To authenticate with keys on an SSH session, we need a keypair first. This contains a public and a private key part. The public part must be copied to the SSH server, the private part resides on your user homedir.
ssh-keygen -t rsa -b 4096
This will ask you for the destination of the keyfiles. The file with the extension .pub will be the public key part.
Enter file in which to save the key (/home/<user>/.ssh/id_rsa):
You can leave the default (press Enter-key), of type another file name, i.e. my-ssh-key. Without a path it will be stored into the current working directory. Now you should secure your private key with an additional keyphrase, which you have to enter on every access to the key. Type it twice and don't forget it. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in my-ssh-key Your public key has been saved in my-ssh-key.pub The key fingerprint is: SHA256:Kg4elHNG8TwLIYjTfX7yRz7h0dmVHY7FUx5krwwQjEA user@hostname The key's randomart image is: +---[RSA 4096]----+ |.o..+E. o. o++| |+ ...=.. .. .+oo| | . oo+ . . *.= | | o .oo. = o * | | + o .+S+ + o | | . + .. = o . | | o . . . . o | | . + . | | . . | +----[SHA256]-----+
You can move both files into /home/<user>/.ssh/. If the folder doesn’t exist, create it:
mkdir -p ~/.ssh chmod 700 ~/.ssh mv my-ssh-key ~/.ssh/. chmod 600 ~/.ssh/my-ssh-key chmod 644 ~/.ssh/my-ssh-key.pub
The file permission must be set correctly. Now its time to copy the public key part to the SSH server. You need a working user account there, which can bee reached with a password login.
ssh-copy-id -i ~/.ssh/my-ssh-key user@ssh-hostname
This will copy the content of the my-ssh-key.pub into ~/.ssh/authorized_keys on the SSH server. If you don’t have access to the account (because the SSH server prevents password-based login), ask your administrator. If your keybased login doesn’t work, try on client side
ssh -vvv user@ssh-hostname
to see, what’s going on. It tries some private key names, but the name my-ssh-key (see above) will not used. So we have to configure this in a special file named “config” within ~/.ssh.
cd ~/.ssh touch config chmod 644 config
type some SSH parameters into that file.
host <ssh-hostname> Hostname <ssh-hostname> Port 22 IdentityFile ~/.ssh/my-ssh-key ForwardX11 yes
Replace <ssh-hostname> with the correct name. The important part is IdentityFile, which points to your SSH private key part. ForwardX11 is optional and allows a display redirection from the server to the client for X-based applications. Save the file and try it again:
ssh user@ssh-hostname
This should now ask for the passphrase of the correct key my-ssh-key.
Enter passphrase for key '/home/<user>/.ssh/my-ssh-key':