There are times when you want to make the passwords on your Linux server more sophisticated and more resistant to brute-force or dictionary attacks. However, doing so makes it more inconvenient to enter passwords during remote login or when running sudo commands.

Now imagine you have a very sophisticated password (we're talking about more than a thousand random characters), and then imagine you don't have to type it when logging in to the Linux server. In essence: a more secure password that is also more convenient to use. Normally you trade away convenience (the password gets harder to remember and to type) as your password gets longer and more sophisticated.

This setup can be achieved using ssh keys. In summary, all you need to do is:

  1. Generate your private and public keys.
  2. Copy your public key to your server/s.
  3. SSH Login using your private key (no need to enter password unless you have a passphrase in your private key).

Here's a simple table that maps the path/filename on the client and on the server. Remember, the private key should be on your workstation and the public key should be on the server.

Client (workstation)
  File path: ~/.ssh/private.key
  Contents:  private key
    -----BEGIN RSA PRIVATE KEY-----
    AKLKAkm4w3W8UbBYawktah
    OggOI3XU8FbaIdEML0O0o4...
    -----END RSA PRIVATE KEY-----

Server
  File path: ~/.ssh/authorized_keys
  Contents:  public key
    ssh-rsa AAAAB3NzaC1y...
    n7j+zpN9vYMjzpN9Nb
    NboZaeJwssFGpI3XU8...

When the above is set up properly, you should be able to log in using the command:

# No need to enter a password (unless your private key has a passphrase)
ssh -i private.key <username>@<hostname.com>

Optional but recommended steps are:

  1. Copy all private keys to all your client machines and public keys to all your server machines.
  2. Backup your private/public key pairs.
  3. Disable password login in your Linux servers.

My personal setup is that I use only one public/private key pair for all my servers and all my client terminals. That means if you have 1 MacBook, 1 Windows laptop and 1 Windows desktop and 3 Linux servers, you will use the same private/public key pair for every one of those combinations. Lastly, for convenience you may want to leave the passphrase on your private key blank so that you don't have to type a passphrase at every login (the private key is secure enough for my needs).

Generate your private and public key pair

# When asked for the file name, enter private.key
ssh-keygen -t rsa -b 2048 -C "test@example.com"

If you enter "private.key" when asked for the file name in which to save the key, you'll have two files, namely:

  1. private.key
  2. private.key.pub

Rename your private.key.pub to public.key. Obviously, if you are an advanced user, name your keys whatever you like. The naming is just to emphasize that you can use one private/public key pair for all machines and servers.

At this point you have:

  1. private.key
  2. public.key

By convention, you might want to put the keys in ~/.ssh.

Copy your public key to server

scp public.key <username>@<hostname.com>:/home/<username>/.ssh

On the server, rename your public key to authorized_keys.

cd ~/.ssh
mv public.key authorized_keys

authorized_keys is the file name the SSH server reads by default as its collection of authorized public keys. Note that you can have several public keys in authorized_keys; however, this page is about the simpler approach of one private/public key pair for all workstations and servers.

SSH Login using your private key

cd .ssh
ssh -i private.key <username>@<hostname.com>

There are ways to automate this so that you don't have to enter your private key filename, but that is outside the scope of this page. I like entering my private key manually because it is a command I can use regardless of operating system (in Windows 10, ssh is already built in if you enable it).
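The copy-and-rename steps above, done as one shell function, as an added example that is not from the original page: it appends the keys in public.key to ~/.ssh/authorized_keys without creating duplicates, skips malformed lines, and sets the permissions sshd's StrictModes expects (700 on ~/.ssh, 600 on authorized_keys). The paths passed in and the sample key in the test are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key into
# authorized_keys idempotently and with the permissions sshd requires
# (StrictModes rejects a group- or world-writable ~/.ssh or authorized_keys).
# Assumes a POSIX shell plus grep and cut.

# Return 0 if the line looks like an OpenSSH public key: a known key type,
# a base64 body, and an optional comment.
is_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_pubkey PUBKEY_FILE SSH_DIR
# Appends every valid key in PUBKEY_FILE to SSH_DIR/authorized_keys, skipping
# keys already present, and fixes permissions. Prints the number of keys added.
install_pubkey() {
    pubfile=$1; sshdir=$2; auth="$sshdir/authorized_keys"; added=0
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    # the "|| [ -n ... ]" keeps a final line that lacks a trailing newline
    while IFS= read -r line || [ -n "$line" ]; do
        if ! is_pubkey_line "$line"; then
            printf 'skipping malformed line: %s\n' "$line" >&2
            continue
        fi
        # compare only "type body": a different comment is not a new key
        body=$(printf '%s' "$line" | cut -d' ' -f1,2)
        if cut -d' ' -f1,2 "$auth" | grep -qxF "$body"; then
            continue
        fi
        printf '%s\n' "$line" >> "$auth"
        added=$((added + 1))
    done < "$pubfile"
    echo "$added"
}
```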

Copy private/public key pairs to client/server machines

In favor of convenience, you can copy your private key to all your client machines and your public key to all your servers. Usually these live in the ~/.ssh folder on both client and server.

Backup your private/public key pair

The way I back up my keys is simply to copy and paste my private and public keys into my password manager. This is handy because, for example, if I want to log in to my servers from a family member's laptop, all I need to do is copy my private key from my password manager into a text file named private.key before logging in with ssh -i private.key <username>@<hostname.com>.

Disable password login in your Linux servers

DISCLAIMER: Be careful here and make sure you can already login using ssh keys before trying this since there is a danger of a lockout.

If you corrupt or delete ~/.ssh/authorized_keys on the server, or lose your private key, you can be locked out. In my case, I have a backup user on every server with the same ~/.ssh/authorized_keys, so that if for some reason I delete or corrupt this file I can log in as the separate user using the same private key. Also, all my applications and databases are properly backed up and have Git repositories, so I can rebuild everything from scratch if I accidentally lock myself out. Please use with caution!

In /etc/ssh/sshd_config, look for PasswordAuthentication and change it to no.

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no

Restart your ssh server.

sudo service ssh restart
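An added example (not from the original page) of checking that the change actually took effect: a small sshd_config reader that resolves PasswordAuthentication the way sshd does (the first value read wins, so a "no" appended below an earlier "yes" is ignored) and also checks keyboard-interactive authentication, through which PAM can still prompt for the same password. The config paths passed to the functions are assumptions; on a live host, sshd -T prints the same effective values.

```shell
#!/bin/sh
# Added example (not from the original page): resolve an sshd_config keyword
# the way sshd does. For each keyword the first value read wins, values set
# inside a Match block apply only to the matched users/hosts, and a missing
# keyword takes the built-in default. Assumes a POSIX shell and awk; Include
# directives are not followed (use `sshd -T` on the real host for that).

# effective_option CONFIG_FILE KEYWORD DEFAULT -> prints the global value
effective_option() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0     { next }            # comments, blanks
        tolower($1) == "match"          { in_match = 1 }     # rest is Match-scoped
        !in_match && !found && tolower($1) == tolower(key) {
            val = tolower($2); found = 1                     # first value wins
        }
        END { if (found) print val; else print def }
    ' "$1"
}

# password_login_disabled CONFIG_FILE -> succeeds only if no password-based
# method is left on globally: PasswordAuthentication must be "no", and so must
# keyboard-interactive. Match blocks can re-enable either for specific
# users or hosts; those need to be read separately.
password_login_disabled() {
    pw=$(effective_option "$1" PasswordAuthentication yes)
    # OpenSSH 8.7 renamed ChallengeResponseAuthentication to
    # KbdInteractiveAuthentication; fall back to the old name if the new
    # one is absent (both default to yes).
    kbd=$(effective_option "$1" KbdInteractiveAuthentication "")
    if [ -z "$kbd" ]; then
        kbd=$(effective_option "$1" ChallengeResponseAuthentication yes)
    fi
    [ "$pw" = "no" ] && [ "$kbd" = "no" ]
}
```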

Conclusion

Using the approach described, i.e. a single private/public key pair (without a private key passphrase) for all client and server machines, you can have a very secure Linux server and the convenience of not typing any password from any trusted machine.