How to add Public Key Authentication for Ubuntu 16.04 server
For better security we should use public key authentication on the server.
Here is steps how to do it.
1. Generate SSH key pair on your local computer.
Skip if you already have ssh key pair in your local computer
Generating public/private rsa key pair. Enter file in which to save the key (/home/igor/.ssh/id_rsa):
Hit ENTER and enter passphrase for your SSH key pair. Full output should be like this:
Generating public/private rsa key pair. Enter file in which to save the key (/home/igor/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/igor/.ssh/id_rsa. Your public key has been saved in /home/igor/.ssh/id_rsa.pub. The key fingerprint is: SHA256:agKodBlKuZFsGd/KGdoZYUeUjdsiyrbZy3jTctp9Q/s igor@ubuntu-server The key's randomart image is: +---[RSA 2048]----+ |oo=. | |.=*.o | | O= oo | |+oO.X | |==oO S | |+o.. . . | |o + o o . . | | oo=.=. + | | .+.*. .. oE | +----[SHA256]-----+
Now you have SSH key pair on your local computer.
2. Login to your server as root user and create new user.
This step can be skipped if you already have user on your server
The authenticity of host '220.127.116.11 (18.104.22.168)' can't be established. ECDSA key fingerprint is SHA256:+oRtSBmByAohvrz2o7J7Uuaf+bqTHpDt0Rm+JAj05qaQ. Are you sure you want to continue connecting (yes/no)?
Type YES and continue connecting to your server
Create new user. I will create user ‘igor’
You will be asked about Full name, Room name, phone numbers, etc. After you will be asked about information correctness. Hit ‘y‘ if all is correct.
Sure this steps can be skipped.
I’ve entered full info. So, my output is here. Your output should be like this:
Adding user `igor' ... Adding new group `igor' (1000) ... Adding new user `igor' (1000) with group `igor' ... Creating home directory `/home/igor' ... Copying files from `/etc/skel' ... Enter new UNIX password: Retype new UNIX password: passwd: password updated successfully Changing the user information for igor Enter the new value, or press ENTER for the default Full Name : Igor Khrupin Room Number : 43 Work Phone : +48790865345 Home Phone : +48790865124 Other : Is the information correct? [Y/n] y
You just have created new user in your server
3. Add Root Privileges for your new user
This step can be skipped if you already added root privileges for your user
usermod -aG sudo igor
Now your user able to run commands with sudo
4. Add Public Key Authentication for your server
There 2 ways how to do it. One using just one command. Second one is manually.
Method 1. Using ssh-copy-id
Just run next command on your local computer
In my case command is:
ssh-copy-id will do all for you. You just need enter password for your server’s user.
Full output should be like this:
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/igor/.ssh/id_rsa.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys firstname.lastname@example.org's password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'email@example.com'" and check to make sure that only the key(s) you wanted were added.
Method 2. Manually
Add your PUBLIC key into~/.ssh/authorized_keys file on your server. First you need go to your local computer and copy this key into clipboard.
I’ve showed my key into output and copy it from there.
My output with SSH public key here. Your should be like this.
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAklOUpkDHrfHY17SbrmTIpNLTGK9Tjom/BWDSU GPl+nafzlHDTYW7hdI4yZ5ew18JH4JW9jbhUFrviQzM7xlELEVf4h9lFX5QVkbPppSwg0cda3 Pbv7kOdJ/MTyBlWXFCR+HAo3FXRitBqxiX1nKhXpHAZsMciLq8V6RjsNAQwdsdMFvSlVK/7XA t3FaoJoAsncM1Q9x5+3V0Ww68/eIFmb1zuUFljQJKprrX88XypNDvjYNby6vw/Pb0rwert/En mZ+AW4OZPnTPI89ZPmVMLuayrD2cE86Z/il8b+gw3r3+1nKatmIkjn2so1d01QraTlMqVSsbx NrRFi9wrf+M7Q== firstname.lastname@example.org
Copy it into clipboard.
Login to your server as root and temporary switch to your user.
I’m switching to my user ‘igor’
su - igor
Create ~/.ssh dir on your server if you don’t have it and change access rights for it
mkdir ~/.ssh chmod 700 ~/.ssh
Create ~/.ssh/authorized_keys file on your server if you don’t have it. Edit this file.
Paste your PUBLIC ssh key into ~/.ssh/authorized_keys and save file.
To do it in nano you need hit Command+X for Mac OS or CTRL-X for Windows after hit Y and ENTER
5. Disable Password Authentication (Recommended)
Now your new user can use SSH keys to log in.
To make more better security you need disable password-only authentication.
After this your server will have public key authentication only.
Edit SSH daemon configuration using nano. It can be done using root or user with sudo rights.
command for root:
command for user with root rights
sudo nano /etc/ssh/sshd_config
Find PasswordAuthentication, uncomment it by deleting the #, then change its value to “no“. After it line should looks like this:
Also ensure that you have
PubkeyAuthentication yes ChallengeResponseAuthentication no
Save file by hitting Command+X for Mac OS or CTRL-X for Windows after hit Y and ENTER
Restart SSH Daemon
Command for root:
systemctl reload sshd
Or for user with sudo rights
sudo systemctl reload sshd
That’s all your server is done. Let’s try how it works.
Try to connect to your server using SSH.
In my case will be next:
Then you should see next output:
➜ ~ ssh email@example.com Enter passphrase for key '/Users/igor/.ssh/id_rsa':
Enter passphrase from YOUR COMPUTER‘s ssh key.
If all is ok you will get access into your server. Like this:
➜ ~ ssh firstname.lastname@example.org Enter passphrase for key '/Users/igor/.ssh/id_rsa': Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-101-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage Get cloud support with Ubuntu Advantage Cloud Guest: http://www.ubuntu.com/business/services/cloud 0 packages can be updated. 0 updates are security updates. Last login: Sat Nov 25 10:57:24 2017 from 22.214.171.124 igor@ubuntu-server:~$
Happy coding everyone!
Share my post if you like it.