
SSH Key Authentication Configuration

Makoto Morinaga
Author

SSH provides password authentication by default, but for enhanced security, key-based authentication is recommended.

This post explains how to configure SSH key authentication from a Mac client to an Arch Linux server.

Prerequisites

Ensure that SSH password authentication is already set up. If not, refer to Basic SSH Configuration.

Generating SSH Keys

Create the ~/.ssh Directory on the Client

Open a terminal on the client PC and check whether the ~/.ssh directory exists:

Terminal
ls -ld ~/.ssh

If the directory does not exist, create it and set the appropriate permissions:

Terminal
mkdir ~/.ssh
chmod 700 ~/.ssh

Generate SSH Key Pair

Ed25519 is recommended for security and efficiency. Generate the key pair using:

Terminal
ssh-keygen -t ed25519

When prompted:

  • Press Enter to accept the default file location (~/.ssh/id_ed25519).
  • Enter a passphrase for added security.

Verify that the private key (id_ed25519) and the public key (id_ed25519.pub) exist:

Terminal
ls ~/.ssh

Deploying the Public Key to the Server

Create the Authorized Keys File on the Server

Log in to the server using SSH with password authentication:

Terminal
ssh -p <PORT> <USER>@<SERVER_IP>

Create the ~/.ssh directory and authorized_keys file if they do not exist:

Terminal
mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
exit

Transfer the Public Key

Use scp to securely copy the public key from the client to the server:

Terminal
scp -P <PORT> ~/.ssh/id_ed25519.pub <USER>@<SERVER_IP>:.ssh/

Then, log in to the server and append the public key to authorized_keys:

Terminal
ssh -p <PORT> <USER>@<SERVER_IP>
cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys
rm -rf ~/.ssh/id_ed25519.pub
exit

Verifying SSH Key Authentication

Attempt to connect using key authentication:

Terminal
ssh -p <PORT> <USER>@<SERVER_IP>

Enter the passphrase if prompted.

Disabling Password Authentication

Modify the SSH Daemon Configuration

Edit the SSH daemon configuration on the server:

Terminal
sudo vim /etc/ssh/sshd_config

Set the following options:

/etc/ssh/sshd_config
PasswordAuthentication no
ChallengeResponseAuthentication no

Restart the SSH Service

Apply the changes by restarting SSH:

Terminal
sudo systemctl restart sshd.service

Confirm Password Authentication is Disabled

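Before logging out of the server, open a new terminal on the client and attempt to connect without the key. Because the client offers the key in ~/.ssh automatically, turn public key authentication off for this one attempt:

Terminal
ssh -p <PORT> -o PubkeyAuthentication=no <USER>@<SERVER_IP>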

If password authentication is disabled correctly, you should see:

Permission denied (publickey).

Then, try logging in with key authentication, entering the passphrase when prompted.
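
Editing sshd_config does not by itself prove the setting took effect, because sshd uses the first value it obtains for each keyword. The script below is an added example, not part of the original post: it checks the effective settings printed by `sshd -T` and the permissions set earlier. The function names and the sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Function names are hypothetical.

# Reads `sshd -T` output (effective settings, keywords lowercased) on stdin.
# Succeeds only if password and keyboard-interactive logins are off and
# public-key authentication is on. Accepts the older keyword name
# challengeresponseauthentication as well as kbdinteractiveauthentication.
check_sshd_effective() {
    awk '
        $1 == "passwordauthentication" { pw = $2 }
        $1 == "pubkeyauthentication"   { pk = $2 }
        $1 ~ /^(kbdinteractive|challengeresponse)authentication$/ {
            if (kbd != "yes") kbd = $2      # any "yes" wins
        }
        END {
            if (pw  != "no")  { print "FAIL: passwordauthentication=" pw; bad = 1 }
            if (kbd != "no")  { print "FAIL: keyboard-interactive=" kbd; bad = 1 }
            if (pk  != "yes") { print "FAIL: pubkeyauthentication=" pk; bad = 1 }
            exit (bad ? 1 : 0)
        }'
}

# True if PATH has exactly MODE. find -perm is POSIX, so this works on both
# the Mac client and the Arch server (their stat flags differ).
has_mode() { [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]; }

# Checks the modes this post sets: 700 on the directory, 600 on authorized_keys.
check_ssh_perms() {
    has_mode "$1" 700 || { echo "FAIL: $1 is not mode 700"; return 1; }
    has_mode "$1/authorized_keys" 600 ||
        { echo "FAIL: $1/authorized_keys is not mode 600"; return 1; }
}

# Constructed sample of the relevant `sshd -T` lines (not real server output).
SAMPLE_SSHD_T='port 22
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no'

printf '%s\n' "$SAMPLE_SSHD_T" | check_sshd_effective && echo "sample: OK"
# On the server: sudo sshd -T | check_sshd_effective && check_ssh_perms ~/.ssh
```

Running `sudo sshd -t` before the restart also catches syntax errors in sshd_config while the current session is still open.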

Appendix

To simplify SSH connections, consider configuring an alias in ~/.ssh/config. For details, refer to Managing SSH Connections with ~/.ssh/config.
