How To Use SSH Keys on Linux/Mac OS X Clients
Using key-based authentication offers two main benefits. First, it is convenient: once your public key is installed on the server you no longer type the account password to log in (if you protect the private key with a passphrase you unlock the key instead, and an agent such as ssh-agent can cache the unlocked key for the session). Second, once key authentication has been set up for every account that needs it, you can disable password authentication on the server completely, meaning that without an authorized private key nobody can log in, so password-guessing attempts against sshd can no longer succeed.
It's a relatively simple process to create a public/private key pair and install the public key on your SSH server. The OpenSSH command-line tools used here (ssh-keygen, ssh-copy-id and ssh) are standard and are present on Mac OS X and on most Linux distributions. On Mac OS X you run them from the Terminal application.
Step 1: Create the RSA Key Pair
First, create a key pair on the client that you will use to connect to the server. Do this on each client machine you connect from, so that every client has its own private key rather than a copy of another machine's:
ssh-keygen -t rsa -b 4096
This creates two files in your (hidden) ~/.ssh directory: id_rsa and id_rsa.pub. The first, id_rsa, is your private key, which you never share or copy to another machine; the second, id_rsa.pub, is your public key, the one you place on servers. The -b 4096 asks for a 4096-bit key; older ssh-keygen releases default to 2048 bits. (If both ends run OpenSSH 6.5 or later, -t ed25519 gives a smaller, faster key and needs no -b.)
If you don't want to be asked for a passphrase each time you connect (the passphrase is a password that encrypts, and unlocks, the private key; it is never sent to the server), just press Enter when asked for a passphrase while creating the key pair. Whether to protect the key with a passphrase is your decision. If you don't, anyone who obtains a copy of ~/.ssh/id_rsa, for example by gaining access to your local machine or to a backup of it, immediately has SSH access to every server where the public key is authorized. Root on the local machine can read your keys in either case, although if you can't trust root (or root is compromised) you are in real trouble anyway. A passphrase therefore protects against key theft at the cost of replacing the server's password prompt with a passphrase prompt; ssh-agent (ssh-add ~/.ssh/id_rsa) removes most of that cost by caching the unlocked key for the rest of your session.
Step 2: Upload the Public Key
Once the key pair is generated, it's time to place the public key on your server.
You can copy the public key into the server's authorized_keys file with the ssh-copy-id command, which also creates ~/.ssh on the server with the right permissions and skips keys that are already present. It installs ~/.ssh/id_rsa.pub by default; use -i to pick a different key. Make sure to replace the example username and IP address below.
ssh-copy-id user@12.34.56.78
Alternatively, you can append the key over SSH yourself. The extra chmod calls set the permissions sshd insists on when StrictModes is enabled, which it is by default:
cat ~/.ssh/id_rsa.pub | ssh user@12.34.56.78 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Note that this appends the key every time you run it, so run it once per key.
Now when you log into user@12.34.56.78 you will not be prompted for the account password. If you set a passphrase, you will be asked for it instead (whenever you use the key, unless an agent holds it). If you are still asked for the account password, check the permissions on the server: sshd silently ignores authorized_keys when ~/.ssh or the file itself is writable by other users. Test this from a new terminal, leaving your existing session open, before going on to the next step.
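Steps 1 and 2 as shell functions, added here as an example that is not part of the original tutorial. The key size, the comment format and every path are assumptions; the functions take the paths as arguments. The point beyond the commands above: the public key is installed idempotently (running it twice does not add the key twice, unlike a plain cat >>), the directory and file get the modes sshd's StrictModes requires, and the fingerprint can be compared on client and server to confirm the right key landed.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: Steps 1 and 2 as shell
# functions. Key size, comment format and every path are assumptions; the
# functions work on whatever paths you pass them.

# make_keypair DIR NAME [PASSPHRASE]: create DIR/NAME (private) and
# DIR/NAME.pub (public). With a third argument the passphrase is set
# non-interactively ('' means none, as when you just press Enter);
# without it ssh-keygen prompts, exactly as in Step 1.
make_keypair() {
    dir=$1; name=$2
    comment="${USER:-user}@$(uname -n)"     # recorded in the .pub, handy in authorized_keys
    mkdir -p "$dir" && chmod 700 "$dir"
    if [ $# -ge 3 ]; then
        ssh-keygen -q -t rsa -b 4096 -N "$3" -C "$comment" -f "$dir/$name"
    else
        ssh-keygen -t rsa -b 4096 -C "$comment" -f "$dir/$name"
    fi
}

# fingerprint PUBFILE: SHA256 fingerprint of a public key. Compare this on the
# client and on the server to be sure the right key landed in authorized_keys.
fingerprint() {
    ssh-keygen -lf "$1" | awk '{ print $2 }'
}

# install_pubkey PUBFILE AUTHKEYS: append the key to AUTHKEYS, with the
# permissions sshd's StrictModes requires (directory 700, file 600).
# Unlike a plain 'cat >>', running it twice does not add the key twice.
install_pubkey() {
    pub=$1; auth=$2
    dir=$(dirname "$auth")
    key=$(awk '{ print $1 " " $2 }' "$pub")   # key type + base64 blob, comment ignored
    [ -n "$key" ] || return 1
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    if grep -qF -- "$key" "$auth"; then
        return 0                               # already authorized
    fi
    cat "$pub" >> "$auth"
}

# count_keys AUTHKEYS: number of key lines in an authorized_keys file
count_keys() {
    grep -c -E '^(ssh-|ecdsa-|sk-)' "$1" || true
}

# Typical use (paths are assumptions):
#   make_keypair "$HOME/.ssh" id_rsa
#   fingerprint "$HOME/.ssh/id_rsa.pub"
#   install_pubkey "$HOME/.ssh/id_rsa.pub" /path/on/server/.ssh/authorized_keys
```

install_pubkey is what you would run on the server side (or through ssh, as in the one-liner above) after copying only the .pub file across; the private key never leaves the client.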
Step 3 (Optional): Disable the Password for Root Login via SSH
Once you have copied your SSH keys onto your server and confirmed that you can log in with the key alone, you can restrict the root login so that it is only permitted via SSH keys.
To do this, open the /etc/ssh/sshd_config file as root (or with sudo) in your editor.
Within that file, find the line that includes PermitRootLogin and modify it so that root can only connect with an SSH key:
PermitRootLogin prohibit-password
(without-password is the older spelling of the same setting; OpenSSH still accepts it as an alias.)
Alternatively, if you have configured sudo on your server and are configuring SSH keys for a sudo user, you can disable direct root access altogether:
PermitRootLogin no
PermitRootLogin only governs the root account. To get the second benefit described at the top of this page, no password logins for any account, also set PasswordAuthentication no (and ChallengeResponseAuthentication no, so keyboard-interactive logins cannot fall back to the password) in the same file. sshd uses the first value it finds for a keyword, so an earlier PasswordAuthentication yes in the file, or one in a file under /etc/ssh/sshd_config.d/ pulled in by an Include line, silently wins over a line you add at the end. After saving, validate and reload: sudo sshd -t && sudo systemctl reload sshd (the service is called ssh on Debian and Ubuntu). Keep your current session open and confirm from a new one that key login still works and password login is refused before you close it.
Limitations
- The steps here cover OpenSSH as shipped with Linux and Mac OS X. Windows Server does not ship an SSH server by default, so these steps don't apply there unless an OpenSSH server (an optional component on recent Windows Server releases) has been installed.