SSH Public Key Authentication - Server Configuration

Public key authentication is a technique we use internally to allow SSH access between web hosting and dedicated server machines without requiring us to use a password in order to log into each machine.

Typically speaking, this method is more secure than a standard username / password login, and it also eliminates SSH sentry problems. For both of these reasons we encourage all customers to use this method of authentication when connecting via SSH. To learn more, you can read our article on Securing Remote Access via SSH and Server Security.

Setting up

On the machine that you will be connecting from, generate your private / public key pair using the following:

ssh-keygen -t rsa -b 2048

This will ask a number of questions; the defaults are generally fine. A passphrase is optional but recommended: if someone somehow gets hold of your private key, an unprotected key lets them log into any machine it is authorised on unchallenged. With a passphrase set, you will be prompted to type it in while the secure connection is being established.

This will generate two files:

  • id_rsa - private key; this should never be divulged to anyone.

  • id_rsa.pub - public key; this needs to find its way onto the remote server for this to work.

In order to complete this process, your public key needs to end up in ~/.ssh/authorized_keys on the server. Assuming the .ssh directory exists and there are no other keys present on the server, the following command can be used to copy it across (note that it overwrites any existing authorized_keys file):

scp .ssh/id_rsa.pub user@host:.ssh/authorized_keys

Gotchas

  • The most common problem with public key authentication is incorrect file permissions.
    • The private key should ONLY be accessible to the user account, e.g. chmod 600 id_rsa

    • The public key should only be writable by the user, e.g. chmod 604 id_rsa.pub
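The setup steps and the permission gotchas above, as an added shell example that is not part of the original article: an audit of the .ssh directory against the modes the article recommends, and an install function that appends a public key to authorized_keys without clobbering keys that are already there (unlike the scp command). Function names are our own; the 700 mode for the directory and 600 for authorized_keys are assumptions based on what sshd's StrictModes accepts.

```shell
#!/bin/sh
# Added example, not from the original article. Modes 600 (private key) and
# 604 (public key) are the article's; 700 for ~/.ssh and 600 for
# authorized_keys are our assumption of what sshd's StrictModes expects.

# mode_of FILE: print the octal permission bits (GNU stat, BSD fallback).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# check_mode FILE WANT: succeed only if FILE exists with exactly mode WANT.
check_mode() {
    [ -e "$1" ] || { echo "missing: $1" >&2; return 1; }
    have=$(mode_of "$1")
    [ "$have" = "$2" ] || { echo "$1 is $have, expected $2" >&2; return 1; }
}

# audit_ssh_dir DIR: apply the gotchas above to a whole .ssh directory.
audit_ssh_dir() {
    check_mode "$1" 700 &&
    check_mode "$1/id_rsa" 600 &&
    check_mode "$1/id_rsa.pub" 604
}

# install_pubkey PUBKEY AUTHKEYS: append the key line in PUBKEY to AUTHKEYS
# unless the same key material (field 2) is already present. Idempotent,
# and it never overwrites keys that are already installed.
install_pubkey() {
    pub=$1; auth=$2
    keydata=$(awk 'NR == 1 { print $2 }' "$pub")
    [ -n "$keydata" ] || { echo "no key material in $pub" >&2; return 1; }
    touch "$auth"
    if awk -v k="$keydata" '$2 == k { found = 1 } END { exit !found }' "$auth"; then
        echo "key already present in $auth"
    else
        cat "$pub" >> "$auth"
    fi
    chmod 600 "$auth"   # group/world-writable authorized_keys is rejected by sshd
}
```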

Client-side key management

To avoid the pain of typing in your SSH key passphrase over and over (and over) again, use one of the following guides: