# Public Key Authentication in Linux

The motivation for using public key [authentication](https://kb.iu.edu/d/alqk) over simple passwords is security. [Public key authentication](https://www.ssh.com/academy/ssh/public-key-authentication) provides cryptographic strength that even extremely long passwords can not offer. With [**SSH**](https://www.ssh.com/ssh/), public key authentication improves security considerably as it frees the users from remembering complicated passwords (or worse yet, writing them down).

SSH public key authentication relies on asymmetric cryptographic algorithms that generate a pair of separate keys (a key pair), one "***private***" and the other "***public***". Keep the private key secret and store it on your local computer to connect to the remote system. Conceivably, share the public key with anyone without compromising the private key; you store it on the remote system in a `.ssh/authorized_keys` directory.

## Hands-on Exercise Overview

This hands-on exercise uses public key authentication to connect to the Ubuntu 20.04/Vagrant server by generating an SSH key pair on the local Ubuntu 22.04 machine. The connection between the local machine and the Ubuntu/Vagrant server is established using the [bridged mode](https://github.com/karlakz/vagrant-templates/tree/main/ubuntu-in-bridge-mode) that allows the two machines to be in the same network.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710590978860/956e97f3-b238-49bf-b139-b65a105e1ca5.png align="center")

## Prerequisites:

To use SSH public key authentication:

* The remote and local systems must have OpenSSH installed.
    
* You need to be able to transfer your public key to the remote system. Therefore, you must either be able to log into the remote system with an established account username and password/passphrase, or have an administrator on the remote system add the public key to the `~/.ssh/authorized_keys` file in your account.
    

<div data-node-type="callout">
<div data-node-type="callout-emoji">💡</div>
<div data-node-type="callout-text">In Linux, it does not matter which distribution is used, every distribution comes preinstalled with SSH.</div>
</div>

## **Steps:**

1. Open the terminal (**CTRL**+**ALT**+**T**).
    
2. Verify that the ssh client is installed on the local machine:
    
    ```bash
    which ssh
    ```
    
    OR
    
    ```bash
    ssh -V
    ```
    
3. Check for existing keys by listing the `ssh` directory with on the local machine:
    
    ```bash
    ls -l ~/.ssh
    ```
    
    Generating new keys overwrites the current ones by default. However, indicating a new name for the keys saves them to different files.
    
    If there are no existing keys, the output indicates the directory does not exist.
    
    If some keys are found, they should be backed up before continuing.
    
4. Generate a key pair with `ssh-keygen`:
    
    ```bash
    ssh-keygen -b 4096
    ```
    
    * `ssh-keygen` is the tool used to create SSH keys, which are used for secure communication between machines.
        
    * `-b` specifies the number of bits in the key to create. More bits generally mean better security.
        
    * `4096` is the number of bits in the key. This is considered a good balance between security and performance for most SSH applications.
        
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710502786551/43eb8981-20da-4764-90c4-f5c49910fbe6.png align="center")
    
5. Verify the key pair exists:
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710503010782/521d45f7-2825-4d59-b264-693e780c5497.png align="center")
    
6. View the public key:
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710503992549/c312fff7-ee1f-490c-a033-73a6077d963b.png align="center")
    
7. Check whether the server works by connecting to it first:
    
    ```bash
    ssh username@ip_address
    ```
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710505402017/de006138-77eb-47f4-a55d-96adfba288a9.png align="center")
    
8. Add the public key to the server by copying it manually or using the `ssh-copy-id` tool:
    
    ```bash
    ssh-copy-id username@ip_address
    ```
    
9. Public keys are in the `~/.ssh/authorized_keys` file and every time a new public is added, it appears as a new one line.
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710504234970/9c12372d-7526-45f4-910f-e5cf4b78ab6d.png align="center")
    
10. Now, connect to the server from the local machine by using the SSH private key and check whether the public key authentication works:
    
    ![](https://cdn.hashnode.com/res/hashnode/image/upload/v1710505492184/5a3590c0-b0c9-4472-a40b-0d86190d1261.png align="center")
    

## References:

1. [**Set up SSH public key authentication to connect to a remote system**](https://kb.iu.edu/d/aews)
    
2. [**About authentication**](https://kb.iu.edu/d/alqk)
    
3. [**What is SSH Public Key Authentication?**](https://www.ssh.com/academy/ssh/public-key-authentication)
    
4. [How To Configure SSH Key-Based Authentication on a Linux Server](https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server)
    
5. [Setting up public key authentication over SSH](https://www.ibm.com/docs/en/db2/11.1?topic=profile-setting-up-public-key-authentication-over-ssh)
    
6. [Use SSH Public Key Authentication on Linux, macOS, and Windows](https://www.linode.com/docs/guides/use-public-key-authentication-with-ssh/)
