Public key authentication is a more secure and convenient way of login in to a remote server compared to the conventional method of using a username and password. With Public key authentication, users generate a key pair that consist of a public key and a private key. The public key is shared with everyone but the private key remains only with the user. An SSH server that wants to allow a user to login will store that users public key in the file
~/.ssh/authorized_keys. To login to an SSH server, the user generates a digital signature using the private key. SSH server can verify whether the signature is valid using the corresponding public key and confirm the identity of the user.
You can setup public key authentication for SSH on Linux in two simple steps.
Generate a key pair using ssh-keygen. You can use RSA or DSA algorithms to generate the keys. (Default is RSA).
ssh-keygen -t rsa
You will be prompted to enter a file name to save the key. Default file name is
~/.ssh/id_rsa for RSA keys and
~/.ssh/id_dsa for keys generated using DSA algorithm.
You will also be prompted to enter a passphrase to protect the private key. If you do not enter a passphrase then anyone that has access to your computer use your private key to login to a SSH server that has the matching public key. Below is an example.
# ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/root/.ssh/id_rsa): [Enter] Enter passphrase (empty for no passphrase): [Enter] Enter same passphrase again: [Enter] Your identification has been saved in /root/.ssh/id_rsa. Your public key has been saved in /root/.ssh/id_rsa.pub. The key fingerprint is: SHA256:uzaPPHXtmzxrv4p4qHUuPaLLNxfevygM2eb2HORNqtc email@example.com The key's randomart image is: +---[RSA 2048]----+ | | | S o o . | | +.++ = | | .oOoo=.. | | ..=O+@++*E | | *O=O+=*BO+| +----[SHA256]-----+
Copy the public key to remote SSH server using ssh-copy-id
ssh-copy-id is a utility that copies your public key to a remote host. The keys are appended to the remote users
# ssh-copy-id -i ~/.ssh/id_rsa.pub user@remote_host
You will be prompted to enter the password for the user on the remote host.
The setup is now complete and you should be able to SSH to the remote host without being prompted for a password.
# ssh remote_host
If you had set a passphrase when generating the id then you will be prompted to enter that otherwise you will be logged in straight on the remote host.
If you are using Putty to SSH to a remote host from Windows, you can configure public key authentication in four simple steps.
PuTTyGen is a utility to generate public and private keys for SSH. You can find this in the PuTTy installation folder (default install location is
C:\>Program Files (x86)\PuTTY). Double-click puttygen.exe to open the utility.
First select the type of key and the number of bits in the Parameters section at the bottom of the screen and click the Generate Button.
You'll then be prompted to move the mouse on the blank area to create some randomness. The key pair will be generated soon after that.
Once the keys are generated, you can set a passphrase for the key (this is optional but highly recommended) and then click Save public key and Save private key buttons to save the keys.
Copy the public key from under the key section and paste it in the authorized_keys file on the remote SSH host.
Open PuTTy and click on Connection → SSH → Auth
Click Browse and select the Private key file that you saved in Step 2.
Then click on Session and select connection type SSH, enter remote host name and finally click Open.
At the login prompt enter the username to login. You will be prompted to enter the passphrase if you have configured one, otherwise you will be logged in to the remote host without entering a password.