How To Set Up OpenSSH Public Key Authentication

Secure Shell or SSH is a network protocol that allows data to be exchanged using a secure channel between two networked devices. Used primarily on GNU/Linux and Unix based systems to access shell accounts, SSH was designed as a replacement for Telnet and other insecure remote shells.

Before we start, make sure your computer has a SSH client installed and the remote Linux system has SSH installed and sshd running.

1. Generating RSA key

You will need to generate the local RSA key by running the following command:

# ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
(It's safe to press enter here, as the /root/.ssh is the default and recommended directory to hold the RSA file.)

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

The password you enter here will need to be entered every time you use the RSA key. You can set NO passphrase by pressing Enter but it's not recommended (you can change the passhrase later with "ssh-keygen -p" command).

Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.

2. Copying the public key to remote system

Once the public key has been generated, it's time to upload it on any Linux systems you usually log into. It's recommended you use scp as the file transfer utility:

# scp .ssh/id_rsa.pub username@ipaddress:~

This command will copy the id_rsa.pub file in the $HOME directory of the remote system. For instance, if you used root as the username, the file will be found in the /root directory and if you used a normal user, the file will be in the /home/username directory.

3. Enabling ssh-key authentication

Next, connect to the remote host through SSH, with the username you used in the step above. RSA authentication won't be available just yet, so you'll have to use the old method to login.
Once you are connected, add the new hostkey to the file /root/.ssh/authorized_keys or /home/username/.ssh/authorized_keys. If the .ssh directory doesn't exist, create it.

# cd $HOME
# cat id_rsa.pub >> .ssh/authorized_keys

This will add the contents of id_rsa.pub file to the authorized_keys file.

Now you have to enable key authentication in sshd_config. Edit /etc/ssh/sshd_config and uncomment or add the following lines

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys

and restart the sshd service.

To test the RSA authentication, initiate a SSH connection from to one of the Linux systems:

# ssh username@ipaddress

If everything worked out well, you should be either asked for the passpharase (if you entered one), or get directly logged in. If you are prompted for the ssh password or get an error message, retry the above command using -v in order to turn verbose mode on and to be able to track down and correct the problem.

If everything is OK, you should disable password authentication for secirty reasons.
To disable password authentication on the remote host you need to uncomment or add

PasswordAuthentication no
UsePAM no

then restart sshd service.