Step Four — Add Public Key Authentication (Recommended)
The next step in securing your server is to set up public key authentication for your new user. Setting this up will increase the security of your server by requiring a private SSH key to log in.
Generate a Key Pair
If you do not already have an SSH key pair, which consists of a public and private key, you need to generate one. If you already have a key that you want to use, skip to the Copy the Public Key step.
To generate a new key pair, enter the following command at the terminal of your local machine (i.e. your computer):
Assuming your local user is called "localuser", you will see output that looks like the following:
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/localuser/.ssh/id_rsa):
Hit return to accept this file name and path (or enter a new name).
Next, you will be prompted for a passphrase to secure the key with. You may either enter a passphrase or leave the passphrase blank.
Note: If you leave the passphrase blank, you will be able to use the private key for authentication without entering a passphrase. If you enter a passphrase, you will need both the private key and the passphrase to log in. Securing your keys with passphrases is more secure, but both methods have their uses and are more secure than basic password authentication.
This generates a private key, id_rsa, and a public key, id_rsa.pub, in the .ssh directory of the localuser's home directory. Remember that the private key should not be shared with anyone who should not have access to your servers!
Copy the Public Key
After generating an SSH key pair, you will want to copy your public key to your new server. We will cover two easy ways to do this.
Option 1: Use ssh-copy-id
If your local machine has the ssh-copy-id script installed, you can use it to install your public key to any user that you have login credentials for.
Run the ssh-copy-id script by specifying the user and IP address of the server that you want to install the key on, like this:
- ssh-copy-id demo@SERVER_IP_ADDRESS
After providing your password at the prompt, your public key will be added to the remote user's .ssh/authorized_keys file. The corresponding private key can now be used to log into the server.
Option 2: Manually Install the Key
Assuming you generated an SSH key pair using the previous step, use the following command at the terminal of your local machine to print your public key (id_rsa.pub):
This should print your public SSH key, which should look something like the following:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDBGTO0tsVejssuaYR5R3Y/i73SppJAhme1dH7W2c47d4gOqB4izP0+fRLfvbz/tnXFz4iOP/H6eCV05hqUhF+KYRxt9Y8tVMrpDZR2l75o6+xSbUOMu6xN+uVF0T9XzKcxmzTmnV7Na5up3QM3DoSRYX/EP3utr2+zAqpJIfKPLdA74w7g56oYWI9blpnpzxkEd3edVJOivUkpZ4JoenWManvIaSdMTJXMy3MtlQhva+j9CgguyVbUkdzK9KKEuah+pFZvaugtebsU+bllPTB0nlXGIJk98Ie9ZtxuY3nCKneB+KjKiXrAvXUPCI9mWkYS/1rggpFmu3HbXBnWSUdf email@example.com
Select the public key, and copy it to your clipboard.
Add Public Key to New Remote User
To enable the use of an SSH key to authenticate as the new remote user, you must add the public key to a special file in the user's home directory.
On the server, as the root user, enter the following command to switch to the new user (substitute your own user name):
Now you will be in your new user's home directory.
Create a new directory called .ssh and restrict its permissions with the following commands:
Now open a file in .ssh called authorized_keys with a text editor. We will use nano to edit the file:
- nano .ssh/authorized_keys
Now insert your public key (which should be in your clipboard) by pasting it into the editor.
Hit CTRL-X to exit the file, then Y to save the changes that you made, then ENTER to confirm the file name.
Now restrict the permissions of the authorized_keys file with this command:
- chmod 600 .ssh/authorized_keys
Type this command once to return to the root user:
Now you may SSH login as your new user, using the private key as authentication.
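The manual install steps above (create .ssh, add the key to authorized_keys, restrict permissions) can also be scripted so that a rerun never duplicates the key and a pasted private key is refused. The following is an added example, not part of the original tutorial. Assumptions: the function names install_key and check_modes and the sample key are constructed for illustration, and mode 700 on .ssh is the customary owner-only setting.

```shell
#!/bin/sh
# Added example, not from the original tutorial. Function names and the
# sample key are constructed for illustration.

# install_key HOME_DIR "PUBKEY_LINE": append one public key to
# HOME_DIR/.ssh/authorized_keys and enforce owner-only modes (700 / 600).
install_key() {
    home_dir=$1
    key_line=$2
    newline='
'
    # Accept only a single-line public key. This catches the common mistake of
    # pasting the private key (id_rsa) instead of id_rsa.pub.
    case $key_line in
        *"$newline"*|*"PRIVATE KEY"*) echo "rejected: not a one-line public key" >&2; return 1 ;;
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "rejected: unrecognised key type" >&2; return 1 ;;
    esac

    old_umask=$(umask)
    umask 077    # anything created below starts owner-only
    mkdir -p "$home_dir/.ssh" && chmod 700 "$home_dir/.ssh" || { umask "$old_umask"; return 1; }
    auth="$home_dir/.ssh/authorized_keys"
    # Append only if the exact line is absent, so reruns do not duplicate it.
    grep -qxF -- "$key_line" "$auth" 2>/dev/null || printf '%s\n' "$key_line" >> "$auth"
    chmod 600 "$auth"
    umask "$old_umask"
}

# check_modes HOME_DIR: succeed only if .ssh is 700 and authorized_keys is 600.
check_modes() {
    d=$(ls -ld "$1/.ssh" | cut -c1-10)
    f=$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)
    [ "$d" = "drwx------" ] && [ "$f" = "-rw-------" ]
}

# Demo against a throwaway directory standing in for the new user's home.
demo_home=$(mktemp -d)
demo_key='ssh-rsa AAAAB3NzaC1yc2EXAMPLEONLY localuser@example.com'   # constructed
install_key "$demo_home" "$demo_key" && check_modes "$demo_home" && echo "modes OK"
```

Run it as the new user (not root) so the created files are owned by the account that will log in.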
To read more about how key authentication works, read this tutorial: How To Configure SSH Key-Based Authentication on a Linux Server.