How To Set Up SSH Keys on CentOS 7

Dominic Elford
Published: 13 July 2021

SSH, or the Secure Shell Protocol, is a protocol used to enable computers and servers to communicate. An important feature of SSH is that it is always encrypted, meaning it allows two computers to communicate securely over an insecure network.

Here we'll go through setting up SSH keys for a CentOS 7 server. SSH keys are a straightforward and secure method of logging into your server and are recommended for all users.

Step 1 — Creating an RSA Key Pair

The first step is to create a key pair on the client machine, the one that will make the connection. This is usually your local computer.

This can be done with:

$ ssh-keygen

The default behaviour of ssh-keygen is to create a 2048-bit RSA key pair. For most use cases this is strong enough, but you can also create a 4096-bit key by adding the flag -b 4096 to the command.

After running the command you should see output like the following:

Generating public/private rsa key pair.
Enter file in which to save the key (/yourHomePath/.ssh/id_rsa):

You'll need to press ENTER here to save the key pair into the .ssh subdirectory in your home directory. Or you can specify a different path altogether.

If you already have a key in the given location you may see a prompt like the following:

/yourHomePath/.ssh/id_rsa already exists.
Overwrite (y/n)?

If you choose to overwrite the old key it will be deleted and will no longer be usable, so be careful when doing this.

You'll then see the following prompt:

Enter passphrase (empty for no passphrase):

Here you can set a passphrase for the key pair. This is recommended for increased security, as it prevents an unauthorised user who obtains the private key file from using it.

You should then see:

Your identification has been saved in /yourHomePath/.ssh/id_rsa.
Your public key has been saved in /yourHomePath/.ssh/id_rsa.pub.
The key fingerprint is:
a9:49:2e:2a:5e:33:3e:a9:de:4e:77:11:58:b6:90:26 username@remote_host
The key's randomart image is:
+--[ RSA 2048]----+
|     ..o         |
|   E o= .        |
|    o. o         |
|        ..       |
|      ..S        |
|     o o.        |
|   =o.+.         |
|. =++..          |
|o=++.            |
+-----------------+

You now have a public/private key pair you can use to authenticate connections. We'll next need to copy the public key onto our server.
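The following is an added example, not part of the original article, showing the same key generation done non-interactively with the 4096-bit size mentioned above, plus two checks that are useful afterwards: reading the key's fingerprint and size, and regenerating the public key from the private key if id_rsa.pub is ever lost. It assumes OpenSSH's ssh-keygen is installed; the key file name and comment are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the article): generate a 4096-bit RSA key pair
# non-interactively and inspect it. Assumes OpenSSH's ssh-keygen is installed.
# KEYFILE and COMMENT are placeholder values supplied by the caller.

# make_rsa_key KEYFILE COMMENT [PASSPHRASE]
# Creates KEYFILE (private) and KEYFILE.pub (public). Refuses to overwrite an
# existing key, mirroring the interactive "Overwrite (y/n)?" prompt.
make_rsa_key() {
    keyfile=$1
    comment=$2
    passphrase=${3:-}
    if [ -e "$keyfile" ]; then
        echo "refusing to overwrite existing key: $keyfile" >&2
        return 1
    fi
    # -q suppresses the randomart banner; -N '' means no passphrase.
    ssh-keygen -q -t rsa -b 4096 -f "$keyfile" -N "$passphrase" -C "$comment"
}

# key_fingerprint PUBKEYFILE
# Prints the SHA256 fingerprint; compare it with what the server reports when
# auditing which keys are present in authorized_keys.
key_fingerprint() {
    ssh-keygen -l -E sha256 -f "$1" | awk '{print $2}'
}

# key_bits PUBKEYFILE
# Prints the key size so you can confirm that -b 4096 took effect.
key_bits() {
    ssh-keygen -l -f "$1" | awk '{print $1}'
}

# recover_pubkey PRIVKEYFILE
# Regenerates the public key line from the private key (prompts for the
# passphrase if the private key has one).
recover_pubkey() {
    ssh-keygen -y -f "$1"
}

# Example run (writes into a temporary directory rather than ~/.ssh):
if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_rsa_key "$dir/id_rsa_example" "demo@example.local"
    echo "bits: $(key_bits "$dir/id_rsa_example.pub")"
    echo "fingerprint: $(key_fingerprint "$dir/id_rsa_example.pub")"
    rm -rf "$dir"
fi
```

Keeping the fingerprint somewhere you can refer back to it lets you confirm later that the key installed on a server is the one you intended and nothing else.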

Step 2 — Copying the Public Key to Your Server

The quickest method of copying your public key to your server is to use a utility called ssh-copy-id. If you don't have ssh-copy-id available to you, there are two other methods that can be used, which we will cover later in this article.

Copying your Public Key Using ssh-copy-id

The ssh-copy-id utility is included as standard with many operating systems. As such you may already have it on your local system. However, for this to work you must already have password-based SSH access to your server.

To use the tool you'll only need to specify the remote host you would like to connect to and the user account you have password SSH access to. This is the account your public SSH key will be copied to:

$ ssh-copy-id username@remote_host

When doing this you may get the following message:

The authenticity of host '45.8.225.59 (45.8.225.59)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

This means your local system doesn't recognise the host you're connecting to. This will happen whenever you first connect to a new host. Type yes and press ENTER to continue.

The tool will now scan your local account for the id_rsa.pub key we created. Once it has found the key it will ask you for the password for the remote user's account:

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@45.8.225.59's password:

Enter the password and press ENTER. ssh-copy-id will then connect to the account on the other server and copy the contents of ~/.ssh/id_rsa.pub into your remote account's ~/.ssh/authorized_keys file.

You should then see the following:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'username@45.8.225.59'"
and check to make sure that only the key(s) you wanted were added.

Your id_rsa.pub key should now have been uploaded to the account on your remote server. You can continue on to Step 3.

Copying the Public Key Using SSH

If you don't have ssh-copy-id available but you do have password-based SSH access to the remote server, you can upload your keys using a more conventional method.

We can do this using the cat command to read the contents of our public SSH key on our local system and piping that through an SSH connection to the remote server.

On the other server we also need to make sure that the ~/.ssh directory exists and that it has the correct permissions under the account we're using.

We can then append the piped-over key to a file called authorized_keys within this directory. We'll use the >> redirection operator to append to the file without overwriting existing content, which avoids removing any previously added keys.

The full command then looks like so:

$ cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"

When doing this you may get the following message:

The authenticity of host '45.8.225.59 (45.8.225.59)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

This means your local system doesn't recognise the host you're connecting to. This will happen whenever you first connect to a new host. Type yes and press ENTER to continue.

You should then be asked for the remote user's password:

username@45.8.225.59's password:

After entering your password the contents of your id_rsa.pub key will be copied to the end of the authorized_keys file of the remote user's account. You can now continue to Step 3 if this was successful.

Copying the Public Key Manually

If you do not have password based SSH access to your server you may have to complete the process manually.

We'll now go through manually appending the content of your id_rsa.pub file to the ~/.ssh/authorized_keys file on your remote server.

To see the contents of your id_rsa.pub key you can type this into your local computer:

$ cat ~/.ssh/id_rsa.pub

You will see the key's content, which should look similar to this:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuU1IPiy3Jrtylyx6sB0ZkfgxphvYCqzJmOJ7p0zTyg9VEPK7C1B8zhT8c3pGlhckDoZPqlvOOgFXlTaG9YfQlvhCuEPkK7OreGvrK/f1Gf7fC6RjcN+ukUa3YPPWEb4PUmA8lSSKSLzFCbXzI7rRDgsbhJJt857vAvFCjVoF8gPOPuj7wytYXgewuXeLtNC0WTKTKDxUT+Jps5lfwQfWS3slju2565ENRr5IuriinKa5hzzcKPGYmA9PFMlYqN2GQyVq4bsvc+/oBXnMK2UMN/wL3HuheJuVN9esY6tlFE5eXvxeVEWnAgowDYv8HHO2sLMLX9CAKLh7TB1WVh5/Uw== admin@example.server

Now log in to your remote server using whatever method you have available to you.

Once in, you should make sure that the ~/.ssh directory exists. If not, you can create the directory with the following command. If the directory does already exist, this won't do anything:

$ mkdir -p ~/.ssh

Now you can create or update the authorized_keys file in this directory. You'll need to add the content of your id_rsa.pub to the end of the authorized_keys file, creating it if needed, using the command:

$ echo publicKeyString >> ~/.ssh/authorized_keys

In the above command the publicKeyString is the output from the command cat ~/.ssh/id_rsa.pub we ran before.

Lastly we'll need to ensure that the ~/.ssh directory and authorized_keys file have the correct permissions set:

$ chmod -R go= ~/.ssh

This command will recursively remove all group and other permissions from the ~/.ssh directory and everything inside it, including authorized_keys.

If you're using the root account to set up the keys for a user account then it's also important you make sure that the ~/.ssh directory belongs to the intended user and not to the root user:

$ chown -R admin:admin ~/.ssh

In this example our user is named admin but you should substitute that with the name of the appropriate user when running the above command.

We should now be able to connect to our server using key-based authentication.
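The following is an added example, not part of the original article, that does what the SSH-pipe and manual methods above do (create ~/.ssh, append the key, fix permissions, optionally fix ownership) as one reusable function, with two checks the one-liners lack: it refuses input that is not a single public key line, and it skips keys that are already present so re-running it never duplicates entries. The home directory and owner are parameters chosen for the example; on a server you would pass the target user's home directory and, when running as root, that user's name.

```shell
#!/bin/sh
# Added example (not from the article): install a public key into an account's
# authorized_keys idempotently, with the permissions sshd expects.
# HOMEDIR, PUBKEY_LINE and OWNER are parameters chosen for this example.

# install_authorized_key HOMEDIR PUBKEY_LINE [OWNER]
install_authorized_key() {
    homedir=$1
    pubkey=$2
    owner=${3:-}
    sshdir="$homedir/.ssh"
    authfile="$sshdir/authorized_keys"

    # Accept only a single public key line. A pasted private key block or a
    # multi-line blob must never be written into authorized_keys.
    case $pubkey in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not a public key line: $pubkey" >&2; return 1 ;;
    esac
    if [ "$(printf '%s\n' "$pubkey" | wc -l | tr -d ' ')" -ne 1 ]; then
        echo "public key must be exactly one line" >&2
        return 1
    fi

    # mkdir -p is a no-op if the directory already exists, as in the article.
    mkdir -p "$sshdir"
    touch "$authfile"

    # Append only if the key type and base64 body are not already present, so
    # repeated runs (or a re-run after a failed session) add nothing new.
    keybody=$(printf '%s\n' "$pubkey" | cut -d' ' -f1-2)
    if ! grep -qF -- "$keybody" "$authfile"; then
        printf '%s\n' "$pubkey" >> "$authfile"
    fi

    # sshd (with StrictModes, the default) ignores keys in group- or
    # world-writable locations: 700 on the directory, 600 on the file.
    # This is the effect of the article's chmod -R go= ~/.ssh.
    chmod 700 "$sshdir"
    chmod 600 "$authfile"

    # When provisioning another user as root, hand the files back to them.
    if [ -n "$owner" ]; then
        chown -R "$owner:$owner" "$sshdir"
    fi
}

# count_keys HOMEDIR
# Number of key lines currently authorized for the account.
count_keys() {
    grep -c -E '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys"
}

# check_perms HOMEDIR
# Returns 0 only if the directory is 700 and authorized_keys is 600.
check_perms() {
    [ -n "$(find "$1/.ssh" -maxdepth 0 -perm 700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -maxdepth 0 -perm 600)" ]
}

# Example run against the calling user's own home directory:
#   install_authorized_key "$HOME" "$(cat ~/.ssh/id_rsa.pub)"
#   check_perms "$HOME" && echo "permissions OK, $(count_keys "$HOME") key(s)"
```

The duplicate check compares only the key type and base64 body, not the trailing comment, so the same key pasted with a different comment is still recognised as already installed.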

Step 3 — Logging In to Your Server Using SSH Keys

If you have completed one of the above procedures you should now be able to log into your remote server without needing the remote user account's password.

The process begins the same as with password-based authentication:

$ ssh username@remote_host

When doing this you may get the following message:

The authenticity of host '45.8.225.59 (45.8.225.59)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

This means your local system doesn't recognise the host you're connecting to. This will happen whenever you first connect to a new host. Type yes and press ENTER to continue.

If you did not set a passphrase for the key pair earlier then you will be logged in straight away. If you did set a passphrase then you should be asked to enter it now. After doing so a new shell session should open for you with the configured account on the server.

If the key-based authentication worked then you can continue with the next step to learn how to further secure your system by turning off your server's password-based SSH authentication.

Step 4 — Disabling Password Authentication on your Server

If you've been able to log in to your server using SSH without a password (with the exception of any passphrase set for the key pair), you have successfully set up key-based authentication for your remote account. However, password-based authentication is still active, so the server is still vulnerable to brute-force attacks.

Before you continue with this step please make sure you have either SSH-key-based authentication configured for the root account on this server, or preferably, that you have SSH-key-based authentication configured for a non-root account on this server with sudo privileges. To see how to create a non-root user, please see this article: Initial Server Setup with CentOS 7.

This step will disable password-based authentication to the server, so making sure you will continue to have administrative access is critical.

Now you've confirmed that your remote access has administrative privileges you can login to your remote server with the SSH keys we've just set up, as either root or with an account that has sudo privileges. Then open the SSH daemon’s config file:

$ sudo vi /etc/ssh/sshd_config

Once inside the file you'll want to search for a directive called PasswordAuthentication. This may be commented out using a hash #. If you then press i to put vi into INSERT mode, you can uncomment the line by deleting the # and setting the value to no. This will disable password-based authentication for SSH access to the server:

...
PasswordAuthentication no
...

Once you have made the change you'll need to hit ESC, then type :wq and hit ENTER to write the changes to the file and quit out of it.

Then to actually implement the changes to the server you'll need to restart the sshd service:

$ sudo systemctl restart sshd
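The following is an added example, not part of the original article, that makes the same sshd_config change without an interactive editor and adds the checks a careful operator wants around it: it handles the directive being commented out, set to yes, or absent; it keeps a backup; it reads back the value sshd will actually use (the first uncommented occurrence); it runs sshd's own syntax test before the restart; and it performs the new-terminal login test in a form that cannot silently fall back to a password prompt. The config path is a parameter so it can be tried on a copy; on the server it is /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example (not from the article): set an sshd_config directive safely.
# CONFIG is a parameter chosen for this example (the real file is
# /etc/ssh/sshd_config and requires root to edit).

# set_sshd_directive CONFIG NAME VALUE
set_sshd_directive() {
    cfg=$1; name=$2; value=$3
    # Keep a backup so the change can be reverted if the login test fails.
    cp "$cfg" "$cfg.bak"
    if grep -qE "^[[:space:]]*#?[[:space:]]*$name([[:space:]]|$)" "$cfg"; then
        # Directive present, commented or not: rewrite every occurrence in
        # place (CentOS ships both a commented and an uncommented line).
        # Writing through cat keeps the file's mode and ownership.
        sed -E "s/^[[:space:]]*#?[[:space:]]*$name([[:space:]].*)?$/$name $value/" "$cfg" > "$cfg.tmp"
        cat "$cfg.tmp" > "$cfg"
        rm -f "$cfg.tmp"
    else
        # Directive absent: append it so the setting is explicit.
        printf '%s %s\n' "$name" "$value" >> "$cfg"
    fi
}

# effective_value CONFIG NAME
# sshd uses the FIRST uncommented occurrence of a directive, so report that one.
effective_value() {
    awk -v name="$2" '$1 == name { print $2; exit }' "$1"
}

# validate_sshd_config CONFIG
# Syntax-check the file with sshd's test mode before restarting the service;
# a typo here would otherwise leave you with no working SSH daemon.
validate_sshd_config() {
    sshd -t -f "$1"
}

# check_key_login USER@HOST
# The "open a new terminal and test" step from the article, made strict:
# BatchMode=yes makes ssh fail instead of prompting, and disabling password
# authentication on the client side proves the key itself was accepted.
# (A passphrase-protected key needs to be loaded in ssh-agent for this.)
check_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no "$1" true
}

# Server-side sequence (run as root):
#   set_sshd_directive /etc/ssh/sshd_config PasswordAuthentication no
#   validate_sshd_config /etc/ssh/sshd_config && systemctl restart sshd
# Then from a NEW terminal on the client:
#   check_key_login username@remote_host && echo "key login OK"
```

Because the rewrite touches every occurrence of the directive, check the result if your sshd_config contains Match blocks that deliberately re-enable password authentication for particular users or addresses; effective_value reports only the global, first-seen value.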

Then, as good practice you should open up a new terminal window and test the SSH service is functioning correctly before closing the current session:

$ ssh username@remote_host

Once you have confirmed that the SSH service is still working as expected, you can safely close all current server sessions.

The SSH daemon on your server now only allows the use of SSH keys. Password-based authentication has been disabled.

You should now have SSH-key-based authentication configured on your server, allowing you to sign in without needing an account password.
