Setup ssh key-based authentication

SSH is application level protocol, used to establish secure connection to remote system. Linux-based operation systems use OpenSSH suite of command line tools, including sshd - OpenSSH daemon, the SSH server daemon and ssh client, that allows to access the command line interface of a remote operating system. OpenSSH server can authenticate users using passwords, but it is less secure rather than key-based authentication.

Generate ssh keys in pem format with using command line

In order to setup key-based authentication between client and remote linux-based operating systems, it is necessary to generate public and private key files. Public key file is often named as authorized key. Private key is used by client when authenticating to remote system. Public key is used by remote system to authenticate client.

Following command generates the private key and the public key files. It adds .pub extension to the public key file:

ssh-keygen -b 2048 -t rsa -f private-key-file.pem -P "" -C ""

Input options and output files:
-b specifies the key length, often called as number of bits
-P or -N allow to set key passphrase, empty in given example;
-f sets file name for generated key;
-C optional comment, an email address in given example.

Configure ssh key-based authentication between client OS and server OS

Let’s configure ssh connection between client OS and remote OS using generated keys.
First of all, it is necessary to add public key to user’s home directory of remote host, under the name of which we establish a connection. The file ~/.ssh/authorized_keys lists the public keys that are permitted for logging in. Check existence of this file on the remote host:

ls -la ~/.ssh/authorized_keys

If we add one public key, authorized keys file will look like that:

cat ~/.ssh/authorized_keys
ssh-rsa ABCDB3NzaC1yc2EAAAADAQABAAACAQDK2nOYOi4swh8nJ4b4dkl/3lU7LcMGwsO8A2kw62TWZolkWClD0XpLvxUytL8IuY32Ho7TisjZrDGDiOKDklsS6yfSNcPWzCWvp56j0gZDpTYNqCspoUete2aEQ9RCQg7Y4nuOCTv3iMod2/+JYITZZYWzmGXWte3IVdlBYyRb0a7/1C1yVFRPTF4Cic/Jnzz3EB6E5LLKPiCRb9m3wfTxHpappVfPszewO5N3B9u/XTYA264yZgCZ+dN+0dOn4obWwRg2XQfWpkPkx/Hwgoy5Sjv7ZAWShuNMF+KUed9/Bm2mLuCxcUH8lP2I9In6i7dvxo73fwFgCEKSgsu9M1icGqs+Kaw8A7rpBYB7szeNCTWD9Qvr4cQW4I1nZ5Chc+gPgxvO30XcX8jIXW6AeoaZMoN912V9sYPmcLo7zzc/WyVvU2qdVWWIOCLyrruRXfFsCJVXMMx7m4z68Fwc2as7UbOqjeCEQdTL7Xt36Z98hJ9ro7abEzh+FClK7AJxgOd6usGH5L7gb9eGuhYjl9zK05yOLVz4E92b5iE2F587pkj0/TyoqBh6GP4usvus6+Gt3YiYjPOnQTHoPrIA1XNr/KEqJaqNRNU+Z/gEIOLFTHVEVp7NOc3CRNmL+8yIZGlVjzRjf2kY7iVyM452BYul/WfxM3mJaYuNN0Gua4NrFV== <key-file>

If this file does not exist, create it, using your favorite editor. Make sure that file access mode is 600, only owner has read/write permissions:

chmod 600 ~/.ssh/authorized_keys

Step 2. Make sure, that ssh daemon is running and listening tcp port (default one is 22). Use service command to check daemon status. For example, in RedHat-based distributions:

systemctl status sshd.service

or, in Debian-based distributions:

service ssh status

If ssh daemon hasn’t been installed, install it using OS package manager, and run explicitly. For example, in RedHat-based distributions:

sudo yum install openssh-server
sudo systemctl start sshd.service

or, in Debian-based distributions:

sudo apt-get install openssh-server
sudo service ssh start

Step 3. When ssh daemon is running and public key is placed in authorized keys file, we should be able to establish connection to remote host from client’s host console. Note that the user name under which the connection is established must match to the user under the name of which the authorized key file is located.

ssh -i ~/.ssh/<private-key-file>.pem ubuntu@<remote-host-ip-or-domain-name>

In example above, default Ubuntu OS user is used.

Retrieve public/authorized key from public key file

It is possible to retrieve public key from private pem file using option -y:

ssh-keygen -y -f <key-file>.pem

Might be helpful when public pem file is lost.

Retrieve key's fingerprint from public/authorized pem file

Ssh-keygen allows to retrieve key's fingerprints with option -l. Displaying hash algorithm can be set through option -E, default is md5:

ssh-keygen -E [ md5|sha26 ] -l -f <key-file>.pub