There are times when you want to make the passwords on your Linux server more sophisticated and more resistant to brute-force or dictionary attacks. However, doing so makes it more inconvenient to enter passwords during remote login or during
Now imagine you have a very sophisticated password (we're talking about more than a thousand random characters). Then imagine you don't have to type that password when logging in to the Linux server. In essence: a more secure password, yet more convenient to enter! Normally you trade away convenience (the password becomes harder to remember and type) as your password gets longer and more sophisticated.
This setup can be achieved using ssh keys. In summary, all you need to do is:
- Generate your private and public keys.
- Copy your public key to your server/s.
- SSH Login using your private key (no need to enter password unless you have a passphrase in your private key).
Here's a simple table that maps the path/filename on the client and the server. Remember, the private key should be on your workstation and the public key should be on the server.
| Client File Path | Private Key | Server File Path | Public Key |
| --- | --- | --- | --- |
| ~/.ssh/private.key | -----BEGIN RSA PRIVATE KEY----- ... -----END RSA PRIVATE KEY----- | ~/.ssh/authorized_keys | (the contents of public.key) |
When the above is set up properly you should be able to log in using the command:

```
# No need to enter a password (unless you have a passphrase on your private key)
ssh -i private.key <username>@<hostname.com>
```
Optional but recommended steps are:
- Copy all private keys to all your client machines and public keys to all your server machines.
- Backup your private/public key pairs.
- Disable password login in your Linux servers.
My personal setup is that I only use one public and private key pair for all my servers and all my client terminals. That means if you are using 1 Macbook, 1 Windows Laptop, and 1 Windows Desktop and you have 3 Linux servers, you'll only be using 1 private/public key pair for all of the above permutations. Lastly, for convenience you may want the passphrase for your private key to be blank so that you don't have to type in your passphrase at every login (the private key is secure enough for my needs).
Generate your private and public key pair
```
# When asked for a file name, enter private.key
ssh-keygen -t rsa -b 2048 -C "email@example.com"
```
If you enter "private.key" when asked for the file name to save the keys, you'll have two files, namely private.key and public.key. Obviously, if you are an advanced user, name your keys whatever you like. The naming is just to emphasize that you can have one private and public key pair for all machines and servers.
At this point you have private.key and public.key.
By convention, you might want to put the keys in ~/.ssh.
Copy your public key to server
```
scp public.key <username>@<hostname>.com:/home/<username>/.ssh
```
Rename your public key to authorized_keys:

```
cd ~/.ssh
mv public.key authorized_keys
```

authorized_keys is by default the name the ssh server identifies as the collection of authorized public keys. Note that you can have several public keys in authorized_keys; however, this page is about the simpler approach of one private/public key pair for all workstations and servers.
SSH Login using your private key
```
cd .ssh
ssh -i private.key <username>@<hostname.com>
```
There are ways to automate this so that you don't have to enter your private key filename, but that is outside the scope of this page. I like entering my private keys manually because it is a command that I can use regardless of operating system (in Windows 10 ssh is already built in if you enable it).
Copy private/public key pairs to client/server machines
In favor of convenience, you can have your private key copied to all your client machines and your public key to all your servers. Usually these are located in the ~/.ssh folder on both client and server.
Backup your private/public key pair
The way I back up my keys is to just copy and paste my private and public key into my password manager. This is handy because, for example, if I want to log in to my servers from a family member's laptop, all I need to do is copy and paste my private key from my password manager into a text file named private.key before logging in using ssh -i private.key <username>@<hostname.com>.
Disable password login in your Linux servers
DISCLAIMER: Be careful here and make sure you can already login using ssh keys before trying this since there is a danger of a lockout.
If you corrupt or delete your ~/.ssh/authorized_keys on the server or lose your private key, you can be locked out. In my case, I have a backup user for every server that contains the same ~/.ssh/authorized_keys, so that if for some reason I delete or corrupt this file I can log in as a separate user using the same private key. Also, all my applications and databases are properly backed up and have Git repositories, so I can rebuild everything from scratch if I accidentally lock myself out, so please use with caution!
Edit /etc/ssh/sshd_config, look for PasswordAuthentication and change it to:

```
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
```
Restart your ssh server:

```
sudo service ssh restart
```
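As an added example (not code from the original post), here is a small POSIX shell script covering the two server-side steps above in a lockout-resistant way: it appends the public key to authorized_keys instead of overwriting it, sets the permissions sshd requires, and refuses to set PasswordAuthentication no until authorized_keys actually holds a key. The file paths are parameters (an assumption for this example) so it can be tried on copies first; note that ssh-keygen itself writes the public half as <name>.pub, which the post renames to public.key.

```shell
#!/bin/sh
# Added example: defensive versions of "copy public key" and "disable password
# login". Paths are passed in so the functions can be exercised on test copies.

# Append PUBFILE's key line to AUTHKEYS (creating it if needed) unless that
# exact line is already present, and fix the permissions sshd insists on.
install_pubkey() {
  pub="$1"; auth="$2"
  [ -s "$pub" ] || { echo "public key file missing or empty: $pub" >&2; return 1; }
  mkdir -p "$(dirname "$auth")" && chmod 700 "$(dirname "$auth")"
  touch "$auth" && chmod 600 "$auth"
  # grep -qxF: whole-line, fixed-string match, so re-running is idempotent
  grep -qxF "$(cat "$pub")" "$auth" || cat "$pub" >> "$auth"
}

# Set "PasswordAuthentication no" in CFG, but only if AUTHKEYS holds at least
# one key line. Refusing here is what avoids the lockout the post warns about.
disable_password_auth() {
  cfg="$1"; auth="$2"
  if ! grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) ' "$auth" 2>/dev/null; then
    echo "refusing: no usable public key in $auth" >&2
    return 1
  fi
  if grep -Eq '^[#[:space:]]*PasswordAuthentication[[:space:]]' "$cfg"; then
    # Replace the existing (possibly commented-out) directive in place.
    sed -i -E 's/^[#[:space:]]*PasswordAuthentication[[:space:]].*/PasswordAuthentication no/' "$cfg"
  else
    printf '\nPasswordAuthentication no\n' >> "$cfg"
  fi
  # Before restarting sshd on a real host, validate the file with: sshd -t -f "$cfg"
}

# Effective value of the directive in CFG (last uncommented occurrence wins).
password_auth_setting() {
  grep -E '^PasswordAuthentication[[:space:]]' "$1" | tail -n 1 | awk '{print $2}'
}
```

Run sshd -t against the edited file before restarting the service; a syntax error in sshd_config locks you out just as surely as a missing key.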
Using the approach described, i.e. a single private/public key pair (without a private key passphrase) for all client and server machines, you can have a very secure Linux server and the convenience of not typing any password from any trusted machine.