Public key authentication is not only more convenient than entering a password but also far more secure. If your server or machine has SSH on the default port 22 and a public IP, on any given day it will probably receive at least 1,000 login attempts. These are all automated processes created in order to gain access to a server. They are not after your server in particular; they are after any server they can get their hands on.
When you generate a key pair you are creating a long random key, which is not easily cracked and is tied to your particular machine. Only the machine that holds the matching private key will be able to gain access.
The steps for generating a public key are rather simple. First generate a private and public key on the local machine, then copy the public key to the host. It’s that simple, but let’s go through all the steps:
1. Generate the public key
Make sure you are logged in as the user you want to generate a public key for. To generate the public and private key we are going to use the ssh-keygen command.
[joseph@home ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/joseph/.ssh/id_rsa):
Created directory '/home/joseph/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/joseph/.ssh/id_rsa.
Your public key has been saved in /home/joseph/.ssh/id_rsa.pub.
The key fingerprint is:
The key's randomart image is:
+--[ RSA 2048]----+
|E .. + |
| o. |
|. .. . |
| + o . . . S |
| . = . oS... . |
| . . .* . . |
| = .* o . |
| . = .. |
| .. ...oo |
Notice that I passed the argument -t rsa; this specifies that I want an RSA key. I also did not enter a passphrase. You may enter one if you wish: it would defeat the purpose of passwordless authentication, but it will make login more secure.
If you look at your home directory, there is now a .ssh folder. This contains your private and public key.
[joseph@home ~]$ ls -la /home/joseph/.ssh/
drwx------ 2 joseph joseph 4096 Sep 2 22:54 .
drwx------ 5 joseph joseph 4096 Sep 2 22:54 ..
-rw------- 1 joseph joseph 1675 Sep 2 22:54 id_rsa
-rw-r--r-- 1 joseph joseph 399 Sep 2 22:54 id_rsa.pub
id_rsa is your private key and id_rsa.pub your public key.
2. Prepare your host to receive the public key
To copy your public key to your host you need access to it, so of course you still need a password at this point.
In order to copy over the public key we need to create the .ssh folder on your host. Log in as your user and, in your home directory, create a .ssh folder and chmod it to 700.
[joseph@centos7 ~]$ mkdir $HOME/.ssh
[joseph@centos7 ~]$ chmod 700 $HOME/.ssh
We also need to create the authorized_keys file; this is where we will copy our public key into. This file contains all of the public keys that are authorized to log in to this machine.
[joseph@centos7 ~]$ touch $HOME/.ssh/authorized_keys
[joseph@centos7 ~]$ chmod 600 $HOME/.ssh/authorized_keys
3. Copy the public key to your host
Go back to your machine and make sure you are logged in as the user you generated the public and private keys for.
Type in the following to copy over your public key. Replace YOUR_USERNAME with your user and YOUR_HOSTNAME_OR_IP with your host’s hostname or IP. The command will ask you for your password since you haven’t yet added the public key to the host.
[joseph@home ~]$ cat $HOME/.ssh/id_rsa.pub | ssh YOUR_USERNAME@YOUR_HOSTNAME_OR_IP 'cat >> $HOME/.ssh/authorized_keys'
Your public key is now set up on your host. You can now ssh into your host without needing a password:
[joseph@home ~]$ ssh joseph@centos7
Last login: Tue Sep 2 23:17:06 2014 from 10.0.2.2
4. Optional – Delete your password from the host machine
If you want to be really secure, you can delete your password from the host. This will ensure that only the machine with the private key will have access to this user. Note that if you ever lose the private key you will lose access to the host.
[joseph@centos7 ~]$ sudo passwd -d joseph
Removing password for user vagrant.
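Steps 2 and 3 rolled into one shell function you can run on the host, added here as an example and not part of the original post: install_pubkey (a hypothetical name) creates .ssh and authorized_keys with the 700/600 permissions used above, refuses input that is not an OpenSSH public key line, and skips a key that is already present, so running it twice does not append a duplicate the way a repeated cat >> would. The demo key at the bottom is constructed and not a real key.

```sh
#!/bin/sh
# install_pubkey HOME_DIR PUBKEY_FILE
# Appends the public key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys,
# creating the directory and file with the permissions sshd expects
# (700 and 600), and leaving the file untouched if the key is already there.
install_pubkey() {
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # Take the first line only and insist it starts with a known OpenSSH key
    # type, so a stray file (or a private key pasted by mistake) is never appended.
    key=$(head -n 1 "$pubkey_file")
    case "$key" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) echo "install_pubkey: $pubkey_file is not an OpenSSH public key" >&2; return 1 ;;
    esac

    # Same layout as steps 2 and 3: 700 on .ssh, 600 on authorized_keys
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_keys" && chmod 600 "$auth_keys" || return 1

    # Match on key type and base64 blob only, so a changed trailing comment
    # does not produce a second copy of the same key
    key_id=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if awk -v k="$key_id" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth_keys"; then
        echo "install_pubkey: key already present in $auth_keys"
        return 0
    fi
    printf '%s\n' "$key" >> "$auth_keys"
}

# Demo against a temporary directory with a constructed, non-functional key
demo_dir=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal000 joseph@home\n' > "$demo_dir/id_ed25519.pub"
install_pubkey "$demo_dir/home" "$demo_dir/id_ed25519.pub"
install_pubkey "$demo_dir/home" "$demo_dir/id_ed25519.pub"   # second run: already present, nothing appended
```

On a real host, copy the function over and call it with the user's home directory and the uploaded id_rsa.pub instead of the temporary demo directory.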