OpenSSH : SSH Key-Pair Authentication2024/12/19 |
|
Configure SSH server to login with Key-Pair Authentication. |
|
| [1] | Key pairs are created by each user, so the user who creates the key pair log in to any client computer and work as that user. |
|
# create key-pair [cent@client ~]$ ssh-keygen Generating public/private ed25519 key pair. Enter file in which to save the key (/home/cent/.ssh/id_ed25519): # Enter or input changes if you want Enter passphrase for "/home/cent/.ssh/id_ed25519" (empty for no passphrase): # set passphrase (if set no passphrase, Enter with empty) Enter same passphrase again: Your identification has been saved in /home/cent/.ssh/id_ed25519 Your public key has been saved in /home/cent/.ssh/id_ed25519.pub The key fingerprint is: SHA256:SDnILWXo7aKWGF4trcAUabqmjOkesMICFPHrFmotTo0 cent@dlp.srv.world The key's randomart image is: ..... .....[cent@client ~]$ ll ~/.ssh total 16 -rw-------. 1 cent cent 464 Dec 19 12:21 id_ed25519 -rw-r--r--. 1 cent cent 100 Dec 19 12:21 id_ed25519.pub -rw-------. 1 cent cent 846 Dec 19 11:05 known_hosts -rw-r--r--. 1 cent cent 98 Dec 19 11:05 known_hosts.old # copy the SSH public key you created to the server you want to log in to [cent@client ~]$ ssh-copy-id dlp.srv.world
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/cent/.ssh/id_ed25519.pub"
The authenticity of host 'dlp.srv.world (10.0.0.30)' can't be established.
ED25519 key fingerprint is SHA256:J+vZJY0TVtOpQlJ/8u3M7CIqH72jy40/e/ucmxm7Lmg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
cent@dlp.srv.world's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'dlp.srv.world'"
and check to make sure that only the key(s) you wanted were added.
# verify whether you can log in to the server to which you copied the public key using key authentication [cent@client ~]$ ssh dlp.srv.world hostname
Enter passphrase for key '/home/cent/.ssh/id_ed25519': # if you set a passphrase, enter it
dlp.srv.world
|
| [2] | If you use key pair authentication, you can make your server more secure by disabling password authentication on the SSH server side as follows. |
|
[root@dlp ~]#
vi /etc/ssh/sshd_config # line 65, 69 : uncomment and change to [no] PasswordAuthentication no ..... ..... KbdInteractiveAuthentication no
systemctl restart sshd |
|
SSH Key-Pair Authentication on Windows Client #1
|
|
This is the example to login to SSH server from Windows Client. |
|
| [3] | Run [Puttygen.exe] that is included in [Putty]. (placed in the folder [Putty.exe] is also placed) If not included, Download it from official site (www.chiark.greenend.org.uk/~sgtatham/putty/). After starting [Puttygen.exe], Click [Load] button on the following window. |
|
| [4] | Specify the private key that you transferred from SSH server, then passphrase is required like follows, answer it. (if not set passphrase, this step is skipped) |
|
| [5] | Click [Save private key] button to save it under a folder you like with any file name you like. |
|
| [6] | Start Putty and Open [Connection] - [SSH] - [Auth] - [Credentials] on the left pane, then specify your private key on the [Private key file] field. |
|
| [7] | Back to the [Session] on the left pane and specify your SSH server host to Connect. |
|
| [8] | When SSH key-pair is set, the passphrase if it is set is required to login like follows, then answer it. |
|
|
SSH Key-Pair Authentication on Windows #2
|
| [9] | On Windows 11, OpenSSH Client has been implemented as a Windows feature, so it's possible to authenticate with SSH Key-Pair without Putty and other 3rd party softwares. Transfer your private key to your Windows 11 and put it under the [(logon user home).ssh] folder like follows, then it's ready to use Key-Pair authentication. |
|
Matched Content