How to add Public Key Authentication for Ubuntu 16.04 server

Published by Igor Khrupin on

For better security we should use public key authentication on the server.

Here are the steps to do it.

1. Generate SSH key pair on your local computer.

Skip this step if you already have an SSH key pair on your local computer.

ssh-keygen

Output:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/igor/.ssh/id_rsa):

Hit ENTER to accept the default file, then enter a passphrase for your SSH key pair. The full output should look like this:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/igor/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/igor/.ssh/id_rsa.
Your public key has been saved in /home/igor/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:agKodBlKuZFsGd/KGdoZYUeUjdsiyrbZy3jTctp9Q/s igor@ubuntu-server
The key's randomart image is:
+---[RSA 2048]----+
|oo=.             |
|.=*.o            |
| O= oo           |
|+oO.X            |
|==oO    S        |
|+o..   . .       |
|o + o o . .      |
| oo=.=.  +       |
| .+.*. .. oE     |
+----[SHA256]-----+

Now you have an SSH key pair on your local computer.

2. Log in to your server as the root user and create a new user.

This step can be skipped if you already have a user on your server.

ssh root@your_server_ip

Output:

The authenticity of host '45.55.152.45 (45.55.152.45)' can't be established.
ECDSA key fingerprint is SHA256:+oRtSBmByAohvrz2o7J7Uuaf+bqTHpDt0Rm+JAj05qaQ.
Are you sure you want to continue connecting (yes/no)?

Type yes to continue connecting to your server.

Create a new user. I will create the user ‘igor’.

adduser igor

You will be asked for a full name, room number, phone numbers, etc. Then you will be asked whether the information is correct. Hit ‘y’ if it is.
These fields are optional and can be skipped.

I entered the full info, so my output is below. Your output should look like this:

Adding user `igor' ...
Adding new group `igor' (1000) ...
Adding new user `igor' (1000) with group `igor' ...
Creating home directory `/home/igor' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for igor
Enter the new value, or press ENTER for the default
	Full Name []: Igor Khrupin
	Room Number []: 43
	Work Phone []: +48790865345
	Home Phone []: +48790865124
	Other []: 
Is the information correct? [Y/n] y

You have just created a new user on your server.

3. Add Root Privileges for your new user

This step can be skipped if you have already added root privileges for your user.

usermod -aG sudo igor

Now your user is able to run commands with sudo.

4. Add Public Key Authentication for your server

There are 2 ways to do it. The first uses a single command. The second is manual.

Method 1. Using ssh-copy-id

Run the following command on your local computer:

ssh-copy-id user@server_ip

In my case the command is:

ssh-copy-id igor@45.51.151.45

ssh-copy-id will do everything for you. You just need to enter the password of your server’s user.
The full output should look like this:

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/igor/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
igor@45.51.151.45's password: 

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'igor@45.51.151.45'"
and check to make sure that only the key(s) you wanted were added.

Method 2. Manually

Add your PUBLIC key to the ~/.ssh/authorized_keys file on your server. First, go to your local computer and copy the key to the clipboard.
I printed my key to the terminal and copied it from there.

cat ~/.ssh/id_rsa.pub

My output with the SSH public key is below. Yours should look like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU
GPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3
Pbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA
t3FaoJoAsncM1Q9x5+3V0Ww68/eIFmb1zuUFljQJKprrX88XypNDvjYNby6vw/Pb0rwert/En
mZ+AW4OZPnTPI89ZPmVMLuayrD2cE86Z/il8b+gw3r3+1nKatmIkjn2so1d01QraTlMqVSsbx
NrRFi9wrf+M7Q== igor@hrupin.com

Copy it to the clipboard.

Log in to your server as root and temporarily switch to your user.
I’m switching to my user ‘igor’:

su - igor

Create the ~/.ssh directory on your server if you don’t have it, and set its access rights:

mkdir -p ~/.ssh
chmod 700 ~/.ssh

Create the ~/.ssh/authorized_keys file on your server if you don’t have it, and open it for editing:

nano ~/.ssh/authorized_keys

Paste your PUBLIC SSH key into ~/.ssh/authorized_keys as a single line and save the file.
To do this in nano, hit Command+X on Mac OS or CTRL-X on Windows, then hit Y and ENTER.
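
The manual steps of Method 2 as one repeatable function (an added example, not the author's code). The name install_pubkey and the script name are hypothetical. It rejects a key that was pasted with line wraps, sets owner-only permissions, and does not add the same key twice.

```shell
#!/bin/sh
# Added example, not the author's code: the manual steps above as one
# idempotent function. install_pubkey is a hypothetical helper name.
#   $1 = file holding the public key (e.g. a copy of id_rsa.pub)
#   $2 = home directory of the account that should accept the key
install_pubkey() (
    pub=$1
    ssh_dir=$2/.ssh
    auth=$ssh_dir/authorized_keys

    # authorized_keys holds one key per line: "<type> <base64> [comment]".
    # A key pasted with line wraps is not accepted, so reject it here.
    if [ "$(grep -c '' "$pub")" -ne 1 ]; then
        echo "expected exactly one line in $pub" >&2; exit 2
    fi
    key=$(cat "$pub")
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; exit 2 ;;
    esac

    umask 077                # anything created below is owner-only
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"

    # Compare type and key blob only, so a changed comment is not a new key.
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if grep -qF -- "$blob" "$auth"; then
        echo "key already present"
        exit 0
    fi
    # Do not glue the new key onto an existing last line without a newline.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
    echo "key added"
)

# Run on the server as the target user: sh install_pubkey.sh id_rsa.pub "$HOME"
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```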

5. Disable Password Authentication (Recommended)

Now your new user can use SSH keys to log in.
For better security you should disable password-only authentication.
After this, your server will accept public key authentication only.

Edit the SSH daemon configuration using nano. This can be done as root or as a user with sudo rights.

Command for root:

nano /etc/ssh/sshd_config

Command for a user with sudo rights:

sudo nano /etc/ssh/sshd_config

Find PasswordAuthentication, uncomment it by deleting the #, then change its value to “no”. After that, the line should look like this:

PasswordAuthentication no

Also make sure that you have:

PubkeyAuthentication yes
ChallengeResponseAuthentication no

Save the file by hitting Command+X on Mac OS or CTRL-X on Windows, then hit Y and ENTER.

Restart the SSH daemon.

Command for root:

systemctl reload sshd

Or for a user with sudo rights:

sudo systemctl reload sshd
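
A check for the edit made in step 5 (an added example, not the author's code; the function and script names are hypothetical). sshd uses the first occurrence of a keyword, so a "PasswordAuthentication no" added below an earlier "PasswordAuthentication yes" has no effect. The script assumes a single sshd_config file with no Include directives.

```shell
#!/bin/sh
# Added example, not the author's code. Function names are hypothetical.
# Assumes one sshd_config file with no Include directives.

# effective_value FILE KEYWORD: print the value sshd uses for a global
# keyword. sshd takes the FIRST occurrence; keywords are case-insensitive.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }            # comments and blank lines
        tolower($1) == "match" { exit }    # rest of file is conditional
        tolower($1) == want { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE: exit 0 only if password logins are really off.
audit_sshd_config() (
    file=$1
    rc=0
    check() {   # check KEYWORD WANTED DEFAULT_WHEN_UNSET
        val=$(effective_value "$file" "$1")
        [ -n "$val" ] || val=$3
        if [ "$val" = "$2" ]; then
            echo "OK   $1 $val"
        else
            echo "FAIL $1 $val (want $2)"
            rc=1
        fi
    }
    check PasswordAuthentication no yes
    check PubkeyAuthentication yes yes
    check ChallengeResponseAuthentication no yes

    # A Match block can switch passwords back on for some users or hosts.
    if awk 'tolower($1) == "match" { m = 1 }
            m && tolower($1) == "passwordauthentication" &&
                 tolower($2) == "yes" { found = 1 }
            END { exit !found }' "$file"; then
        echo "FAIL a Match block sets PasswordAuthentication yes"
        rc=1
    fi
    exit "$rc"
)

# Usage on the server: sh audit_sshd.sh /etc/ssh/sshd_config
if [ "$#" -eq 1 ]; then
    audit_sshd_config "$1"
fi
```

On the server itself, sudo sshd -t checks the file for syntax errors before the reload, and sudo sshd -T prints the settings sshd will actually use. Keep your current session open until a key-based login from a second terminal has succeeded.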

That’s all, your server is set up. Let’s check how it works.

Try to connect to your server using SSH:

ssh user@your_server_ip

In my case it will be:

ssh igor@45.51.151.45

Then you should see the following output:

➜  ~ ssh igor@45.51.151.45
Enter passphrase for key '/Users/igor/.ssh/id_rsa':

Enter the passphrase of the SSH key on YOUR COMPUTER.
If all is OK you will get access to your server, like this:

➜  ~ ssh igor@45.51.151.45
Enter passphrase for key '/Users/igor/.ssh/id_rsa': 
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-101-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.


Last login: Sat Nov 25 10:57:24 2017 from 222.196.100.5
igor@ubuntu-server:~$

Happy coding everyone!
