Set Up SSH Keys on CentOS 7 - Step by Step Process

SSH (Secure Shell) is an encrypted protocol used to communicate securely between a client system and a server. You can use it to perform administrative tasks, connect to your system remotely and access files. Authenticating with SSH keys is a very secure way to communicate with a server, and it is more convenient than password authentication.

Here at LinuxAPT, as part of our Server Management Services, we regularly help our customers with SSH-related queries.

In this context, we shall look into how to create SSH keys on a CentOS 7 system and how to copy the public key to a server in different ways.


How to Create SSH Keys on CentOS?

i. Before proceeding with this configuration procedure, ensure that you are using a user with sudo privileges.

ii. Then start by generating a key pair on the client system using the command below:

$ ssh-keygen

By default, ssh-keygen will generate a 2048-bit RSA key pair.

iii. You can also create a larger 4096-bit key by passing the -b 4096 flag as shown below:

$ ssh-keygen -t rsa -b 4096

It will show output as below:

Output
Generating public/private rsa key pair.
Enter file in which to save the key (/home/yourusername/.ssh/id_rsa):

iv. Press the Enter key to save the key pair in the ~/.ssh directory, which is the default location, or specify a location of your choice.

After that, you will be prompted to enter a secure passphrase as below. It's a best practice to set a passphrase, which adds an extra security layer to your keys. It is optional, so you can skip it by just hitting the Enter key.

Output
Enter passphrase (empty for no passphrase):

It will generate output like the following:

Your identification has been saved in /home/yourusername/.ssh/id_rsa.
Your public key has been saved in /home/yourusername/.ssh/id_rsa.pub.

The key fingerprint is:

SHA256:Vh9pii66/e/md3LLJUuUILZuz37uGg8Yeokkdv7xwCE linuxapt@local.linuxapt
The key's randomart image is:
+---[RSA 4096]----+
|                 |
|             .   |
|          + =    |
|         + * o . |
|      o E = . o  |
|     . B * = .   |
|      . = X o o .|
|     o . +.*o*++ |
|    o....==o*OB. |
+----[SHA256]-----+

Your public and private keys are now ready to use for authenticating with your CentOS server.

You can also verify that the files were generated by typing:

$ ls ~/.ssh/id_*

It will show output like this:

/home/yourusername/.ssh/id_rsa /home/yourusername/.ssh/id_rsa.pub


How to Copy the Public Key to CentOS Server?

Here, we will place the public key on our CentOS server. A fast and simple way to copy the public key is the ssh-copy-id utility.

i. Execute the command below:

$ ssh-copy-id username@server_ip_address

You will be prompted to enter the password for your username:

Output
username@server_ip_address's password:

Once the user is authenticated successfully, the public key will be appended to the remote user's ~/.ssh/authorized_keys file and the connection will be closed:

Output
Number of key(s) added: 1

ii. Now you can try logging in to your machine with the command ssh username@server_ip_address and check that only the key(s) you wanted were added.

If your client system doesn't have the ssh-copy-id utility installed, you can use the following command to copy the public key:

$ cat ~/.ssh/id_rsa.pub | ssh remote_username@server_ip_address "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Make sure that you have password-based SSH access to your server.
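
The manual fallback above appends without checking for duplicates and leaves file modes to the remote umask; with sshd's default StrictModes setting, a group- or world-writable ~/.ssh or authorized_keys causes the key to be ignored. The following is an added example, not part of the original article, of a helper that installs a public key idempotently with the expected modes. The function name install_pubkey and its arguments are assumptions.

```bash
# Added example: idempotent, permission-safe alternative to "cat >> authorized_keys".
# install_pubkey and its arguments are hypothetical names, not part of OpenSSH.

# install_pubkey PUBKEY_FILE HOME_DIR
#   returns 0 = key added, 1 = key already present, 2 = input rejected
install_pubkey() {
    local pubkey_file="$1" home_dir="$2"
    local ssh_dir auth key material
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"

    [ -r "$pubkey_file" ] || return 2
    # A .pub file holds exactly one line: "<type> <base64> [comment]".
    [ "$(wc -l < "$pubkey_file")" -le 1 ] || return 2
    key=$(head -n 1 "$pubkey_file")

    # Reject anything that is not a bare public key line, so a private key
    # file is never appended by mistake.
    printf '%s\n' "$key" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' \
        || return 2

    # sshd with StrictModes (the default) ignores keys when these paths are
    # writable by group or others, so set the modes explicitly.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 2
    touch "$auth" && chmod 600 "$auth" || return 2

    # Compare key type and key material only; the trailing comment may differ.
    material=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$auth" | grep -qxF -- "$material"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$auth"
    return 0
}
```

Run it on the server as the target user, for example install_pubkey /tmp/id_rsa.pub "$HOME" after transferring the .pub file.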


How to Login to the Server using SSH Keys?

Now, you should be able to log in to the remote machine without the remote user's password.

i. Try to connect using the ssh command:

$ ssh username@server_ip_address

If you are logging in for the first time, it may prompt you as follows.

ii. Type yes and hit the Enter key to continue:

Output
The authenticity of host '192.168.43.9 (192.168.43.9)' can't be established.
ECDSA key fingerprint is ed:ed:f4:g9:66:ge:53:48:e1:55:00:fd:6d:d7:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

Now, if you haven't set a passphrase for your key, you will be logged in immediately without being asked for one. Otherwise you will be asked to enter the passphrase. After successful authentication, a new shell session will open under your user account on the CentOS server.


How to Disable SSH Password Authentication?

Disabling password authentication for SSH adds one more security layer. Before starting, make sure that you are able to authenticate to your server without entering a password and that you have a sudo-enabled user account.

i. Try to log in to your server using ssh:

$ ssh username@server_ip_address

ii. Now edit the SSH configuration file located at /etc/ssh/sshd_config:

$ sudo nano /etc/ssh/sshd_config

Find the PasswordAuthentication directive; if the line is commented out, uncomment it and set the value to "no" as shown below:

PasswordAuthentication no

iii. Save and close the file.

iv. Restart the SSH service using the command below:

$ sudo systemctl restart sshd

Now, password-based authentication is disabled on your CentOS server.
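
sshd_config applies the first value it obtains for a keyword, so an earlier uncommented PasswordAuthentication line, or one left commented out, changes the result of the edit above. The following is an added example, not part of the original article, that reports the effective global value from a config file and also checks ChallengeResponseAuthentication, which can still present a password prompt through PAM. The function names are hypothetical, and the default of "yes" for both keywords is assumed from the OpenSSH release shipped with CentOS 7.

```bash
# Added example; function names are hypothetical, not part of OpenSSH.

# sshd_effective CONFIG_FILE KEYWORD DEFAULT
#   Prints the global value sshd would use for KEYWORD: the first uncommented
#   occurrence before any Match block, or DEFAULT when the keyword is unset.
sshd_effective() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v dflt="$3" '
        { sub(/^[ \t]+/, "") }                   # keywords may be indented
        /^(#|$)/ { next }                        # commented-out lines do nothing
        { split($0, f, /[ \t=]+/); kw = tolower(f[1]) }
        kw == "match" { exit }                   # Match blocks are conditional
        kw == want { print tolower(f[2]); found = 1; exit }
        END { if (!found) print dflt }
    ' "$1"
}

# password_login_disabled CONFIG_FILE
#   Returns 0 only when both password-style methods are off globally.
password_login_disabled() {
    [ "$(sshd_effective "$1" PasswordAuthentication yes)" = no ] &&
    [ "$(sshd_effective "$1" ChallengeResponseAuthentication yes)" = no ]
}
```

On the server itself, sudo sshd -t validates the file before the restart and sudo sshd -T prints the configuration sshd will actually apply; keep the existing session open until a second key-based login succeeds.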


This article covers how to create a new SSH key pair and set up SSH key-based authentication. You can set up the same key on multiple remote hosts on CentOS systems. Also, you will learn how to disable SSH password authentication.

SSH, or secure shell, is an encrypted protocol used to administer and communicate with servers. When working with a CentOS server, chances are, you will spend most of your time in a terminal session connected to your server through SSH.

SSH keys are typically configured in an authorized_keys file in the .ssh subdirectory of the user's home directory. Typically a system administrator would first create a key using ssh-keygen and then install it as an authorized key on a server using the ssh-copy-id tool.

The public key should be stored in the ~/.ssh/authorized_keys file on the server.


To Create the RSA Key Pair:

1. Execute the command below to create a key pair on the client machine (usually your computer):

$ ssh-keygen

2. Press ENTER to save the key pair into the .ssh/ subdirectory in your home directory, or specify an alternate path.


Best Practices to improve SSH Key Security:

  • Discover all SSH Keys and Bring Under Active Management.
  • Ensure SSH Keys Are Associated With a Single Individual.
  • Enforce Minimal Levels of User Rights Through PoLP.
  • Stay Attentive to SSH Key Rotation.
  • Eliminate Hardcoded SSH Keys.
  • Audit All Privileged Session Activity.
