This is the most basic stuff that every college grad student must know. Public key authentication is the most secure way of logging into any server. And it doesn’t require you to remember your password or type it every time you want to login to the server, which actually saves valuable seconds of your time.
This article is going to be all about Logging into your servers using SSH public key authentication.
Table of Contents
Why Use SSH Public Key
There are tons of benefits of using public-key authentication over traditional password-based authentication.
- You don’t have to remember your password every time you have to log in to the system.
- You don’t have to type the long password every time, which saves you time
- You can log in to multiple servers without any extra effort.
- You are always secure.
- Individual accesses can be managed using public keys.
- You don’t have to share the password between developers.
- Multiple people can access the system using the same authentication (useful in some cases).
- Github and Gitlab allow you to save your public key on their servers in order to streamline the login experience.
- And more…
This article is not going to be your guide on generating an SSH key. There are a lot of such articles out there. This article is going to give you a better knowledge about the Public key authentication and why you should always use these instead of a password.
How Does Public Key Authentication Works
Public Key authentication is a genius idea of securing communication between two parties.
It is a cryptography system in which two keys are required for authentication. The entire juice of this authentication system lies in the algorithm by which these two keys are generated.
This was invented in 1976 by Whitfield Diffie and Martin Hellman. For this reason, it is sometimes called Diffie-Hellman encryption. It is also called asymmetric encryption because it uses two keys instead of one key (symmetric encryption).
The two keys required in this authentication are called Public Key and Private Key. These two keys are always generated in pairs and they share a special connection. Let’s understand this special connection.
Server
Symmetric Key (Before Diffie-Hellman) Encryption
Before the idea of public-key encryption, people were relying on symmetric key encryption.
In symmetric encryption, there is only one key. This key is called secret key that is shared between two or multiple intended parties with which they can encrypt and decrypt the messages.
Although the symmetric encryption system is perfectly fine and secure but it suffers a major drawback. The drawback is that the secret key needs to be shared beforehand. Only then the person will be able to encrypt or decrypt the message. And trust me this is a big deal.
In today’s world, there is no easy way to share this key with another person sitting on a different continent.
Sharing key before-hand safely and securely is a big security threat in itself. And in the world war 2 they have already shown that symmetric encryption is not the way to the future.
Therefore, Diffie-Hellman encryption takes precedence over symmetric key encryption. And the entire internet communication is based on the same.
Now let’s see how public-private key encryption works.
Public-Private Key Encryption
In this encryption, mathematical beauty is used to generate two identical keys. These keys are related in a way that the message encrypted using one key (public) can only be decrypted by another key (private).
If you want to understand the mathematics to know how these two keys are generated then please read the following paper:
The public key is the one which is shared with different people and the private key is the one which is kept secure. The private key should not be shared outside.
The special connection that I was talking about is this:
messages encoded using public keys can only be decoded by its related private key.
So if the message is intended to be read by you then it should be encrypted using your public-key. In that way, you will be the only person who can decrypt the message using your private key.
Similarly, whenever you want to login to any server. You give your public key to that server. So whenever you use SSH for logging into that system, it automatically tries to identify and authenticate you using your private-public key pair.
If you want to read more how the code works, then read the following code base of openSSH:
How To Generate Unique Public-Private Key
The first step in the authentication is to generate that unique pair of keys. So, before you proceed further, refer to the following blog (https://serverpilot.io/docs/how-to-use-ssh-public-key-authentication) and set up your public and private key. And then I will show you how can you use your public key to log in to your Github account.
As soon as you set up the keys come back and then we will proceed further and log into the server.
After generating the keys you will find two keys in your ~/.ssh
directory.
- id_rsa (private key)
- id_rsa.pub (public key)
Adding id_rsa.pub Key To Server’s Authorized Keys
Before you can log in to your server using asymmetric authentication, you will need to add your id_rsa.pub
key to the .ssh/authorized_key
file.
And for that, you will have to log in to your server once with your username and password.
And before that first copy your ~/.ssh/id_rsa.pub
in your clipboard by typing below command:
pbcopy < ~/.ssh/id_rsa.pub
Now log in to your server:
ssh username@131.34.15.211
It will ask you to type the password (hidden for security reason). Once you type the password, you will be logged into your server.
Next step is to contact the copied key to the ~/.ssh/authorized_keys
file:
cat >> ~/.ssh/authorized_keys {paste id_rsa.pub key here}
Press control + d
to exit the command.
Logging To Your Server Without Password
Once you have added your public key to the authorized_key file in your server, you can now login without typing your password.
All you need to do is ssh into the server and the rest will be taken care by the ssh utility.
ssh username@131.34.15.211
That is all. You should be able to log into the server.
Next and most important step is to disable password-based login into the system. Although you have added the public key to the server, still your password is enabled and anyone trying to brute force the combination might log into the system.
So, to completely secure your server, the wise thing is to disable the password-based authentication into the system.
Disabling Password-Based Authentication
Log into your server: ssh username@131.34.15.211
.
The configuration for disabling the PasswordAuthentication is kept in the following file: /etc/ssh/sshd_config
Open the file in the editor, use VI editor to open the file by typing following command: vi /etc/ssh/sshd_config
Find the line that says:
PasswordAuthentication yes
If the above line is commented, then uncomment the line and replace yes with no. So, the above line should look like:
PasswordAuthentication no
Now restart the server for it to take effect by typing following command:
service sshd restart
Password access should now be removed from the server.
Conclusion
This article was intended to give you a piece of brief information about the working of Public-Private Key encryption. And how you can use rsa public key to log in to your servers.
Here is a list of topics that we covered in this article:
- Why Use Public-Key Authentication?
- How does public-key authentication works?
- How to generate unique public-private asymmetric keys?
- Adding public key to the server’s authorized_keys file
- Logging to your server without password
- Disabling PasswordAuthentication on your server so that no one login using their passwords.
Let me know how you find this article. Waiting for your response.