Generate a ssh key and disable password authentication on the Ubuntu 12.04 (Precise Pangolin) server

Foreword

This is an updated guide for Ubuntu 12.04. You might want to check out the old guide if you are using an older version of Ubuntu. The old guide was written for Ubuntu 8.04.

This new version is updated with the command “service ssh reload” instead of “/etc/init.d/ssh reload”. And I have also learned of better way to test connecting via ssh without using the key file (-o PubkeyAuthentication=no, for testing purposes).

Ubuntu ssh step by step guide

1. Generate the ssh key pair on your client computer:
ssh-keygen

2. Copy the public key to the server:
scp ~/.ssh/id_rsa.pub user@10.10.10.1:

3. Connect to the server:
ssh user@10.10.10.1

4. Append the public key to authorized_keys and remove the uploaded copy:
cat id_rsa.pub >> ~/.ssh/authorized_keys
rm id_rsa.pub

5. Edit the ssh server configuration to make sure that public key authentication is enabled (it should be enabled by default):
sudo nano /etc/ssh/sshd_config

5.1 These entries must be set to yes:
RSAAuthentication yes
PubkeyAuthentication yes

6. Reload the configuration:
sudo service ssh reload

7. Disconnect from the server:
exit

8. Try connecting without the need to give the password to the ssh-client:
ssh user@10.10.10.1

You might need to give a password now to access your private key file, but you should not need to give the password to the ssh program.

9. Disable password authentication:
sudo nano /etc/ssh/sshd_config

9.1 The following settings should be set to no:
ChallengeResponseAuthentication no
PasswordAuthentication no
UsePAM no

9.2. Reload the configuration:
sudo service ssh reload

10. Test that password authentication really is disabled:
10.1 Disconnect from the server:
exit

10.2 Try to reconnect to the server with key file authentication disabled:

ssh user@10.10.10.1 -o PubkeyAuthentication=no

This should produce a permission denied message: “Permission denied (publickey).”

Done 🙂

Troubleshooting

If you ran into any problems it might help to check out the pointers in the comments of the old guide. I highly value the constructive comments that I have received, as I often learn something new from them.

 

Advertisements

14 thoughts on “Generate a ssh key and disable password authentication on the Ubuntu 12.04 (Precise Pangolin) server

    1. lani78 Post author

      Hi Larry,

      Thank you for your comment. I’m however not sure that I follow you. All addresses in this guide are to the server. The address of the client is irrelevant.

      With ssh-client I refer to the ssh client software, which is used to connect to the server. I hope this clear things up.

      Regards,
      Lani

      Reply
  1. Dana Byrd

    Lani – this is a great tut. Very well done.

    You may wish to experiment with ssh-copy-id to append the newly generated key to the “~/.ssh/authorized_keys” on the remote server. The syntax is dead simple and generally saves a few steps. Your final step of “testing” sets your tut apart from most. Thanks for your work and the education you gave me.
    example: ssh-copy-id -i someuser@somehost
    The command will default to sending ~/.ssh/rsa_id.pub to the host, but you can specify any specific key file as needed.

    Regarding David Gillies comment about the -b argument. I’m on Ubuntu 12.04 and ssh-keygen appears to default to 2048. See “man ssh-keygen” “For RSA keys, the minimum size is 768 bits and the default is 2048 bits.”

    Thanks again.

    Reply
    1. Dana Byrd

      Lani – Looking at my previous post it just doesn’t convey how impressed I was with the step by step layout of your tutorial. It was the very best I could find. You have a marvelous attention to detail and a casual, but extremely informative style. Thank you very much for the time and effort you put into this.

      Reply
      1. lani78 Post author

        Thank you very much Dana for both your comments! I will check out the ssh-copy-id command when I can. Thank you for the tip and taking time to comment 🙂

  2. rforge

    Well, done. Thanks a lot.

    I will also check out Dana’s ssh-copy-id command next time, since it was a bit fidling with permission and users when setting it up (.ssh and .ssh/authorized_keys did not exist after adding my user on the server)

    I simply created them and everything went fine.

    Reply
    1. lani78 Post author

      Hi Sergio,

      Thank you for your comment.

      As you can see Dana Byrd already had pointed this out, and it sure looks like a better way of doing it. But I understand that you also wanted to promote your own blog 😉

      Regards,
      Lani

      Reply
  3. qkdreyer

    Here is a one-liner :

    # Disable PasswordAuthentication and Force PubkeyAuthentication
    mkdir -p .ssh && touch .ssh/authorized_keys && cat id_rsa.pub >> .ssh/authorized_keys && rm id_rsa.pub
    sed -i.bak ‘s/^#\{0,1\}\(RSAAuthentication\).*/\1 yes/’ /etc/ssh/sshd_config
    sed -i.bak ‘s/^#\{0,1\}\(PubkeyAuthentication\).*/\1 yes/’ /etc/ssh/sshd_config
    sed -i.bak ‘s/^#\{0,1\}\(ChallengeResponseAuthentication\).*/\1 no/’ /etc/ssh/sshd_config
    sed -i.bak ‘s/^#\{0,1\}\(PasswordAuthentication\).*/\1 no/’ /etc/ssh/sshd_config
    sed -i.bak ‘s/^#\{0,1\}\(UsePAM\).*/\1 no/’ /etc/ssh/sshd_config
    service ssh reload

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s