How to Set up SSH Key Authentication on Linux

With brute-force attacks becoming more and more common, it’s best to prevent malicious users from ever being able to attempt to guess your password. That’s why it’s important to set up SSH key authentication on your Linux server. Key-based authentication is a lot safer than a password, because a private key can pretty much never be guessed by anyone else. It’s also super easy to set up. Let’s get right into it.

1. Creating your own SSH key

On your local machine, you need to generate a new pair of keys in order to set up SSH key authentication. To do that, we’ll run:

ssh-keygen

You can then hit Enter until the key is created. Or, if you want, you can set a passphrase at this step:

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Please keep a note of this passphrase, as it will be required for every access to the server.

2. Copy your key to your Linux Server with ssh-copy-id

After your key is created, there’s another command you can use to copy your key to your server without needing to edit the authorized_keys file manually. You can do that by running the following:

ssh-copy-id -p port_number user@host

Just remember to change the username user to your actual username, host to your server’s hostname or IP address, and port_number to your server’s SSH port. This will automatically copy your public key to your server, and after that, you can try to SSH to your server. You should not be prompted to provide a password, and you’ll be automatically logged in. To test it out, run:

ssh user@host -p port_number

2.1. Copy your key when ssh-copy-id is not available

On some systems, the ssh-copy-id command might not be available. In that case, you’ll need to do it over a traditional SSH connection. To do that, we’ll run the following pre-made command. This will work on Linux systems:

cat ~/.ssh/id_rsa.pub | ssh user@host -p port_number "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys"

Just remember to change the username user to your actual username, and host to your server’s hostname or IP address. This should do all the work for you – that one line will copy your local key to your server and insert it into your authorized_keys file.

You can test it after you run this command by trying to SSH into your server:

ssh user@host -p port_number

3. Set up SSH key authentication on Windows

Windows doesn’t come with the commands we show in step 2.1, so here is what you need to do to set up SSH key authentication if you’re running Windows. This guide’s steps are meant for readers that are running Windows 11.

First, open the Terminal application (not as an administrator). You’ll then need to run the ssh-keygen.exe command, like so:

PS C:\Users\rosehosting> ssh-keygen.exe

You’ll then get a few questions. You can use the default directory, and then set no passphrase (you can also set one if you prefer, but you’ll need to enter your passphrase every time you want to authenticate using your key). Here’s how our output looked:

Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\rosehosting/.ssh/id_rsa):
Created directory 'C:\\Users\\rosehosting/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in C:\Users\rosehosting/.ssh/id_rsa
Your public key has been saved in C:\Users\rosehosting/.ssh/id_rsa.pub

You now have a saved keypair. You will now need to copy the public key (the one named id_rsa.pub) to your server. First, print the public key in your terminal and copy it:

PS C:\Users\rosehosting> cat .\.ssh\id_rsa.pub

Then SSH into your server:

PS C:\Users\rosehosting> ssh.exe user@host -p port_number

Run this command to create the folder where your SSH public key will be stored:

mkdir -p ~/.ssh

You can then open a new file using your preferred text editor. We’ll use nano:

nano ~/.ssh/authorized_keys

Paste your public key into the file, save, and exit. You then need to update the file permissions on the new folder and file:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

With that, your key access should be all set up. You can now log out of your server and try to log back in. You should not be prompted to enter a password anymore.
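The one-liner in step 2.1 and the manual paste above both append to authorized_keys, so repeating them adds the key again, and a pasted private key or a file without a final newline silently breaks the entry. The function below is an added example, not part of the original guide, of a server-side install that handles those cases; the name install_pubkey and its return codes are made up for this illustration.

```shell
# install_pubkey KEY_LINE [SSH_DIR]   (hypothetical helper, POSIX sh)
# Adds one public key line to SSH_DIR/authorized_keys exactly once.
# Returns: 0 added, 1 already present, 2 not a public key line, 3 I/O error.
install_pubkey() (
    key=$1
    dir=${2:-"$HOME/.ssh"}
    file=$dir/authorized_keys
    # Common public key types; extend the list if you use others.
    type_re='(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521))'

    # Accept exactly one line of the form "<type> <base64> [comment]".
    # This rejects a pasted private key, which spans several lines.
    [ "$(printf '%s\n' "$key" | wc -l)" -eq 1 ] || return 2
    printf '%s\n' "$key" |
        grep -Eq "^$type_re [A-Za-z0-9+/]+={0,2}( .*)?\$" || return 2

    # The function body is a subshell, so this umask does not leak out.
    umask 077
    mkdir -p "$dir" && touch "$file" || return 3
    # Owner-only access: 700 on the directory, 600 on the key file.
    chmod 700 "$dir" && chmod 600 "$file" || return 3

    # Exact whole-line match, so a second run does not add a duplicate.
    grep -qxF -- "$key" "$file" && return 1

    # If the file lacks a final newline, add one so lines do not merge.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        echo >> "$file"
    fi
    printf '%s\n' "$key" >> "$file"
)

# Usage on the server, with the line printed by "cat id_rsa.pub":
#   install_pubkey 'ssh-rsa AAAA... user@laptop'
```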

4. Disable password authentication on the server (OPTIONAL)

If you want to keep your server even more secure, you can disable password authentication on your server. This means all users on the system will have to use SSH keys to log into it. SSH keys are more secure than passwords because they provide a stronger and more resilient authentication method. Unlike passwords, which can be susceptible to brute-force attacks and other vulnerabilities, SSH keys use a pair of cryptographic keys for authentication. This makes it significantly harder for unauthorized users to gain access, enhancing overall security. Additionally, SSH keys eliminate the need to transmit passwords over the network, reducing the risk of interception and unauthorized access.

To disable password authentication, you need to edit the SSH server configuration file on your server:

sudo nano /etc/ssh/sshd_config

In there, you should find the line PasswordAuthentication – set it to no:

PasswordAuthentication no

After you finish the edit and close the file, you can restart your SSH service, and you should be good to go:

sudo systemctl restart ssh
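Before restarting, it is worth confirming what sshd will actually enforce: the first value sshd reads for a keyword wins, so an included drop-in file can set PasswordAuthentication ahead of your edit, and keyboard-interactive authentication through PAM can still accept passwords. The check below is an added example, not part of the original guide; the function name audit_sshd_auth is made up here, and the usage lines assume sshd -T is run with root privileges.

```shell
# audit_sshd_auth: reads `sshd -T` output on stdin, prints one line per
# finding, returns 0 only when key-based login is the sole remaining path.
audit_sshd_auth() {
    awk '
        { opt[tolower($1)] = tolower($2) }   # sshd -T prints "keyword value"
        END {
            bad = 0
            pw = opt["passwordauthentication"]
            if (pw != "no") {
                print "passwordauthentication is " (pw == "" ? "unset" : pw)
                bad = 1
            }
            # Older OpenSSH releases call this challengeresponseauthentication.
            kbd = opt["kbdinteractiveauthentication"]
            if (kbd == "") kbd = opt["challengeresponseauthentication"]
            if (kbd == "yes" && opt["usepam"] == "yes") {
                print "keyboard-interactive via PAM still accepts passwords"
                bad = 1
            }
            if (opt["pubkeyauthentication"] != "yes") {
                print "pubkeyauthentication is off: key login would fail"
                bad = 1
            }
            exit bad
        }'
}

# On the server, before restarting the service:
#   sudo sshd -t                      # syntax check of the edited file
#   sudo sshd -T | audit_sshd_auth    # effective values after any Include
# If a finding shows a value you did not set, find the file that set it:
#   sudo grep -rniE '^[[:space:]]*(password|kbdinteractive)authentication' /etc/ssh/
```

Keep your current SSH session open while you test a new login in a second terminal, so a mistake in the configuration does not lock you out.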

That’s it! You successfully configured your server to use SSH keys instead of passwords. This will make your server even more secure against potential brute force attacks, anyone knowing your password, etc. If you have an active Managed Linux VPS server with us, you don’t need to do anything from above – you can submit a support ticket to our team with your public key and our team will add it for you.
