In this post, I want to show how to create a pair of RSA keys for authentication on a Linux server running OpenSSH.
First of all, from the client side, I generate the keys.
ssh-keygen
the previous command generates a pair of keys stored by default in the folder: /home/username/.ssh/id_rsa.
The private key will be called id_rsa, and the associated public key will be called id_rsa.pub.
As the name suggests, id_rsa(private key) is your secret, the file you never share.
The public key is what you share with the world, and it is used to crypt the messages created for you, the only one you can decrypt using your secret private key.
Be careful if you already create a key pair. You will overwrite those with the command, and the process is non-reversible.
You can extend the size of your RSA key with a command like this: ssh-keygen -t rsa -b 13360.
Now it is time to copy your public key to the server.
The command ssh-copy-id is the simplest one to use to reach our purpose.
To use the utility, specify the remote host you want to connect to and the user account to which you have password-based SSH access. This is the account where your public SSH key will be copied.
ssh-copy-id username@remote_host
The utility will connect to the account on the remote host using the password you provided. It will then copy the contents of your ~/.ssh/id_rsa.pub key into a file in the remote account’s home ~/.ssh directory called authorized_keys.
We can connect to the server using the public key if everything is correct.
To do so, use the command:
ssh username@remote_host
The final step is to disable password authentication on the server.
Before, ensure that you either have SSH key-based authentication configured for the root account on this server or, preferably, SSH key-based authentication configured for an account with sudo access.
Modify the file:
sudo nano /etc/ssh/sshd_config
PasswordAuthentication no
Remove the # at the beginning of the line if it is present.
Restart the service to implement the modification
sudo systemctl restart ssh