Enable SSH public key authentication
This article describes the procedure to set up a Secure Shell (SSH) public key authentication.
-
Log in to the server.
-
Verify that the user exists:
`getent passwd <username>`
-
Look up the value assigned to the AuthorizedKeysFile parameter within
/etc/ssh/sshd_config to determine the file where the key is stored:`grep AuthorizedKeysFile /etc/ssh/sshd_config`
Note: The default location is ~/.ssh/authorized_keys within the
user's default home directory. -
Switch to the user's home directory:
`cd /directory-path`
Note: Substitute directory-path with user's home directory path.
-
Check permission levels for the .ssh/ directory. It should have
0700
permissions and be owned by the user.`ls .ssh`
a. If the directory does not exist, create it and set the permissions to
0700
:`mkdir -m 700 .ssh`
b. If the directory exists, you can set ownership separately:
`chmod 700 .ssh/` `chown -R username:username /path/to/home/.ssh`
-
Switch to .ssh/ directory and authorized_keys file:
```cd .ssh/ vim authorized_keys ll```
-
Add the SSH Public Key to the end of the authorized_keys file:
`vim authorized_keys`
-
Change permissions to
600
and ensure proper ownership of the file:`chmod 600 authorized_keys` `chown -R username:username authorized_keys`
Disable password authentication
If you want all users to log in with public keys and not passwords, you can disable password authentication.
Important: Disabling password authentication locks users who used a password
to access the server if SSH authentication is not configured for their account.
-
Create a backup of the sshd_config file before making
any changes:mkdir /home/username/backup cp /etc/ssh/sshd_config /home/username/backup/sshd_config.bak
-
Open the sshd_config file:
`vim /etc/ssh/sshd_config`
-
Find the PubkeyAuthentication parameter and set it to yes. If the line is commented, remove any
comment indicators (#
). -
Find fthe PasswordAuthentication parameter within the same file and set it to
no
. -
Save the changes to the file and exit the file.
-
Check the syntax by using
sshd -t
. If there are no errors, reloadsshd
:`service sshd reload`
Additional notes:
- The private key file on your local workstation (client-side) should have permissions set to
600
, and the .ssh directory should have the permissions set to700
. The
authorized_keys files also work with644
permissions, but600
is
more secure.
Updated 12 months ago