How to set up SSH keys on CentOS 8

Secure Shell (SSH) is a cryptographic networking protocol designed for secure communication between a client and a server.

The two most popular SSH authentication mechanisms are password based authentication and public key authentication. Using SSH keys is generally more secure and convenient than traditional password authentication.

This article describes how to generate SSH keys on CentOS 8 systems. We will also show you how to set up SSH key based authentication and connect to remote Linux servers without entering a password.

Generating SSH Keys on CentOS

Most likely, you already have an SSH key pair on your CentOS client machine. If you generate a new key pair, the old one will be overwritten.

Run the ls command to check if the key files exist:

ls -l ~/.ssh/id_*.pub

If the command prints something like No such file or directory or no matches found, the user does not have SSH keys, and you can proceed to the next step and generate an SSH key pair.

Otherwise, if you have an SSH key pair, you can use them, or back up the old keys and generate new ones.

Generate a new 4096 bit SSH key pair with your email address as a comment by entering the following command:

ssh-keygen -t rsa -b 4096 -C "your_email@domain.com"

You will be prompted for a filename:

Enter file in which to save the key (/home/yourusername/.ssh/id_rsa):

Press Enter to accept the default file location and file name.

Next, you will be prompted for a secure passphrase. Whether you want to use a passphrase is up to you. The passphrase will add an extra layer of security. If you don’t want to use a passphrase, just press Enter.

Enter passphrase (empty for no passphrase):

To verify that your new SSH key pair has been generated, enter:

ls ~/.ssh/id_*

/home/yourusername/.ssh/id_rsa /home/yourusername/.ssh/id_rsa.pub

Copy the public key to the server

Now that the SSH key pair is generated, the next step is to copy the public key to the server you want to manage.

The easiest and recommended way to copy the public key to a remote server is to use the ssh-copy-id utility. In a terminal on your local machine, type:

ssh-copy-id remote_username@server_ip_address

The command will ask you for the remote_username password:

remote_username@server_ip_address's password:

After authenticating the user, the contents of the public key file (~/.ssh/id_rsa.pub) will be appended to the remote user’s ~/.ssh/authorized_keys file and the connection will be closed.

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'remote_username@server_ip_address'"
and check to make sure that only the key(s) you wanted were added.

If ssh-copy-id is not available on your local machine, use the following command to copy the public key:

cat ~/.ssh/id_rsa.pub | ssh remote_username@server_ip_address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

Login to your server using SSH keys

After following the steps above, you will be able to log into the remote server without being prompted for a password.

To test this, try logging into your server via SSH:

ssh remote_username@server_ip_address

If you have not set a passphrase for the private key, you will be immediately signed in. Otherwise, you will be prompted for a passphrase.

Disable SSH Password Authentication

To add an extra layer of security to the remote server, you can disable SSH password authentication.

Before proceeding, make sure you can log into your server without a password as a user with sudo privileges.

To disable SSH password authentication, follow these steps:

  1. Login to your remote server:
    ssh remote_username@server_ip_address
  2. Open the SSH configuration file /etc/ssh/sshd_config with a text editor:
    sudo nano /etc/ssh/sshd_config
  3. Find the following directives in /etc/ssh/sshd_config and change them as follows:
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    UsePAM no
  4. When you’re done, save the file and restart the SSH service by typing:
    sudo systemctl restart sshd

At this point, password-based authentication is disabled.
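
A check of the effective server settings after these steps, as an added example that is not part of the original article: it reads the "keyword value" lines that sshd -T prints and confirms that key login is on and both password paths are off. The function names and sample text are constructed for illustration, and the kbdinteractiveauthentication fallback goes beyond the article to cover newer OpenSSH releases.

```shell
#!/bin/sh
# Added example: audit the effective sshd settings printed by `sshd -T`
# (one "keyword value" pair per line). Names and samples are constructed.

# Print the value of keyword $2 found in `sshd -T`-style text $1.
effective_value() {
    printf '%s\n' "$1" | awk -v k="$2" 'tolower($1) == k { print tolower($2); exit }'
}

# Return 0 only when key login is on and both password paths are off.
audit_sshd() {
    cfg=$1
    rc=0
    if [ "$(effective_value "$cfg" pubkeyauthentication)" != yes ]; then
        echo "FAIL pubkeyauthentication is not yes (key login would not work)"
        rc=1
    fi
    if [ "$(effective_value "$cfg" passwordauthentication)" != no ]; then
        echo "FAIL passwordauthentication is not no"
        rc=1
    fi
    # Newer OpenSSH made ChallengeResponseAuthentication an alias of
    # KbdInteractiveAuthentication, so accept either keyword.
    cr=$(effective_value "$cfg" challengeresponseauthentication)
    [ -n "$cr" ] || cr=$(effective_value "$cfg" kbdinteractiveauthentication)
    if [ "$cr" != no ]; then
        echo "FAIL challenge-response (keyboard-interactive) login is not no"
        rc=1
    fi
    [ "$rc" -ne 0 ] || echo "OK only key-based login is accepted"
    return "$rc"
}

# Constructed sample: excerpt of `sshd -T` output after the steps above.
SAMPLE_HARDENED='port 22
pubkeyauthentication yes
passwordauthentication no
challengeresponseauthentication no
usepam no'
# Constructed sample: same server before PasswordAuthentication was changed.
SAMPLE_BEFORE='port 22
pubkeyauthentication yes
passwordauthentication yes
challengeresponseauthentication no
usepam yes'

audit_sshd "$SAMPLE_HARDENED" || true
audit_sshd "$SAMPLE_BEFORE" || true
# On the server itself: audit_sshd "$(sudo sshd -T)"
```

Run it on the server while your current session is still open, so that a FAIL can be fixed before you log out.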

Conclusion

We showed you how to generate a new SSH key pair and set up SSH key based authentication. You can use the same key to manage multiple remote servers. You also learned how to disable SSH password authentication and add an extra layer of security to your server.

By default, SSH listens on port 22. Changing the default SSH port reduces the risk of automated attacks. To simplify your workflow, use an SSH config file to define all of your SSH connections.

If you have any questions or feedback, do not hesitate to leave comments.