Public Key Authentication in Linux

The motivation for using public key authentication instead of passwords is security. A key pair offers cryptographic strength that even very long passwords cannot match: the private key never leaves the local machine, so it cannot be guessed in an online attack or captured by a server that has been compromised (the server only ever sees a signature). With SSH, public key authentication also frees users from remembering complicated passwords (or, worse, writing them down).

SSH public key authentication relies on asymmetric cryptographic algorithms that generate a pair of related keys (a key pair), one "private" and the other "public". Keep the private key secret and store it on your local computer, where it is used to prove your identity to the remote system. The public key can be shared with anyone without compromising the private key; it is stored on the remote system as one line in the ~/.ssh/authorized_keys file of the account you log in to.

Hands-on Exercise Overview

This hands-on exercise generates an SSH key pair on the local Ubuntu 22.04 machine and uses it to connect to the Ubuntu 20.04/Vagrant server with public key authentication. The Vagrant VM is attached in bridged mode, which places the two machines on the same network so the local machine can reach the server by IP address.

Prerequisites:

To use SSH public key authentication:

  • The remote and local systems must have OpenSSH installed.

  • You need to be able to transfer your public key to the remote system. Therefore, you must either be able to log into the remote system with an established account username and password/passphrase, or have an administrator on the remote system add the public key to the ~/.ssh/authorized_keys file in your account.

💡
Regardless of distribution, Linux systems almost always ship the OpenSSH client tools (ssh, ssh-keygen, ssh-copy-id) by default. The server side (sshd, package openssh-server on Ubuntu) is frequently not installed by default and may have to be added on the remote machine.

Steps:

  1. Open the terminal (CTRL+ALT+T).

  2. Verify that the ssh client is installed on the local machine:

     which ssh
    

    OR

     ssh -V
    
  3. Check for existing keys by listing the ssh directory on the local machine:

     ls -l ~/.ssh
    

    If you generate new keys under the default file name, ssh-keygen asks before overwriting the existing ones. Giving a different file name (at the path prompt, or with the -f option) saves the new pair to separate files and leaves the old ones untouched.

    If there are no existing keys, the output indicates the directory does not exist.

    If some keys are found, they should be backed up before continuing.

  4. Generate a key pair with ssh-keygen:

     ssh-keygen -b 4096
    
    • ssh-keygen is the tool used to create SSH key pairs. It prompts for the file to save the key in (default ~/.ssh/id_rsa) and for a passphrase; the passphrase encrypts the private key on disk, so set one, otherwise anyone who copies the file can use the key immediately.

    • -b specifies the number of bits in the key to create. It only applies to key types with a variable length (RSA, and to a lesser extent ECDSA); it is ignored for ed25519 keys, which have a fixed size.

    • 4096 is the number of bits in the key. Without -t, ssh-keygen on Ubuntu 22.04 (OpenSSH 8.9) generates an RSA key, and 4096 bits is a good balance between security and performance for most SSH applications. The modern alternative is the ed25519 type (-t ed25519), which is smaller, faster and needs no -b.

  5. Verify the key pair exists by listing ~/.ssh again. With the default RSA type the private key is saved as id_rsa and the public key as id_rsa.pub (or under the name you gave ssh-keygen). The private key file must be readable only by you (mode 600); ssh refuses to use a private key that others can read.

  6. View the public key, the .pub file. It is a single line starting with the key type (for example ssh-rsa), followed by the base64-encoded key and a comment. This line is the only thing that goes to the server.

  7. Check that the server is reachable by connecting to it first with your account password:

     ssh username@ip_address
    

  8. Add the public key to the server by copying it manually or using the ssh-copy-id tool. ssh-copy-id logs in once with the password and appends the key for you, creating ~/.ssh and authorized_keys on the server with the correct permissions if they do not exist yet:

     ssh-copy-id username@ip_address
    
  9. Public keys are stored in the ~/.ssh/authorized_keys file of the remote account, one key per line; every public key that is added appends one new line.

  10. Now connect to the server from the local machine again and check whether public key authentication works. If the private key is at its default path, ssh uses it automatically; otherwise pass it with -i. You should be prompted only for the key's passphrase (if you set one), not for the account password. If the password prompt still appears, rerun ssh with -v and check on the server that ~/.ssh is mode 700 and ~/.ssh/authorized_keys is mode 600, because sshd ignores the file when its permissions are too open.
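The whole procedure above, carried out end to end as an added shell example that is not part of the original tutorial: it generates a key pair, checks that both files exist and that the private key has the right permissions, appends the public key to a local file that stands in for the server's ~/.ssh/authorized_keys (what ssh-copy-id does over the network, but offline, including the skip of an already-present key), counts the keys, and confirms by fingerprint that the server-side copy matches the local key before the final ssh login, which is left as a comment because it needs the real server. The ed25519 key type, the scratch directory under /tmp and the file names are assumptions of this example; the tutorial's `ssh-keygen -b 4096` form works the same with -t rsa -b 4096.

```shell
#!/bin/sh
# Added example: the tutorial's key-pair procedure run offline.
# Assumptions: ed25519 key type, a scratch directory under /tmp, and a local
# file standing in for the server's ~/.ssh/authorized_keys.
set -eu

WORK="${TMPDIR:-/tmp}/sshkey-demo.$$"
KEY="$WORK/id_ed25519"               # assumed path; the tutorial's default is ~/.ssh/id_rsa
AUTH="$WORK/server_authorized_keys"  # stand-in for the server's ~/.ssh/authorized_keys

# Step 4: generate a key pair. -f names the files explicitly, so nothing that
# already exists is overwritten; -N '' skips the passphrase prompt for this
# demo only (set a passphrase on real keys).
generate_key() {
  mkdir -p "$WORK" && chmod 700 "$WORK"
  ssh-keygen -q -t ed25519 -N '' -C "demo@local" -f "$KEY"
}

# Step 5: both halves must exist and the private half must be mode 600;
# ssh refuses a private key that group or others can read.
check_key_files() {
  [ -f "$KEY" ] && [ -f "$KEY.pub" ] || return 1
  mode=$(stat -c '%a' "$KEY" 2>/dev/null || stat -f '%Lp' "$KEY")
  [ "$mode" = "600" ]
}

# Step 8: what ssh-copy-id does, minus the network: append the one-line public
# key to authorized_keys (mode 600), unless that exact line is already present.
# $1 = public key file, $2 = authorized_keys file
add_authorized_key() {
  pub=$(cat "$1")
  touch "$2" && chmod 600 "$2"
  if grep -qxF -- "$pub" "$2"; then
    return 0
  fi
  printf '%s\n' "$pub" >> "$2"
}

# Step 9: one key per line; blank lines and # comments are not keys.
count_authorized_keys() {
  grep -cvE '^[[:space:]]*(#|$)' "$1" || true
}

# Before step 10: confirm the server-side copy really is our key by comparing
# fingerprints (ssh-keygen -l reads a .pub file or a whole authorized_keys file).
# $1 = public key file, $2 = authorized_keys file
fingerprint_matches() {
  local_fp=$(ssh-keygen -lf "$1" | awk '{print $2}')
  ssh-keygen -lf "$2" | awk '{print $2}' | grep -qxF -- "$local_fp"
}

main() {
  generate_key
  check_key_files && echo "key pair OK: $KEY and $KEY.pub"
  cat "$KEY.pub"                          # step 6: the one line that goes to the server
  add_authorized_key "$KEY.pub" "$AUTH"
  add_authorized_key "$KEY.pub" "$AUTH"   # a second copy is not appended
  echo "keys in authorized_keys: $(count_authorized_keys "$AUTH")"
  fingerprint_matches "$KEY.pub" "$AUTH" && echo "server-side copy matches local key"
  # Step 10 against the real server (username and ip_address as in the tutorial):
  #   ssh -i "$KEY" username@ip_address
}

# Run the whole procedure when ssh-keygen is available; the helper functions
# above can still be used on their own otherwise.
if command -v ssh-keygen >/dev/null 2>&1; then main; fi
```

Run it as `sh sshkey-demo.sh`; the only line you would change for the real exercise is the commented ssh command at the end of main, and you would drop -N '' so that ssh-keygen asks for a passphrase.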
