SSH is application level protocol, used to establish secure connection to remote system. Linux-based operation systems use OpenSSH suite of command line tools, including sshd - OpenSSH daemon, the SSH server daemon and ssh client, that allows to access the command line interface of a remote operating system. OpenSSH server can authenticate users using passwords, but it is less secure rather than key-based authentication.
In order to setup key-based authentication between client and remote linux-based operating systems, it is necessary to generate public and private key files. Public key file is often named as authorized key. Private key is used by client when authenticating to remote system. Public key is used by remote system to authenticate client.
Following command generates the private key and the public key files. It adds .pub extension to the public key file:
ssh-keygen -b 2048 -t rsa -f private-key-file.pem -P "" -C "email@example.com"
Input options and output files:
-b specifies the key length, often called as number of bits
-P or -N allow to set key passphrase, empty in given example;
-f sets file name for generated key;
-C optional comment, an email address in given example.
Let’s configure ssh connection between client OS and remote OS using generated keys.
First of all, it is necessary to add public key to user’s home directory of remote host, under the name of which we establish a connection. The file ~/.ssh/authorized_keys lists the public keys that are permitted for logging in. Check existence of this file on the remote host:
ls -la ~/.ssh/authorized_keys
If we add one public key, authorized keys file will look like that:
cat ~/.ssh/authorized_keys ssh-rsa ABCDB3NzaC1yc2EAAAADAQABAAACAQDK2nOYOi4swh8nJ4b4dkl/3lU7LcMGwsO8A2kw62TWZolkWClD0XpLvxUytL8IuY32Ho7TisjZrDGDiOKDklsS6yfSNcPWzCWvp56j0gZDpTYNqCspoUete2aEQ9RCQg7Y4nuOCTv3iMod2/+JYITZZYWzmGXWte3IVdlBYyRb0a7/1C1yVFRPTF4Cic/Jnzz3EB6E5LLKPiCRb9m3wfTxHpappVfPszewO5N3B9u/XTYA264yZgCZ+dN+0dOn4obWwRg2XQfWpkPkx/Hwgoy5Sjv7ZAWShuNMF+KUed9/Bm2mLuCxcUH8lP2I9In6i7dvxo73fwFgCEKSgsu9M1icGqs+Kaw8A7rpBYB7szeNCTWD9Qvr4cQW4I1nZ5Chc+gPgxvO30XcX8jIXW6AeoaZMoN912V9sYPmcLo7zzc/WyVvU2qdVWWIOCLyrruRXfFsCJVXMMx7m4z68Fwc2as7UbOqjeCEQdTL7Xt36Z98hJ9ro7abEzh+FClK7AJxgOd6usGH5L7gb9eGuhYjl9zK05yOLVz4E92b5iE2F587pkj0/TyoqBh6GP4usvus6+Gt3YiYjPOnQTHoPrIA1XNr/KEqJaqNRNU+Z/gEIOLFTHVEVp7NOc3CRNmL+8yIZGlVjzRjf2kY7iVyM452BYul/WfxM3mJaYuNN0Gua4NrFV== <key-file>.pem.pub
If this file does not exist, create it, using your favorite editor. Make sure that file access mode is 600, only owner has read/write permissions:
chmod 600 ~/.ssh/authorized_keys
Step 2. Make sure, that ssh daemon is running and listening tcp port (default one is 22). Use service command to check daemon status. For example, in RedHat-based distributions:
systemctl status sshd.service
or, in Debian-based distributions:
service ssh status
If ssh daemon hasn’t been installed, install it using OS package manager, and run explicitly. For example, in RedHat-based distributions:
sudo yum install openssh-server sudo systemctl start sshd.service
or, in Debian-based distributions:
sudo apt-get install openssh-server sudo service ssh start
Step 3. When ssh daemon is running and public key is placed in authorized keys file, we should be able to establish connection to remote host from client’s host console. Note that the user name under which the connection is established must match to the user under the name of which the authorized key file is located.
ssh -i ~/.ssh/<private-key-file>.pem ubuntu@<remote-host-ip-or-domain-name>
In example above, default Ubuntu OS user is used.
It is possible to retrieve public key from private pem file using option -y:
ssh-keygen -y -f <key-file>.pem
Might be helpful when public pem file is lost.
Ssh-keygen allows to retrieve key's fingerprints with option -l. Displaying hash algorithm can be set through option -E, default is md5:
ssh-keygen -E [ md5|sha26 ] -l -f <key-file>.pub