Introduction
In this lab, you will learn how to configure and use SSH public key authentication to securely connect to a remote Linux server. This method enhances security and convenience by replacing traditional password-based logins with a cryptographic key pair. You will create a private key, which remains secret on your local machine, and a public key, which is placed on the server to authorize your access.
The process involves three main steps. First, you will use the ssh-keygen command to generate a new RSA key pair for a demonstration user, adding an extra layer of security with a passphrase. Next, you will securely copy the public key to the remote server's authorized keys file using the ssh-copy-id utility. Finally, you will test the configuration by logging into the server via SSH, which will now use your key pair for authentication instead of a password.
Create a Demonstration User and Generate an RSA Key Pair
In this step, you will first create a dedicated user account for demonstrating SSH public key authentication, then generate an RSA cryptographic key pair. This approach ensures we have a clean environment for the demonstration without affecting existing user configurations.
Create the Demonstration User
First, let's create a new user named sshuser that will be used for our SSH demonstration:
sudo adduser sshuser
You will be prompted to set a password and provide user information. For this lab, use password123 as the password. You can press Enter to skip the optional fields (Full Name, Room Number, etc.).
Adding user `sshuser' ...
Adding new group `sshuser' (1001) ...
Adding new user `sshuser' (1001) with group `sshuser' ...
Creating home directory `/home/sshuser' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for sshuser
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y
Generate the RSA Key Pair
Now, let's switch to the sshuser account to generate the key pair. This ensures the keys are created in the correct user's home directory:
sudo su - sshuser
You are now operating as sshuser. Generate an RSA key pair with the ssh-keygen command. The -t flag selects the key type, here rsa; current OpenSSH releases create a 3072-bit RSA key by default, which is what the output below reflects. (Ed25519 keys, created with -t ed25519, are smaller and generally preferred for new deployments, but this lab keeps RSA.)
ssh-keygen -t rsa
After running the command, you will be prompted for a location to save the keys. The default location is ~/.ssh/id_rsa, which is inside a hidden directory named .ssh in the user's home directory. Press Enter to accept this default location.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sshuser/.ssh/id_rsa):
Next, you will be asked to enter a passphrase. The passphrase encrypts the private key file on disk, so a copy of the file alone is useless to anyone who does not also know it; it is checked locally by the ssh client when the key is loaded and is never sent to the server. For this lab, use sshkey-password as the passphrase. You will need to enter it twice.
Note: When you type the passphrase, you will not see any characters on the screen. This is a standard security feature.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sshuser/.ssh/id_rsa
Your public key has been saved in /home/sshuser/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:<FINGERPRINT_STRING> sshuser@ubuntu
The key's randomart image is:
+---[RSA 3072]----+
| .. . .o.. |
| . . . o.. |
| . . = . . |
| . B o . |
| S= * . |
| o*B o . |
| .oO=B . . |
| .o+*+oE. . |
| .o*o=o.o. |
+----[SHA256]-----+
Now that the keys are generated, you can verify that the files were created correctly. Use the ls -l command to list the contents of the ~/.ssh directory:
ls -l ~/.ssh
You should see an output similar to the following, showing your new key files:
total 8
-rw------- 1 sshuser sshuser 2610 Jun 30 10:30 id_rsa
-rw-r--r-- 1 sshuser sshuser 575 Jun 30 10:30 id_rsa.pub
Notice the file permissions. The private key id_rsa is readable and writable only by its owner (mode 600); the ssh client refuses to use a private key that other users can read. The public key id_rsa.pub is world-readable, which is fine, since it is meant to be shared. The ~/.ssh directory itself should be accessible only by its owner (mode 700). Protect the private key: it never needs to leave this machine, and it is never copied to the server.
Copy the Public Key to the Server using ssh-copy-id
In this step, you will copy the public key you generated in the previous step to the SSH server. This action authorizes the key, allowing you to log in using the corresponding private key instead of a password. The ssh-copy-id utility is a script that simplifies this process by installing your key in the correct location on the server.
For this lab, we will simulate a client-server interaction on a single machine. The sshuser account will act as both the client and the target account for the SSH connection.
Make sure you are still operating as the sshuser account. If you've returned to the labex user, switch back:
sudo su - sshuser
Now you are ready to copy the public key. The ssh-copy-id command takes the remote user and host as an argument. We will use sshuser@localhost to specify the user sshuser on the local machine (acting as the server).
Execute the command:
ssh-copy-id sshuser@localhost
Since this is the first time connecting to localhost over SSH, you will be asked to confirm the server's host key. In a real deployment, compare the fingerprint shown with the one the server administrator published out of band before answering; accepting an unverified fingerprint is exactly the step a man-in-the-middle attack relies on. Here the server is this same machine, so the fingerprint can be checked against the public host key files in /etc/ssh. Type yes to continue:
The authenticity of host 'localhost (::1)' can't be established.
ED25519 key fingerprint is SHA256:<FINGERPRINT_STRING>.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
The utility then chooses the public key to install (without the -i option it uses keys held by ssh-agent, or otherwise the most recently modified ~/.ssh/id*.pub, here id_rsa.pub) and prompts for the account's password, because the key is not yet authorized and this is the last time the password is needed. Enter the password password123 that you set when creating the user.
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
sshuser@localhost's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'sshuser@localhost'"
and check to make sure that only the key(s) you wanted were added.
The output confirms that one key was added. ssh-copy-id creates the ~/.ssh directory on the server if it doesn't exist and appends your public key to ~/.ssh/authorized_keys, creating both with owner-only permissions; sshd ignores an authorized_keys file that other users can write to (the StrictModes check). Because client and server are the same account in this lab, the authorized_keys file lands in the same ~/.ssh directory as your key pair.
To confirm this, view the contents of the authorized_keys file. It should contain a single line identical to the contents of id_rsa.pub.
cat ~/.ssh/authorized_keys
The output is one long line, your public key. Each line of authorized_keys is one authorized key: optional restrictions (none here), the key type, the base64-encoded key material, and a free-text comment.
ssh-rsa AAAA...[long key string]...== sshuser@ubuntu
Test the SSH Login with Public Key Authentication
In this final step, you will test the new configuration to ensure that public key authentication is working correctly. You will attempt to log in to the SSH server using the key pair you created. Instead of being prompted for your user password, you should be prompted for the passphrase you set for your private key.
Make sure you are still operating as the sshuser account:
whoami
You should see sshuser as the output. If not, switch back to the sshuser account:
sudo su - sshuser
Now, let's initiate an SSH connection to localhost. Because you accepted the host key during the key copy, it is recorded in ~/.ssh/known_hosts and you won't be prompted again; if the prompt does reappear, the server's host key has changed or you are talking to a different host.
Execute the following command to connect:
ssh sshuser@localhost
You will be prompted to enter the passphrase for your private key. This is the passphrase you created in Step 1 (sshkey-password).
Enter passphrase for key '/home/sshuser/.ssh/id_rsa':
Enter your passphrase, sshkey-password, and press Enter. If you entered it correctly, you will be logged into the server and see a welcome message.
Welcome to Ubuntu 22.04.x LTS (GNU/Linux x.x.x-xx-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Mon Jun 30 10:45:23 2024 from ::1
sshuser@ubuntu:~$
Congratulations! You have successfully logged in using public key authentication and are now in a new SSH session. Notice that you were not prompted for the user account password (password123), only for the key passphrase, which unlocked the private key locally so the client could prove possession of it to the server. Two caveats: the server still accepts passwords, since the client merely tried the key first; disabling password logins requires PasswordAuthentication no in the server's sshd_config, which this lab does not change. And because the passphrase is checked on the client, the prompt you saw is no evidence of what the server did; when in doubt, run ssh with -v and look for the publickey method in the authentication messages.
To verify that you're in a new SSH session, you can check the environment:
echo $SSH_CONNECTION
This prints the client address and port followed by the server address and port (both ::1 here), confirming that you are in an SSH session rather than the original shell.
To close the SSH session and return to your original terminal, simply type exit and press Enter.
exit
You will see a message confirming that the connection has been closed.
logout
Connection to localhost closed.
Finally, you can exit from the sshuser account to return to the labex user:
exit
You have now successfully configured and tested SSH public key authentication using a dedicated demonstration user.
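The three steps above leave a key pair, an authorized_keys entry and a set of permission bits that sshd and the ssh client both police. The script below is an added example, not part of the lab, that checks those artifacts offline and then offers a live login check that cannot be masked by a password fallback. The function names (key_authorized, check_perms, key_login_works) are the example's own; it assumes GNU stat (Linux), and the demo at the bottom runs only on constructed placeholder files with made-up key blobs, never on real key material.

```shell
#!/usr/bin/env sh
# Added example (not from the lab): sanity checks for an SSH public key setup.
# Assumes GNU stat. The demo uses constructed placeholder files only.

# key_authorized PUBKEY_FILE AUTHORIZED_KEYS
# Succeeds if the key type and base64 blob from PUBKEY_FILE appear on some
# line of AUTHORIZED_KEYS. The comment and any option prefix such as
# 'command="...",no-pty' are ignored, so this still matches where a plain
# diff against id_rsa.pub would report a difference.
key_authorized() {
  local key_type key_blob
  read -r key_type key_blob _ < "$1" || return 2
  [ -n "$key_type" ] && [ -n "$key_blob" ] || return 2
  awk -v t="$key_type" -v b="$key_blob" '
    /^[ \t]*#/ { next }
    { for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == b) found = 1 }
    END { exit found ? 0 : 1 }' "$2"
}

# check_perms SSH_DIR
# Reports the mode bits the ssh client (private key) and sshd with
# StrictModes (directory, authorized_keys) refuse to work with.
check_perms() {
  local ssh_dir=$1 rc=0 mode f
  mode=$(stat -c %a "$ssh_dir") || return 2
  if [ "$mode" != 700 ]; then echo "WARN: $ssh_dir is mode $mode, want 700"; rc=1; fi
  for f in "$ssh_dir"/id_*; do
    [ -f "$f" ] || continue
    case $f in *.pub) continue ;; esac          # public halves may be 644
    mode=$(stat -c %a "$f")
    if [ "$mode" != 600 ]; then echo "WARN: private key $f is mode $mode, want 600"; rc=1; fi
  done
  if [ -f "$ssh_dir/authorized_keys" ]; then
    mode=$(stat -c %a "$ssh_dir/authorized_keys")
    case $mode in
      600|644) ;;
      *) echo "WARN: authorized_keys is mode $mode, want 600"; rc=1 ;;
    esac
  fi
  return $rc
}

# key_login_works USER@HOST [IDENTITY_FILE]
# Live check against a real sshd (not run by the demo). PreferredAuthentications
# stops the client from falling back to a password prompt, so success proves the
# key was accepted, not the password. BatchMode refuses to prompt at all, so load
# a passphrase-protected key into ssh-agent (ssh-add) before calling this.
key_login_works() {
  ssh -o BatchMode=yes -o PreferredAuthentications=publickey \
      -o StrictHostKeyChecking=yes -o ConnectTimeout=5 \
      ${2:+-i "$2"} "$1" true
}

# Demo on constructed files: the blobs below are placeholders, not real keys.
demo() {
  local d
  d=$(mktemp -d) || return 1
  mkdir -m 700 "$d/.ssh"
  printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERBLOB sshuser@ubuntu\n' \
    > "$d/.ssh/id_ed25519.pub"
  # Same key as installed on a server, with restrictions an admin might add later.
  printf 'no-pty,from="10.0.0.0/8" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERBLOB sshuser@ubuntu\n' \
    > "$d/.ssh/authorized_keys"
  chmod 600 "$d/.ssh/authorized_keys"
  printf 'placeholder private key\n' > "$d/.ssh/id_ed25519"
  chmod 644 "$d/.ssh/id_ed25519"     # deliberately wrong, to trigger the warning
  if key_authorized "$d/.ssh/id_ed25519.pub" "$d/.ssh/authorized_keys"; then
    echo "key is present in authorized_keys"
  else
    echo "key is NOT in authorized_keys"
  fi
  check_perms "$d/.ssh" || echo "fix the permissions above before testing the login"
  rm -rf "$d"
}
demo
```

Against the lab's real setup, run `check_perms ~/.ssh` as sshuser, then `ssh-add ~/.ssh/id_rsa` followed by `key_login_works sshuser@localhost`; a non-zero exit there means the server did not accept the key, a failure that an interactive ssh would quietly hide behind a password prompt.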
Summary
In this lab, you learned how to configure and use SSH public key authentication so that a login to a Linux server no longer depends on the account password. You started by creating a dedicated demonstration user (sshuser) to keep the key-based setup separate from existing accounts. Then you generated an RSA key pair with the ssh-keygen command: a private key, which stays on the client and is encrypted with a passphrase, and a corresponding public key.
Next, you used the ssh-copy-id utility to install the public key in the server account's ~/.ssh/authorized_keys file, which is what authorizes the key pair for access; this was the one step that still required the account password. Finally, you tested the configuration by opening an SSH session to the server. You were asked only for the key passphrase, which unlocks the private key locally, and the server accepted the key instead of asking for the account password, confirming that public key authentication is working. The server still permits password logins until sshd is configured otherwise.