Enable SSH public key authentication

This article describes the procedure to set up a Secure Shell (SSH) public key authentication.

  1. Log in to the server.

  2. Verify that the user exists:

    `getent passwd <username>`
  3. Look up the value assigned to the AuthorizedKeysFile parameter within
    /etc/ssh/sshd_config to determine the file where the key is stored:

     `grep AuthorizedKeysFile /etc/ssh/sshd_config`

    Note: The default location is ~/.ssh/authorized_keys within the
    user's default home directory.

  4. Switch to the user's home directory:

    `cd /directory-path`

    Note: Substitute directory-path with user's home directory path.

  5. Check permission levels for the .ssh/ directory. It should have 0700
    permissions and be owned by the user.

     `ls .ssh`

    a. If the directory does not exist, create it and set the permissions to 0700:

     `mkdir -m 700 .ssh`

    b. If the directory exists, you can set ownership separately:

     `chmod 700 .ssh/`
     `chown -R username:username /path/to/home/.ssh`
  6. Switch to .ssh/ directory and authorized_keys file:

    ```cd .ssh/
    vim authorized_keys
  7. Add the SSH Public Key to the end of the authorized_keys file:

    `vim authorized_keys`
  8. Change permissions to 600 and ensure proper ownership of the file:

    `chmod 600 authorized_keys`
    `chown -R username:username authorized_keys`

Disable password authentication

If you want all users to log in with public keys and not passwords, you can disable password authentication.

Important: Disabling password authentication locks users who used a password
to access the server if SSH authentication is not configured for their account.

  1. Create a backup of the sshd_config file before making
    any changes:

    mkdir /home/username/backup
    cp /etc/ssh/sshd_config /home/username/backup/sshd_config.bak
  2. Open the sshd_config file:

    `vim /etc/ssh/sshd_config`
  3. Find the PubkeyAuthentication parameter and set it to yes. If the line is commented, remove any
    comment indicators (#).

  4. Find fthe PasswordAuthentication parameter within the same file and set it to no.

  5. Save the changes to the file and exit the file.

  6. Check the syntax by using sshd -t. If there are no errors, reload sshd:

    `service sshd reload`

Additional notes:

  1. The private key file on your local workstation (client-side) should have permissions set to
    600, and the .ssh directory should have the permissions set to 700. The
    authorized_keys files also work with 644 permissions, but 600 is
    more secure.