
Configure SSH Key-Based Authentication on an Ubuntu Linux Server

Updated: Jan 24



SSH, or secure shell, is an encrypted protocol used to administer and communicate with servers. SSH is the main access point to your server and one of its most exposed services, which makes it a frequent target for attackers. Since the primary method of configuration is via SSH, you will want to harden this protocol. Authentication using a public key is based on digital signatures, and it is more secure and convenient than traditional password authentication. In this guide, we will walk through a straightforward process of implementing SSH key-based authentication.


Disclaimer: If you use a Virtual Private Server (VPS), your provider might offer a section on their web management portal to add SSH keys. You would then simply add the public key that you generate from this guide to that portal, associate the key with a specific server, and reboot. You would then attach the private key using one of the SSH methods described in the guide below.

 

Prerequisites


  1. A physical or virtual server running Ubuntu

  2. Safe location to store your private key

  3. MobaXterm or PuTTY SSH client

While making changes to your servers, remember to always open a secondary SSH connection. A simple mistake can permanently lock you out. Another connection running concurrently will allow you to flip over and revert your misconfiguration.

 

Generating SSH Keys


(Method 1) MobaXterm:

Open the client (from your personal computer) and browse to Tools -> MobaXterm SSH Key Generator.


(Method 2) PuTTY:

PuTTY installs a separate application for key generation. From your personal computer's Start Menu, search for PuTTYgen, and open the application.




 

Both applications look identical and serve the same purpose, so we can use the same guide. I will use MobaXterm in this example.


You will see a field called Number of bits in a generated key in the lower right corner. The default value of 2048 is sufficient for most use cases, but I'll change mine to 4096.


[Image: MobaXterm SSH Key Generator, set to generate an RSA 4096-bit key]

Click on Generate. You will be asked to "Please generate some randomness by moving the mouse over the blank area." Moving your mouse over this blank area while the key generates feeds unpredictable user input into the key generation.


Once the key is generated, the public key is displayed in the Key block. It is recommended that you protect the private key by setting a Key passphrase. A passphrase adds an extra layer of security by protecting the private key from unauthorized use. Ideally, the passphrase should be a long, complex, randomly generated string of letters, numbers, and characters. Keep the passphrase in a secure location like an encrypted password manager.


[Image: MobaXterm Key Passphrase]

Click Save private key and select a secure but easily accessible location on your personal computer or encrypted cloud storage. It is common to use a descriptive name for the .ppk private key file, so it's easily identifiable. Optionally, you may choose Save public key, though this can be regenerated later by selecting Load and importing your saved private key.


[Image: MobaXterm Save Private Key]

Right-click in the Public key text field and choose Select All. This highlights all the text. Right-click again and select Copy. Open your favorite text editor, paste the key, and save it. It is advisable to save the file in the same directory as the private key, using the same name as the private key, only with a .txt or equivalent file extension. This key will now be added to our Linux server.

[Image: MobaXterm Select All - Copy Public key]


 

Copy the Public Key to the Server


Establish an SSH connection to your server using your admin credentials.


If your SSH directory does not exist yet, which is likely, create it with the mkdir command and then set the correct permissions:

sudo mkdir -p ~/.ssh
sudo chmod 0700 ~/.ssh

Now we will paste the public key that you copied previously into the authorized_keys file using nano:

sudo nano ~/.ssh/authorized_keys

The entire public key text must be on a single line.

[Image: SSH Authorized Keys]

Hit Ctrl+X, Y for Yes, and then Enter to confirm the File Name to Write (Save).


Run the following chmod command to ensure only your user can read and write the ~/.ssh/authorized_keys file:

sudo chmod 0600 ~/.ssh/authorized_keys

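Because the commands above ran under sudo, the .ssh directory and the authorized_keys file are owned by root. Now we will change ownership of the .ssh directory back to your user using the following command: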

sudo chown $USER:$USER ~/.ssh -R

Let's modify the SSH configuration file to include a new authorized_keys location:

sudo nano /etc/ssh/sshd_config

Arrow down until you reach #AuthorizedKeysFile and remove the # so it reads AuthorizedKeysFile. You will now add the following at the end of that line:

%h/.ssh/authorized_keys

Once completed the line should look like the following:

[Image: Expected SSH Authorized Key Location]

Hit Ctrl+X, Y for Yes, and then Enter to confirm the File Name to Write (Save).


Now restart your SSHD service for the change to take effect:

sudo service ssh restart
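
The permission, ownership and single-line requirements from the steps above can be checked in one pass. The script below is an added example, not part of the original guide: check_authorized_keys is a hypothetical helper name, it assumes GNU stat (as on Ubuntu) and key lines without an options prefix, and it also flags the multi-line SSH2 file that PuTTYgen's Save public key writes, which does not work in authorized_keys.

```sh
#!/bin/sh
# Added example: audit the ~/.ssh layout this guide sets up (GNU stat, as on Ubuntu).
# check_authorized_keys DIR  -> prints one line per problem, returns 0 if none.
check_authorized_keys() {
    dir=$1; file=$dir/authorized_keys; problems=0
    [ -f "$file" ] || { echo "missing: $file"; return 1; }

    # Target modes from the guide: 0700 on the directory, 0600 on the file.
    [ "$(stat -c %a "$dir")" = 700 ] || { echo "$dir: mode is not 700"; problems=1; }
    [ "$(stat -c %a "$file")" = 600 ] || { echo "$file: mode is not 600"; problems=1; }

    # Files created through sudo stay owned by root until the chown step runs.
    for p in "$dir" "$file"; do
        [ "$(stat -c %u "$p")" = "$(id -u)" ] || { echo "$p: not owned by $(id -un)"; problems=1; }
    done

    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in
            '' | '#'*) ;;                                   # blank or comment
            '---- BEGIN SSH2'* | '---- END SSH2'* | Comment:*)
                echo "line $n: multi-line SSH2 public key file, not the one-line form"
                problems=1 ;;
            ssh-rsa\ AAAA* | ssh-ed25519\ AAAA* | ecdsa-sha2-*\ AAAA*) ;;  # one-line key
            *)  echo "line $n: no key type at start of line (key wrapped by the editor?)"
                problems=1 ;;
        esac
    done < "$file"
    return "$problems"
}
# Usage on the server, as the login user: check_authorized_keys "$HOME/.ssh"
```
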

 

Login to the Server using SSH Keys


(Method 1) MobaXterm:

[Image: MobaXterm Edit Session]

Open the client (from your personal computer), right-click on your User session, and select Edit session.


From the Session settings window, select Advanced SSH settings, place a checkmark for Use private key, and select the file icon to browse to your previously saved .ppk private key file, select it, and Open. Select OK.



[Image: MobaXterm Session Settings]


After completing the steps above, you can log into your Linux server using SSH key authentication. Initially, you may be prompted to enter your Key passphrase.

[Image: SSH key-based authentication requesting a passphrase]

To test it out, open a new MobaXterm SSH session and try to log in to the server. MobaXterm will use the loaded key, and you will be logged into the server without entering the password.


(Method 2) PuTTY:

Pageant is a PuTTY SSH authentication agent that holds the private keys in memory. Pageant is installed alongside PuTTY and can be launched by opening the Start Menu and searching for Pageant.


When you open Pageant, you won't see any windows, but instead, an icon will be placed in the system tray near the system clock. Double-click on that icon and the Pageant window will open.

[Image: PuTTY Pageant Key Passphrase]

To load a key, press the Add Key button, which will open a new file dialog. Locate the private key file and press Open. If you haven't set a passphrase, the key will be loaded immediately. Otherwise, you will be prompted to enter the passphrase. Enter the passphrase, and Pageant will load the private key.


After completing the steps above, you can log into your Linux server using SSH key authentication. Initially, you may be prompted to enter your Key passphrase.


To test it out, open a new PuTTY SSH session and log in to the remote server. PuTTY will use the loaded key, and you will be logged into the server without entering the password.




 

Disabling SSH Password Authentication

To add an extra layer of security to your server, you can disable password authentication for SSH.


Before disabling SSH password authentication, make sure you can log in to your server without a password and that the user you are logging in with has sudo privileges.


Log in to the remote server and open the SSH configuration file:

sudo nano /etc/ssh/sshd_config

Search for the following settings and modify them as follows. Be sure to remove the # to activate the setting:

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

Hit Ctrl+X, Y for Yes, and then Enter to confirm the File Name to Write (Save).


Once completed, restart the SSH service by typing:

sudo systemctl restart ssh

At this point, password-based authentication is disabled.
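
sshd keeps the first value it reads for each keyword, so a drop-in file pulled in by an Include line above your edit can leave password logins enabled even after the change. The script below is an added example, not part of the original guide: first_value and audit_password_login are hypothetical helper names, and the reader only approximates sshd's parser (it follows Include globs and skips Match blocks).

```sh
#!/bin/sh
# Added example: which value does sshd read first for a keyword?
# Simplified reader: follows Include globs, skips conditional Match blocks.
# first_value KEYWORD FILE [BASEDIR] -> prints the first global value, or returns 1.
first_value() (
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    file=$2
    base=${3:-$(dirname "$file")}        # relative Include paths resolve here
    [ -r "$file" ] || exit 1
    while read -r kw val; do
        kw=$(printf '%s' "$kw" | tr '[:upper:]' '[:lower:]')
        case $kw in
            '' | '#'*) continue ;;
            match) break ;;              # what follows is conditional, not global
            include)
                case $val in /*) ;; *) val=$base/$val ;; esac
                for inc in $val; do      # unquoted on purpose: expand the glob
                    [ -f "$inc" ] && first_value "$key" "$inc" "$base" && exit 0
                done ;;
            "$key")
                printf '%s\n' "${val%%[ #]*}"
                exit 0 ;;
        esac
    done < "$file"
    exit 1
)

# audit_password_login FILE -> returns 0 only if all three settings from this
# guide resolve to "no"; prints each resolved value.
audit_password_login() {
    rc=0
    for k in PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
        v=$(first_value "$k" "$1") || v='(not set, built-in default applies)'
        echo "$k = $v"
        [ "$v" = no ] || rc=1
    done
    return "$rc"
}
# Usage: audit_password_login /etc/ssh/sshd_config
```

On the server itself, sudo sshd -T prints the configuration sshd actually resolved, and sudo sshd -t checks the file for syntax errors before you restart the service.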


 

In this tutorial, you have learned how to generate a new SSH key pair and set up SSH key-based authentication. You can add the same key to multiple Linux servers. We have also shown you how to disable SSH password authentication and add an extra layer of security to your server.


Feel free to comment below with any questions or comments.


If you found this article informative, please support my efforts by donating to my Ethereum ENS address: geekbyte.eth

