Read in 4 minutes
last updated
How to Set Up SSH Keys on CentOS 7
Secure Shell (SSH) is a cryptographic network protocol designed for secure connection between a client and a server.
The two most popular SSH authentication mechanisms are passwords based authentication and public key based authentication. Using SSH keys is generally more secure and convenient than traditional password authentication.
This tutorial explains how to generate SSH keys on CentOS 7 systems. We will also show you how to setup an SSH key-based authentication and connect to your remote Linux servers without entering a password.
Creating SSH keys on CentOS
Before generating a new SSH key pair, it is a good idea to check for existing SSH keys on your CentOS client machine.
To do so, run the following command that will list all public keys if there are any:
ls -l ~/.ssh/id_*.pubIf the output of the command returns something like No such file or directory or no matches found it means that you don’t have SSH keys on your client machine and you can proceed with the next step and generate SSH key pair.
If there are existing keys, you can either use those and skip the next step or backup up the old keys and generate new ones.
Start by generating a new 4096 bits SSH key pair with your email address as a comment:
ssh-keygen -t rsa -b 4096 -C "[email protected]"You will be prompted to specify the file name. :
Enter file in which to save the key (/home/yourusername/.ssh/id_rsa):Press Enter to accept the default file location and file name.
Next, you’ll be asked to type a secure passphrase. Whether you want to use passphrase its up to you. If you choose to use passphrase you will get an extra layer of security.
Enter passphrase (empty for no passphrase):If you don’t want to use passphrase just press Enter
The whole interaction looks like this:
To verify your new SSH key pair is generated, type:
ls ~/.ssh/id_*/home/yourusername/.ssh/id_rsa /home/yourusername/.ssh/id_rsa.pubCopy the Public Key to CentOS Server
Now that the SSH key pair is generated, the next step is to copy the public key to the server you want to manage.
The easiest and the recommended way to copy the public key to the remote server is by using an utility called ssh-copy-id. On your local machine terminal type:
ssh-copy-id [email protected]_ip_addressYou will be prompted to enter the remoteusername password:
[email protected]_ip_address's password:Type the password and once the user is authenticated, the public key ~/.ssh/id_rsa.pub will be appended to the remote user ~/.ssh/authorized_keys file and connection will be closed.
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]_ip_address'"
and check to make sure that only the key(s) you wanted were added.If the ssh-copy-id utility is not available on your local computer, use the following command to copy the public key:
cat ~/.ssh/id_rsa.pub | ssh [email protected]_ip_address "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"Login to your server using SSH keys
After completing the steps above you should be able login to the remote server without being prompted for a password.
To verify it, try to login to your server via SSH:
ssh [email protected]_ip_addressIf you didn’t setup a passphrase for the private key, you will be logged in immediately. Otherwise you will be prompted to enter the passphrase.
Disabling SSH Password Authentication
To add an additional layer of security to your remote server you can disable SSH password authentication.
Before continuing make sure you can login to your server without a password as a user with sudo privileges.
Follow the steps below to disable SSH password authentication:
Log into your remote server:
ssh [email protected]_ip_addressOpen the SSH configuration file
/etc/ssh/sshd_configwith your text editor:sudo nano /etc/ssh/sshd_configSearch for the following directives and modify as it follows:
/etc/ssh/sshd_configPasswordAuthentication no ChallengeResponseAuthentication no UsePAM noOnce you are done save the file and restart the SSH service by typing:
sudo systemctl restart ssh
At this point, the password based authentication is disabled.
Conclusion
In this tutorial you have learned how to generate a new SSH key pair and setup an SSH key-based authentication. You can add the same key to multiple remote serves.
We have also shown you how to disable SSH password authentication and add an additional layer of security to your server.
If you have any question or feedback feel free to leave a comment.