Foreword
This is an updated guide for Ubuntu 12.04. You might want to check out the old guide if you are using an older version of Ubuntu. The old guide was written for Ubuntu 8.04.
This new version uses the command “service ssh reload” instead of “/etc/init.d/ssh reload”. I have also learned of a better way to test connecting via ssh without using the key file (-o PubkeyAuthentication=no, for testing purposes).
Ubuntu ssh step by step guide
1. Generate the ssh key pair on your client computer:
ssh-keygen
2. Copy the public key to the server:
scp ~/.ssh/id_rsa.pub user@10.10.10.1:
3. Connect to the server:
ssh user@10.10.10.1
4. Append the public key to authorized_keys and remove the uploaded copy:
cat id_rsa.pub >> ~/.ssh/authorized_keys
rm id_rsa.pub
5. Edit the ssh server configuration to make sure that public key authentication is enabled (it should be enabled by default):
sudo nano /etc/ssh/sshd_config
5.1 These entries must be set to yes:
RSAAuthentication yes
PubkeyAuthentication yes
6. Reload the configuration:
sudo service ssh reload
7. Disconnect from the server:
exit
8. Try connecting without the need to give the password to the ssh-client:
ssh user@10.10.10.1
You might need to give a password now to access your private key file, but you should not need to give the password to the ssh program.
9. Disable password authentication:
sudo nano /etc/ssh/sshd_config
9.1 The following settings should be set to no:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no
9.2. Reload the configuration:
sudo service ssh reload
10. Test that password authentication really is disabled:
10.1 Disconnect from the server:
exit
10.2 Try to reconnect to the server with key file authentication disabled:
ssh user@10.10.10.1 -o PubkeyAuthentication=no
This should produce a permission denied message: “Permission denied (publickey).”
Done 🙂
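The settings from steps 5.1 and 9.1 can also be checked in the file itself. The script below is an added example, not part of the original guide; the function names effective_sshd_option and audit_key_only are made up for illustration and the sample configuration is constructed.

```shell
#!/bin/sh
# Added example (not from the original guide). sshd keeps the FIRST value it
# reads for a keyword, keywords are case-insensitive, and lines after "Match"
# are conditional, so grepping for "PasswordAuthentication no" is not enough.

# Print the effective global value of keyword $2 in config file $1.
effective_sshd_option() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        /^[ \t]*#/ || /^[ \t]*$/ { next }       # comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ") }           # accept "Keyword=value" too
        tolower($1) == "match" { exit }         # end of the global section
        tolower($1) == want { print tolower($2); exit }   # first value wins
    ' "$1"
}

# Return 0 only if the file has the settings from steps 5.1 and 9.1.
# An unset keyword counts as a failure so nothing depends on defaults.
audit_key_only() {
    rc=0
    for pair in PubkeyAuthentication:yes PasswordAuthentication:no \
                ChallengeResponseAuthentication:no UsePAM:no; do
        key=${pair%%:*}; want=${pair##*:}
        got=$(effective_sshd_option "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "FAIL $key: effective '${got:-unset}', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: looks hardened at the bottom, but an earlier line wins.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
PubkeyAuthentication yes
passwordauthentication yes
ChallengeResponseAuthentication no
UsePAM no
PasswordAuthentication no
EOF
if audit_key_only "$sample"; then echo "key-only login configured"; fi
rm -f "$sample"
```

On a live server, “sudo sshd -T” prints the configuration sshd actually uses, and “sudo sshd -t” checks the file for errors before a reload. Keep the current session open until the test in step 10 has passed.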
Troubleshooting
If you ran into any problems it might help to check out the pointers in the comments of the old guide. I highly value the constructive comments that I have received, as I often learn something new from them.
Copy the public key to the server:
scp ~/.ssh/id_rsa.pub user@10.10.10.1:
Try connecting without the need to give the password to the ssh-client:
ssh user@10.10.10.1
client and server seem to have the same IP address.
Hi Larry,
Thank you for your comment. I’m however not sure that I follow you. All addresses in this guide are to the server. The address of the client is irrelevant.
With ssh-client I refer to the ssh client software, which is used to connect to the server. I hope this clears things up.
Regards,
Lani
It might be worthwhile pointing out that the key length can be chosen with the -b flag to ssh-keygen. I always use 2048-bit keys now with ssh-keygen -b 2048.
Nice tip! Thank you David 🙂
Lani – this is a great tut. Very well done.
You may wish to experiment with ssh-copy-id to append the newly generated key to the “~/.ssh/authorized_keys” on the remote server. The syntax is dead simple and generally saves a few steps. Your final step of “testing” sets your tut apart from most. Thanks for your work and the education you gave me.
example: ssh-copy-id -i someuser@somehost
The command will default to sending ~/.ssh/rsa_id.pub to the host, but you can specify any specific key file as needed.
Regarding David Gillies’ comment about the -b argument: I’m on Ubuntu 12.04 and ssh-keygen appears to default to 2048. See “man ssh-keygen”: “For RSA keys, the minimum size is 768 bits and the default is 2048 bits.”
Thanks again.
Lani – Looking at my previous post it just doesn’t convey how impressed I was with the step by step layout of your tutorial. It was the very best I could find. You have a marvelous attention to detail and a casual, but extremely informative style. Thank you very much for the time and effort you put into this.
Thank you very much Dana for both your comments! I will check out the ssh-copy-id command when I can. Thank you for the tip and taking time to comment 🙂
Thanks. interesting, informative and well organized with minimal clutter.
Very well done, it helped me a lot!
Well, done. Thanks a lot.
I will also check out Dana’s ssh-copy-id command next time, since it was a bit of fiddling with permissions and users when setting it up (.ssh and .ssh/authorized_keys did not exist after adding my user on the server).
I simply created them and everything went fine.
ssh-copy-id is easier than scp and less dangerous.
Check this:
http://yourtoolbox.blogspot.com.es/2012/08/ssh-connection-with-no-password.html
Hi Sergio,
Thank you for your comment.
As you can see Dana Byrd already had pointed this out, and it sure looks like a better way of doing it. But I understand that you also wanted to promote your own blog 😉
Regards,
Lani
Here is a one-liner :
# Install the uploaded public key for the current user
mkdir -p .ssh && touch .ssh/authorized_keys && cat id_rsa.pub >> .ssh/authorized_keys && rm id_rsa.pub
# Disable PasswordAuthentication and force PubkeyAuthentication.
# One sed run, so sshd_config.bak stays a copy of the original file.
sed -i.bak \
  -e 's/^#\{0,1\}\(RSAAuthentication\).*/\1 yes/' \
  -e 's/^#\{0,1\}\(PubkeyAuthentication\).*/\1 yes/' \
  -e 's/^#\{0,1\}\(ChallengeResponseAuthentication\).*/\1 no/' \
  -e 's/^#\{0,1\}\(PasswordAuthentication\).*/\1 no/' \
  -e 's/^#\{0,1\}\(UsePAM\).*/\1 no/' \
  /etc/ssh/sshd_config
service ssh reload
ssh-copy-id did it for me (using termux on android to ssh into ubuntu 14.04)