Documentation
System StatusPortal Login

Enable SSH public key authentication

Suggest Edits

This article describes the procedure to set up a Secure Shell (SSH) public key authentication.

  1. Ensure you have the Public part of you SSH key ready - that's the contents of the file id_rsa.pub that you might have generated in https://docs.rackspace.com/docs/connecting-to-a-server-using-ssh-on-linux-or-mac-os.

  2. Log in to the server.

  3. Verify that the user exists:

    getent passwd <username>

  4. Look up the value assigned to the AuthorizedKeysFile parameter within /etc/ssh/sshd_config to determine the file where the key is stored:

     grep AuthorizedKeysFile /etc/ssh/sshd_config

    Note: The default location is ~/.ssh/authorized_keys within the user's default home directory.

  5. Switch to the user's home directory:

    cd /home/<username>

  6. Check permission levels for the .ssh/ directory. It should have 0700 permissions and be owned by the user.

     ls -hald .ssh

    a. If the directory does not exist, create it and set the permissions to 0700:

     mkdir -m 700 .ssh

    b. If the directory exists, but ownership and permissions are incorrect, correct it using:

     chmod 700 .ssh/
 chown -R username:username .ssh

  7. Switch to .ssh/ directory and edit the authorized_keys file:

    cd .ssh/
vim authorized_keys

  8. Add the SSH Public Key to the end of the authorized_keys file:

    ssh-rsa AAAThisIsAnExamplePublicPortionOfAPublicPrivateKeyPairIsMuchShorterThanARealOne/1/2/3/4/5/6/7/8/9/0t05WFE= [email protected]

  9. Check and update the authorized_keys file permission to 600 and ensure proper ownership of the file:

    ls -hal authorized_keys

chmod 600 authorized_keys
chown -R username:username authorized_keys

Disable password authentication

If you want all users to log in with public keys and not passwords, you can disable password authentication.

Important: Disabling password authentication locks out all users who used a password to access the server if SSH authentication is not already configured for their account.

  1. Create a backup of the sshd_config file before making any changes:

    mkdir /home/username/backup
cp /etc/ssh/sshd_config /home/username/backup/sshd_config.bak

  2. Edit the sshd_config file:

    vim /etc/ssh/sshd_config

  3. Find the PubkeyAuthentication parameter and set it to yes. If the line is commented, remove any
    comment indicators (#).

  4. Find the PasswordAuthentication parameter within the same file and set it to no.

  5. Save the changes to the file and exit the file.

  6. Check the syntax by using sshd -t. If there are no errors, reload sshd:

    service sshd reload

Additional notes:

  1. The private key file on your local workstation (client-side) should have permissions set to
    600, and the .ssh directory should have the permissions set to 700. The
    authorized_keys files also work with 644 permissions, but 600 is
    more secure.

Updated 10 days ago