Enable SSH public key authentication
Last updated on: 2020-10-22
Authored by: James Andrade
This article describes how to set up Secure Shell (SSH) public key authentication for a user account on a server, and optionally how to disable password authentication afterwards.
Log in to the server.
Verify that the user exists:
`getent passwd <username>`
Look up the value assigned to the AuthorizedKeysFile parameter within /etc/ssh/sshd_config to determine the file where the key is stored:
`grep AuthorizedKeysFile /etc/ssh/sshd_config`
Note: The default location is ~/.ssh/authorized_keys within the user’s home directory. If the AuthorizedKeysFile line is commented out, that default applies.
Switch to the user’s home directory:
`cd <directory-path>`
Note: Substitute <directory-path> with the user’s home directory path (the sixth field of the getent output).
Check the permissions of the .ssh/ directory. It should have 0700 permissions and be owned by the user.
a. If the directory does not exist, create it with 0700 permissions:
`mkdir -m 700 .ssh`
b. If the directory exists, set the permissions and ownership explicitly:
`chmod 700 .ssh/`
`chown -R username:username /path/to/home/.ssh`
Switch to the .ssh/ directory, open the authorized_keys file (it is created if it does not exist yet), and then list the directory to confirm the result:
`cd .ssh/`
`vim authorized_keys`
`ls -l`
Add the user’s SSH public key (the contents of the .pub file on the client) on its own line at the end of the authorized_keys file. Use one key per line and do not wrap a key across lines.
Change the permissions of the file to 600 and ensure proper ownership:
`chmod 600 authorized_keys`
`chown username:username authorized_keys`
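The steps above, collected into one script as an added example (this is not code from the original article). It assumes a Linux host with GNU coreutils (for `stat -c`) and that it runs as root when the ownership change is needed; as a non-root user the chown step is skipped. The key material in EXAMPLE_KEY is constructed for the demonstration and is not a real key.

```shell
#!/bin/sh
# Added example (not from the original article): install one SSH public key
# for a user with the ownership and permissions the steps above require.
# Assumptions: Linux with GNU coreutils (stat -c); run as root so chown works.
set -eu

# Constructed sample key for demonstration only; this is not a real key.
EXAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey0000000000000000 alice@workstation'

# is_pubkey <line>: accept only lines that look like an OpenSSH public key
# (known key type, then base64 key material, then an optional comment).
is_pubkey() {
    case "$1" in
        ssh-ed25519\ AAAA*|ssh-rsa\ AAAA*|ecdsa-sha2-nistp256\ AAAA*|ecdsa-sha2-nistp384\ AAAA*|ecdsa-sha2-nistp521\ AAAA*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# install_key <home-dir> <owner> <public-key-line>
# Creates <home-dir>/.ssh (0700) and authorized_keys (0600) if missing,
# appends the key exactly once, and fixes ownership when running as root.
install_key() {
    home="$1"; owner="$2"; key="$3"
    is_pubkey "$key" || { echo "refusing: '$key' is not an OpenSSH public key line" >&2; return 1; }
    [ -d "$home" ] || { echo "home directory $home does not exist" >&2; return 1; }
    sshdir="$home/.ssh"
    keyfile="$sshdir/authorized_keys"

    mkdir -p -m 700 "$sshdir"   # -m only applies when the directory is created...
    chmod 700 "$sshdir"         # ...so enforce 0700 on an existing directory too
    touch "$keyfile"
    chmod 600 "$keyfile"

    # Append only if this exact line is not already present, so re-running
    # the script does not duplicate keys.
    if ! grep -qxF -e "$key" "$keyfile"; then
        printf '%s\n' "$key" >> "$keyfile"
    fi

    # The files must belong to the user, or sshd (StrictModes) ignores them.
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner:$owner" "$sshdir"
    fi
}

# mode_of <path>: octal permission bits, e.g. 700 or 600 (GNU stat).
mode_of() { stat -c '%a' "$1"; }

# Usage on the server, as root (home directory taken from getent):
#   install_key "$(getent passwd alice | cut -d: -f6)" alice "$EXAMPLE_KEY"
```

The `is_pubkey` check is deliberately strict: a pasted line that is not a recognised key type is rejected rather than written into authorized_keys, where sshd would silently ignore it and the user would be left wondering why the login fails.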
Disable password authentication
If you want all users to log in with public keys and not passwords, you can disable password authentication.
Important: Disabling password authentication locks out users who currently log in with a password if public key authentication is not configured for their account. Keep your current session open until you have confirmed that a new key-based login works.
Create a backup of the sshd_config file before making any changes:
`mkdir /home/username/backup`
`cp /etc/ssh/sshd_config /home/username/backup/sshd_config.bak`
Open the sshd_config file:
`vim /etc/ssh/sshd_config`
Find the PubkeyAuthentication parameter and set it to yes. If the line is commented out, remove the comment indicator (#) at the start of the line.
Find the PasswordAuthentication parameter within the same file and set it to no. If UsePAM is set to yes, also set ChallengeResponseAuthentication to no; otherwise the keyboard-interactive method can still prompt for a password.
Save the changes and exit the editor.
Check the syntax with `sshd -t`. If there are no errors, reload sshd:
`service sshd reload`
Before closing your current session, open a second terminal and confirm that a key-based login succeeds and that a password login is refused.
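The same procedure as a script, added here as an example that is not part of the original article. It backs up sshd_config, rewrites the three options (replacing commented-out lines as well as active ones), and keeps the syntax check and reload in a separate step so the edit can be reviewed first. The `set_sshd_option` and `get_sshd_option` helpers are assumptions of this example, not OpenSSH tools; the sample configuration in the usage note is constructed.

```shell
#!/bin/sh
# Added example (not from the original article): back up sshd_config, switch
# the authentication options, and verify before reloading. Assumes OpenSSH's
# sshd_config syntax and a Linux host; "service sshd reload" is the reload
# command the article uses.
set -eu

# set_sshd_option <config-file> <option> <value>
# Replaces every existing line for <option>, active or commented out
# ("#Option value"), with one active "<option> <value>" line; appends it
# if the option is not present at all. Option names are case-insensitive.
set_sshd_option() {
    cfg="$1"; opt="$2"; val="$3"
    tmp="$cfg.tmp.$$"
    awk -v opt="$opt" -v val="$val" '
        {
            line = $0
            sub(/^[ \t]*#?/, "", line)          # strip leading blanks and one "#"
            n = split(line, f, /[ \t]+/)
            if (n > 0 && tolower(f[1]) == tolower(opt)) {
                if (!done) { print opt " " val; done = 1 }
                next                              # drop duplicates and old values
            }
            print
        }
        END { if (!done) print opt " " val }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# get_sshd_option <config-file> <option>: the value sshd would take from this
# file, i.e. the first active (uncommented) occurrence.
get_sshd_option() {
    awk -v opt="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(opt) { print $2; exit }
    ' "$1"
}

# harden_sshd <config-file>: back up the file, then require public keys.
# Prints the backup path so the caller can restore it if a login test fails.
harden_sshd() {
    cfg="$1"
    bak="$cfg.bak.$(date +%Y%m%d%H%M%S)"
    cp -p "$cfg" "$bak"
    set_sshd_option "$cfg" PubkeyAuthentication yes
    set_sshd_option "$cfg" PasswordAuthentication no
    # With UsePAM yes, keyboard-interactive can still prompt for a password
    # unless this is also off (newer OpenSSH calls it KbdInteractiveAuthentication;
    # the old name is still accepted as an alias).
    set_sshd_option "$cfg" ChallengeResponseAuthentication no
    echo "$bak"
}

# verify_and_reload <config-file>: syntax-check, then reload. Run this from an
# existing session and test a new key-based login before closing it.
verify_and_reload() {
    cfg="$1"
    sshd -t -f "$cfg" || { echo "sshd -t failed; config NOT reloaded" >&2; return 1; }
    service sshd reload
}

# Usage on the server, as root:
#   backup=$(harden_sshd /etc/ssh/sshd_config) && verify_and_reload /etc/ssh/sshd_config
#   # to roll back:  cp -p "$backup" /etc/ssh/sshd_config && service sshd reload
```

Two caveats when using this on a real host: sshd takes the first value it reads for an option, so on distributions whose sshd_config begins with `Include /etc/ssh/sshd_config.d/*.conf` a drop-in file there overrides anything set lower in the main file, and `get_sshd_option` reads only the one file you give it; and options inside a `Match` block are replaced like any other line by `set_sshd_option`, so review the result with `sshd -T` if the file uses `Match`.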
- The private key file on your local workstation (client-side) should have permissions set to 600, and the .ssh directory should have permissions set to 700. The authorized_keys file on the server also works with less restrictive permissions, but 600 is more secure.