How to set up SSH key authentication in Linux for more secure logins

Here's how easy it is to add a layer of security to your secure shell logins on Linux.
Written by Jack Wallen, Contributing Writer on

Secure Shell (SSH) is the de facto standard for gaining access to remote Linux machines. SSH took the place of telnet long ago, to add a much-needed layer of security for remote logins.

That doesn't mean, however, that the default SSH configuration is the best option for those who are a bit more concerned about the security of their systems. Out of the box, SSH works with traditional user and password logins. And even though those logins are far more secure than they were with telnet, you're still typing and sending a password across the internet. 

Should anyone intercept that password, they could access your machines (so long as they also knew your username). 

There's a much better way: SSH key authentication. With key authentication, you replace username-and-password authentication with a key pair. Why is this important? The primary reason this adds extra security is that, once the servers are configured properly for SSH key authentication, the only way to access them is by holding the private key that matches the public key on the server.

Here's how it works:

  1. You generate an SSH key.

  2. You upload the public key to a remote server.

  3. You configure SSH to only allow key authentication.

  4. You log in from a desktop that contains the private key that matches the public key on the server.

Once configured properly, the only way you'll be allowed remote access to the server is if you have the matching private key. Without that key, you cannot gain access. So long as you keep that private key private, all is well.

But how do you pull this off? Let me show you.

Requirements

To set up SSH key authentication, you'll need at least two Linux machines, one you log in to and one you log in from. I'll demonstrate with Pop!_OS as my desktop and Ubuntu Server as my remote server. This should, however, work the same on nearly any Linux distribution. You'll also need a user with sudo privileges. You'll also want to make sure you have the same username on both local and remote machines.

That's it. Let's make some SSH magic.

How to set up SSH key authentication in Linux for more secure logins

1. Open the terminal window

On your desktop operating system, open a terminal window.

2. Generate your SSH key pair

At the terminal window, generate your SSH key pair with the command:

ssh-keygen

You'll first be asked where you want to save the key. I suggest saving it to the default location, so just hit Enter when prompted. You'll then be asked to type and verify a password for the key pair (ssh-keygen calls it a passphrase). Make sure this password is strong and unique. Do not go with an empty password, as that isn't secure.

3. Copy your new public key to the remote server

Here's where it gets slightly tricky. You need to send the public key to the remote server. For that, you'll need to know the IP address of the server. You can get the IP address of the server by logging into it and running the command ip a. You should see the IP address listed. With that information in hand, go back to the desktop and send the public key to the server with the command:

ssh-copy-id SERVER

Where SERVER is the IP address of the remote server.

You'll be prompted for the password for your user on the remote server. Once you've successfully authenticated, the public key will be copied and SSH key authentication is ready. When you attempt to log into the remote server, you will now be prompted for your SSH key password and not your user password.

How to configure the remote server for SSH key authentication

Now that you have your key copied, log into the remote machine. What we're going to do now is configure the SSH server to only allow connections via SSH key authentication. One thing to keep in mind before you do this is that once it's configured, only those with SSH key authentication set up on the machine will be allowed access. Because of this, you'll want to make sure you've copied SSH keys from all the desktop machines you'll use to log into the remote server.

With that out of the way, open the SSH daemon configuration file on the remote server with the command:

sudo nano /etc/ssh/sshd_config

In that file, look for the line:

PasswordAuthentication yes

Change that line to:

PasswordAuthentication no

Save and close the file. Restart SSH with:

sudo systemctl restart sshd

Now, the only way you can successfully remote into that machine is by way of SSH key authentication. Any machine that doesn't have a matching key pair will be denied access.
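Editing sshd_config does not guarantee the running daemon agrees: sshd keeps the first value it reads for each keyword, so a file pulled in by an Include line near the top of sshd_config (for example under /etc/ssh/sshd_config.d/) can still leave password logins on. The script below is an added example, not part of the original article; it audits the effective settings as printed by sshd -T, and the function names and sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example. On a real server, feed it the effective configuration:
#   sudo sshd -t && sudo sshd -T | check_sshd_effective
# (sshd -t validates the file; sshd -T prints lowercase "keyword value" lines.)

# Reads sshd -T style text on stdin, prints one FAIL line per weak setting,
# and returns 0 only when the settings match key-only logins.
check_sshd_effective() {
    awk '
        BEGIN {
            want["passwordauthentication"] = "no"
            want["pubkeyauthentication"] = "yes"
            # With PAM, keyboard-interactive can still prompt for a password.
            want["kbdinteractiveauthentication"] = "no"
        }
        {
            key = tolower($1); val = tolower($2)
            # Older OpenSSH releases print the legacy name of this option.
            if (key == "challengeresponseauthentication")
                key = "kbdinteractiveauthentication"
            if (key in want) seen[key] = val
        }
        END {
            bad = 0
            for (k in want) {
                if (!(k in seen)) {
                    printf "FAIL %s missing from input\n", k; bad = 1
                } else if (seen[k] != want[k]) {
                    printf "FAIL %s is %s, want %s\n", k, seen[k], want[k]; bad = 1
                }
            }
            exit bad
        }
    '
}

# Constructed sample: sshd_config was edited as described above, but an
# included drop-in file set "PasswordAuthentication yes" first.
sample_overridden() {
    printf '%s\n' 'port 22' 'passwordauthentication yes' \
        'pubkeyauthentication yes' 'kbdinteractiveauthentication no'
}

# Constructed sample: the edit took effect.
sample_key_only() {
    printf '%s\n' 'port 22' 'passwordauthentication no' \
        'pubkeyauthentication yes' 'kbdinteractiveauthentication no'
}

sample_overridden | check_sshd_effective || echo "password logins still enabled"
sample_key_only | check_sshd_effective && echo "key-only logins confirmed"
```

Keep your current SSH session open and confirm a key login from a second terminal before closing it, so a mistake in the configuration cannot lock you out.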

Congratulations, you've just added another layer of security to your Linux servers. 
