Secure Shell (SSH) is an encrypted key used by Linux users to connect to remote servers.
Normally, two ways users can access to their servers – password based authentication or public key based authentication.
Public key based authentication is highly recommended, as a safer alternative to passwords authentication.
Here I will show you the steps how to generate and setup SSH key on CentOS 7. I also show you how to connect remote server using ssh key and How to disable password authentication.
- Verify SSH is Installed or not. (If installed we will get the result of SSH version information)
To check if the package is installed, run the command:
ssh -V
If the remote server already has SSH, the command shows you which version is running. Currently, my version is OpenSSH_7.4p1.
We will create SSH Key on local machine. Here I will show how to create SSH key on Windows machine and how to create SSH key on Linux machine.
Creating SSH key on Windows machine (Windows based user)
I am using putty key generator for creating ssh key. (You can download puttygen from this link: https://www.puttygen.com/download-putty)
Open the software Putty key generator and click Generate button.
Move your cursor continually from various angle till you get the key.
Once you get the key, go to Key passphrase and give some number. (Here I use 123456). Now click Save public key and again save private key on your local directory.
Done!
Creating SSH key on CentOS (Linux based user)
Step 1: Generate SSH Key
1. I going to create 2048-bit RSA key pair using the command:
ssh-keygen -t rsaIf you want to tighten up more security, you can create a 4096-bit key by adding the -b 4096 flag:
ssh-keygen -t rsa -b 40962. After previous command, you should see something like that:
Generating public/private rsa key pair.Enter file in which to save the key (home/your_username/.ssh/id_rsa):3. Save the file in suggested directory, press Enter. Otherwise, you can specify another location.
4. Next, use some number for passphrase:
Enter passphrase (empty for no passphrase):
Enter same passphrase again:(Creating a passphrase isn’t mandatory, but it is highly advisable.)
5. Finally, the output ends by providing the following information:
Your identification has been saved in home/your_username/.ssh/id_rsa.
Your public key has been saved in home/your_username/.ssh/id_rsa.pub.
The key fingerprint is:
Dpd458:hKocTeG3NT-5h256w56Jj58F3iG6c0D6FUe5:HD1iFs
username@hostname
The key's randomart image is:
+------[RSA 3072]-------+
| .oo. |
| +o+. |
| + +.+ |
| o + S . |
| . E . . =.o|
| . + . B+|
| + . oo*=O|
| oo . .+o+|
| o=ooo=|
+------ [SHA256] ------+Now, you need to add public key to the remote CentOS server.
Step 2: Copy Public Key to CentOS Server
You can copy the public SSH key on the remote server using several different methods:
- using the ssh-copy-id script
- using Secure Copy (scp)
- manually copying the key
- using rsync
- upload somewhere and download into that remote server
The easiest and fastest method is ssh-copy-id. If the option is available, I recommend you to use it. Otherwise, try other method.
Copy Public Key Using ssh-copy-id
1. Use following command, specifying the SSH user account, and the IP address of the remote server:
ssh-copy-id username@remote_IPIf it is the first time you accessing that remote server from your local machine you will receive the following output:
The authenticity of host 'IP (IP)' can't be established.ECDSA key fingerprint is Dpd458:hKocTeG3NT-5h256w56Jj58F3iG6c0D6FUe5:HD1iFs.Are you sure you want to continue connecting (yes/no)? yes2. Confirm the connection – type yes and press Enter.
3. Once the id_rsa.pub key creates on the local machine, it will ask you to provide the password for the remote account. Type in the password and press Enter.
4. Once the connection has been established, the public key adds on the remote server. This is done by copying the ~/.ssh/id_rsa.pub file to the remote server’s ~/.ssh directory. You can locate it under the name authorized_keys.
5. Finally, the output tells you the number of keys added, and give you instructions on what to do next:
Number of key(s) added: 1Now try logging into the machine, with: "ssh 'username@IP'"and check to make sure that only the key(s) you wanted were added.Copy Public Key Using Secure Copy
1. First, setup an SSH connection with the remote user:
ssh username@remote_IP2. Next, create the ~/.ssh directory as well as the authorized_keys file:
mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys3. Use chmod command to change the file permission:
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keyschmod 700 makes the file executable, while chmod 600 allows the user to read and write the file.
4. Now, open a new terminal session, on the local machine.
5. Copy the content from id_rsa.pub (the SSH public key) to the previously created authorized_keys file on the remote server by typing the command:
scp ~/.ssh/id_rsa.pub username@remote_IP:~/.ssh/authorized_keysThis way, the public key has been safely stored on the remote account.
Copy Public Key Manually
1. This way you can manually add the public SSH key to the remote server, first need displays the key data from the ~/.ssh/id_rsa.pub file:
cat ~/.ssh/id_rsa.pub2. As the following image, the key starts with ssh-rsa and ends with the username of the local computer and hostname of the remote server:
3. Copy the content of the file.
4. Now, connect to the remote server where you wish to copy the public key. Use the following command to connect with the remote server:
ssh username@remote_IP5. Create a ~/.ssh directory and authorized_keys file on the remote CentOS server by following command:
mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys6. Change the file permission:
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys7. Next, open the authorized_keys file with an editor. Here I open it with Nano command, type:
nano authorized_keys8. Paste the public key, you copied in step 2, in a new line in (under the existing content).
9. Save the file (for nano Ctrl+X, Y and press enter to save and close the file).
10. Finally, login to remote server to verify that everything is setup perfectly.
Step 3: Using SSH Keys connect to Remote Server
Once you have finished the previous steps (creating an RSA Key Pair and copying the Public Key to the CentOS remote server), now you will be able to connect to the remote server without typing the password for the remote account.
All you need to do by following command:
ssh username@remote_IPIf you didn’t specify a passphrase while creating the SSH key pair, you will automatically log in the remote server.
Otherwise, type in the passphrase you supplied in the initial steps and press Enter.
Once it confirms the key automatically, it will open a new session for direct communicate with the remote server.
Step 4: How to Disable Password Authentication
It is important to Disable Password Authentication for remote Linux server, it still has a password authentication system running on the remote server. Password Authentication may increase the risk of brute force attack.
Password authentication should disable by following steps:
[Note: I prefer you to follow these steps through a non-root user account with sudo privileges, as an additional safety.]
1. Using the SSH key, log into the remote CentOS server which has administrative privileges:
ssh username@remote_host2. Next, open the SSH daemon configuration file using a text editor of your choice:
sudo nano /etc/ssh/sshd_config3. Look for the following line in the file:
PasswordAuthentication yes4. Copy the line and give # in front of (#PasswordAuthentication yes) paste the line bellow the line and change the yes value to no:
PasswordAuthentication no5. Save the ssh file and exit the text editor.
6. To enable the changes, restart the sshd service using the command:
sudo systemctl restart sshd.service7. Verify the SSH connection to the server is still functioning correctly. Open a new terminal window and type in the command:
ssh username@remote_IPConclusion
In this article, you learned how to generate/ setup SSH key pairs, import SSH key to remote server and setup an SSH key-based authentication, and disable SSH password authentication.