SSH Keys on CentOS 8

SSH, or secure shell, is an encrypted protocol used to administer and communicate with servers. When working with a CentOS server, chances are you will spend most of your time in a terminal session connected to your server through SSH.

In this guide, we’ll focus on setting up SSH keys for a CentOS 8 server. SSH keys provide a straightforward, secure method of logging into your server and are recommended for all users.

Creating SSH keys on CentOS

The chances are that you already have an SSH key pair on your CentOS client machine. If you are generating a new key pair, the old one will be overwritten.

Run the following ls command to check whether the key files exist:

ls -l ~/.ssh/id_*.pub

If the output of the command returns something like No such file or directory, or no matches found it means that the user does not have SSH keys, and you can proceed with the next step and generate SSH key pair.

Otherwise, if you have an SSH key pair, you can either use those or backup up the old keys and generate new ones.

Generate a new 4096 bits SSH key pair with your email address as a comment by entering the following command:

ssh-keygen -t rsa -b 4096 -C "your_email@domain.com"

You will be prompted to specify the file name:

Enter file in which to save the key (/home/yourusername/.ssh/id_rsa):

Press Enter to accept the default file location and file name.

Next, you’ll be asked to type a secure passphrase. Whether you want to use passphrase, it’s up to you. A passphrase will add an extra layer of security. If you don’t want to use passphrase just press Enter.

Enter passphrase (empty for no passphrase):

The whole interaction looks like this:

generate a new ssh key pair

To verify your new SSH key pair is generated, type:

ls ~/.ssh/id_*
/home/yourusername/.ssh/id_rsa /home/yourusername/.ssh/id_rsa.pub

Copy the Public Key to the Server

Now that the SSH key pair is generated, the next step is to copy the public key to the server you want to manage.

The easiest and the recommended way to copy the public key to the remote server is to use the ssh-copy-id utility. On your local machine terminal type:

ssh-copy-id remote_username@server_ip_address

The command will ask you to enter the remote_username password:

remote_username@server_ip_address's password:

Once the user is authenticated, the content of the public key file (~/.ssh/id_rsa.pub) will be appended to the remote user ~/.ssh/authorized_keys file, and connection will be closed.

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'username@server_ip_address'"
and check to make sure that only the key(s) you wanted were added.

If ssh-copy-id is not available on your local computer, use the following command to copy the public key:

cat ~/.ssh/id_rsa.pub | ssh remote_username@server_ip_address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Login to your server using SSH keys

After completing the steps above, you should be able to log in to the remote server without being prompted for a password.

To verify it, try to login to your server via SSH:

ssh remote_username@server_ip_address

If you haven’t set a passphrase for the private key, you will be logged in immediately. Otherwise, you will be asked to enter the passphrase.

Disabling SSH Password Authentication

To add an additional layer of security to your remote server, you can disable SSH password authentication.

Before continuing, make sure you can log in to your server without a password as a user with sudo privileges.

Follow the steps below to disable SSH password authentication:

  1. Log into your remote server:ssh sudo_user@server_ip_address
  2. Open the SSH configuration file /etc/ssh/sshd_config with your text editor:sudo nano /etc/ssh/sshd_config
  3. Search for the following directives and modify as it follows:/etc/ssh/sshd_configPasswordAuthentication no ChallengeResponseAuthentication no UsePAM noCopy
  4. Once you are done save the file and restart the SSH service by typing:sudo systemctl restart ssh

At this point, the password-based authentication is disabled.

We’ve shown you how to generate a new SSH key pair and set up an SSH key-based authentication. You can use the same key to manage multiple remote servers. You have also learned how to disable SSH password authentication and add an extra layer of security to your server.

 

Leave a Reply