Results 1 to 10 of 37

Thread: HOWTO: SSH & Public Keys

Threaded View

  1. #1
    Join Date
    Apr 2005
    Ubuntu 14.04 Trusty Tahr

    HOWTO: SSH & Public Keys

    Since SSH (Secure Shell) scans are so common anymore I wanted to add better protection to my server so I configured SSH to only allow logins with public & private keys instead of password authentication. This is how I set it up on Ubuntu however it should work on any version of Linux. Don't be afraid of the length of this tutorial it's really pretty simple and only a few commands. This HowTo ended up longer than I anticipated because I wanted to explain each step as best I could.

    This HowTo assumes that you already have SSH installed properly.

    The first thing we need to do is generate the key pair. On your host computer go to "Applications">"System Tools">"Terminal" note this is your regular user terminal not a root terminal. Enter the following command at the terminal.

    username@ubuntu:~$ ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/username/.ssh/id_dsa):
    Enter passphrase (empty for no passphrase): 
    Enter same passphrase again:
    Your identification has been saved in /home/username/.ssh/id_dsa.
    Your public key has been saved in /home/username/.ssh/
    The key fingerprint is:
    5b:ab:73:32:9e:b8:8c:4b:29:dc:2a:2b:8c:2f:4e:45 username@ubuntu
    As you see above I chose the default location for the keys which is in the .ssh/ directory in your home directory. At the "Enter passphrase" prompt enter a strong password. This password is needed to use the key so this adds some security in case your private key ever gets stolen. Your private key needs to be protected.

    This will generate a DSA key pair. If you notice I say pair it generates a private key id_dsa and your public key which we will copy to the server.

    Next we need to copy the public key to the server.

    username@ubuntu:~$ cd .ssh/
    This moves you into .ssh directory where the keys were saved. Now to copy the public key to the server.

    username@ubuntu:~$ scp serverusername@    100% |*****************************************************|  
     614  00:00
    The "scp" command allows files to be copied to/from a remote server using the SSH protocol to establish a secure connection and to encrypt all data passing between the client and the server.

    Now that we copied the public key to the server we have to install the key in the proper directory. To do this login to the server using ssh and your usual password. We still aren't using public key authentication yet but we are close. Once logged into the server issue the following command in the terminal. Note you don't need to be logged in as root just login with your normal user account.

    username@server:~$ cd .ssh
    serverusername@server:~$ touch authorized_keys2
    serverusername@server:~$ chmod 600 authorized_keys2
    serverusername@server:~$ cat ../ >> authorized_keys2
    serverusername@server:~$ rm ../
    Ok so here we set the file permissions to 600 which is gives only the owner read and write access. Then we added the key to the file called authorized_keys2. Note it's important to use the >> because that adds the key to the file without any line breaks. Then finally we removed the key from the server. Now if you logout and log back in you should see that you are using the key authentication as shown below.

    username@ubuntu:~$ ssh -l serverusername
    Enter passphrase for key '/home/serverusername/.ssh/id_dsa':
    Linux everest 2.6.10-5-386 #1 Tue Apr 5 12:12:40 UTC 2005 i686 GNU/Linux
    The programs included with the Ubuntu system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
    applicable law.
    You have new mail.
    Last login: Mon Apr 25 19:43:43 2005 from
    There is one more step and that is to disable password authentication on the server. Once this is set the only way to login will be with private and public keys. In order to accomplish this we have to change a line in the ssh_conf file on the server. The ssh_con file is located in the following location on the server /etc/ssh/ssh_config. Once in the file look for the following line:

    #   PasswordAuthentication yes
    Change to:
    PasswordAuthentication no
    UsePAM no
    Now that wasn't so bad was it? I am not an expert with this I just put this together from searching around on my own and figured I would put it all together in one place in case I needed to do this again and hopefully it will help someone else out.
    Last edited by Beernut; May 4th, 2005 at 05:32 AM. Reason: Fixed TYPO Added UsePAM no option
    "Beer is proof that God loves us and wants us to prosper." - Ben Franklin
    "Never argue with an idiot; they'll drag you down to their level and beat you with experience."


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts