Key-Based Authentication
SSH key-based authentication is a secure alternative to traditional password-based login. It uses a pair of cryptographic keys: a private key, which remains securely on the client machine, and a public key, which is placed on the server.
Generating SSH Keys
To set up key-based authentication, the first step is to generate an SSH key pair with the ssh-keygen command. For example, to create a 4096-bit RSA key pair:
$ ssh-keygen -t rsa -b 4096
The command will prompt for a file path to save the keys. By default, the keys are saved in ~/.ssh/id_rsa (the private key) and ~/.ssh/id_rsa.pub (the public key).
A passphrase can also be set; it encrypts the private key file on disk. If a passphrase is set, it must be entered each time the key is used, unless the key has been loaded into an SSH agent.
Copying the Public Key to the Server
Once the key pair is generated, the public key must be copied to the remote server to enable key-based authentication. The ssh-copy-id command simplifies this process:
$ ssh-copy-id user@remote_host
This command logs in to the remote server (prompting for the account's password once, since key-based login is not yet possible), creates ~/.ssh if it does not exist, and appends the public key to the ~/.ssh/authorized_keys file. By default it installs every public key it finds (the keys loaded in the agent, or else ~/.ssh/id_*.pub); pass -i with the path of a specific .pub file to install only that key. After the key is in place, login no longer requires the account password.
Logging in with Key-Based Authentication
After copying the public key to the server, SSH automatically uses the private key for authentication:
$ ssh user@remote_host
If the server has the corresponding public key in its authorized_keys file, access is granted without the account password (the key's passphrase is still requested unless an agent holds the key). The client tries its default identity files (~/.ssh/id_rsa, ~/.ssh/id_ed25519 and so on) in turn; a specific key can be selected with -i.
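The copy and login steps above, as an added example that is not code from the original page: the server-side work ssh-copy-id performs, written as a POSIX shell function so it can be applied by hand on a host where ssh-copy-id is missing, plus a login check that cannot silently fall back to a password. The key string, the user name and the host are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the original page: what ssh-copy-id does on the
# server, as a function that can be run by hand when ssh-copy-id is missing,
# plus a login check that cannot silently fall back to a password.
# SAMPLE_PUBKEY is a constructed placeholder in authorized_keys format, not a
# real key; "user@remote_host" below is a placeholder as well.

SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey0000000000 alice@laptop'

# add_authorized_key AUTH_FILE PUBKEY_LINE
# Creates the .ssh directory and authorized_keys with the permissions sshd's
# StrictModes check requires (0700 / 0600), appends the key once, and prints
# "added" or "present". Returns 1 for a line that is not "<type> <blob> [comment]"
# (lines carrying an options prefix such as restrict,from=... are not handled).
add_authorized_key() {
    auth_file=$1
    pubkey=$2
    ssh_dir=$(dirname "$auth_file")

    set -- $pubkey                  # split the line into type, blob, comment
    case $1 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) echo "unsupported key type: ${1:-<empty>}" >&2; return 1 ;;
    esac
    [ -n "$2" ] || { echo "missing key material" >&2; return 1; }
    keytype=$1
    blob=$2

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Compare type and blob only, so the same key with a different comment
    # is recognised as already installed rather than appended again.
    if grep -qF -- "$keytype $blob" "$auth_file"; then
        echo present
    else
        printf '%s\n' "$pubkey" >> "$auth_file"
        echo added
    fi
}

# verify_key_login USER@HOST
# BatchMode=yes suppresses every interactive prompt and
# PasswordAuthentication=no removes the password fallback, so a zero exit
# status means the key itself was accepted.
verify_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=10 "$1" true
}

# Remote one-liner equivalent of ssh-copy-id, for a host without it. umask 077
# makes mkdir create .ssh as 0700 and the redirection create authorized_keys as
# 0600. Not run here because it needs a live host:
#   cat ~/.ssh/id_ed25519.pub | ssh user@remote_host \
#     'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys'

# Demonstration against a temporary directory standing in for a home directory.
demo_home=$(mktemp -d)
add_authorized_key "$demo_home/.ssh/authorized_keys" "$SAMPLE_PUBKEY"   # added
add_authorized_key "$demo_home/.ssh/authorized_keys" "$SAMPLE_PUBKEY"   # present
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

Run verify_key_login user@remote_host in a second terminal after installing the key and before touching any server-side setting; if it fails, the first session is still open to fix authorized_keys or its permissions.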
Best Practices for Managing SSH Keys
Proper management of SSH keys is essential for maintaining security. The following practices are recommended:
Use Strong Keys
Use an RSA key of at least 3072 bits (4096 is common) or, preferably, an Ed25519 key, which offers security comparable to a large RSA key with a much shorter key and faster signing. Do not generate DSA keys; modern OpenSSH disables them by default. RSA keys remain usable because current servers negotiate rsa-sha2-256/512 signatures, but OpenSSH 8.8 and later no longer offer the SHA-1 ssh-rsa signature, so very old servers may reject RSA keys unless that algorithm is explicitly re-enabled.
$ ssh-keygen -t ed25519
Protect Private Keys with Passphrases
Protecting the private key with a passphrase means the file on disk is encrypted with a key derived from the passphrase, so an attacker who steals the file must still brute-force the passphrase offline; choose a long one, since a short passphrase only delays the attacker. Passphrases can be set during key generation (or changed later with ssh-keygen -p) and the decrypted key can be held in memory by ssh-agent, loaded with ssh-add, to avoid repeated prompts.
Limit Key Access
Access to private keys should be restricted to their owner. Keep them in ~/.ssh/ with mode 0600 and the directory at 0700; the ssh client refuses to use a private key whose permissions are too open, and sshd (with the default StrictModes yes) ignores an authorized_keys file or ~/.ssh directory that other users can write to. Never copy a private key between machines or share it: generate a separate key per device and install each public key on the server, so a single key can be revoked without affecting the others.
Rotate Keys Regularly
Rotating SSH keys by generating a new key pair and replacing the old public key on the server limits the damage from a key that was copied without anyone noticing. Do it in an order that cannot lock you out: install the new public key, verify that login with it works, and only then delete the old key's line from authorized_keys. Also remove keys belonging to people or machines that no longer need access; a periodic review of authorized_keys files catches entries that rotation alone would miss.
Disable Password Authentication
Once key-based authentication is set up and verified, password authentication can be disabled in the server's sshd_config (typically /etc/ssh/sshd_config) with the following line. Note that sshd uses the first value it reads for a keyword, so a conflicting line in a file pulled in by an Include directive near the top of sshd_config takes precedence over this one:
PasswordAuthentication no
Disabling password authentication enforces the use of key-based authentication and removes the target of brute-force password attacks. On systems that use PAM (UsePAM yes), keyboard-interactive authentication can still prompt for a password, so set KbdInteractiveAuthentication no as well (ChallengeResponseAuthentication no on releases before OpenSSH 8.7). Check the syntax with sshd -t, reload the service, keep the current session open, and confirm from a second session that key login still works and that a password login is refused.
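The configuration check described above, as an added example that is not code from the original page: a POSIX shell function that determines the value sshd will actually use for a keyword from sshd_config text, honouring the first-value-wins rule and skipping Match blocks, and a second function that reports whether every route to a password prompt is closed. The configuration text is a constructed sample, not a real host's file.

```shell
#!/bin/sh
# Added example, not code from the original page: work out the value sshd
# will actually use for a keyword from sshd_config text. Two sshd rules drive
# it: for any keyword the FIRST value read wins (so a line in a drop-in pulled
# in by an Include at the top beats a later line in the main file), and values
# inside a Match block apply only to the connections that block matches.
# SAMPLE_SSHD_CONFIG is a constructed sample, not a real host's file.

SAMPLE_SSHD_CONFIG='# /etc/ssh/sshd_config (constructed sample)
Include /etc/ssh/sshd_config.d/*.conf
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# duplicate further down: ignored, because the first value wins
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
'

# effective_value KEYWORD  (config text on stdin)
# Prints the global value: the first occurrence outside any Match block.
# Prints nothing if the keyword is absent, meaning the compiled-in default applies.
effective_value() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        $1 ~ /^#/ || NF == 0 { next }                  # comment or blank line
        { sub(/=/, " ") }                              # accept Keyword=value too
        tolower($1) == "match" { in_match = 1; next }  # conditional block from here on
        in_match { next }
        tolower($1) == key { print $2; exit }          # first global value wins
    '
}

# password_logins_disabled  (config text on stdin)
# Exit 0 only if neither route to a password prompt is open. With UsePAM,
# keyboard-interactive authentication still asks PAM for a password unless
# KbdInteractiveAuthentication (ChallengeResponseAuthentication on releases
# before OpenSSH 8.7) is also off, so checking PasswordAuthentication alone
# is not enough. A missing keyword counts as "yes", the sshd default for both.
password_logins_disabled() {
    cfg=$(cat)
    pw=$(printf '%s\n' "$cfg" | effective_value PasswordAuthentication)
    kbd=$(printf '%s\n' "$cfg" | effective_value KbdInteractiveAuthentication)
    [ -n "$kbd" ] || kbd=$(printf '%s\n' "$cfg" | effective_value ChallengeResponseAuthentication)
    [ "$pw" = no ] && [ "$kbd" = no ]
}

# Demonstration on the sample above.
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | effective_value PasswordAuthentication   # no
if printf '%s\n' "$SAMPLE_SSHD_CONFIG" | password_logins_disabled; then
    echo "password logins disabled"
else
    echo "password logins still possible"
fi
```

On a live host the authoritative answer is sshd -T (run as root), which prints the effective configuration after all Include files have been read; feeding its output to password_logins_disabled covers the drop-in case that reading sshd_config alone would miss.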
Key-based authentication provides a secure and efficient method for accessing remote systems. By generating strong keys, protecting private keys with passphrases, and disabling password-based login, SSH connections can be made more secure.