Lolik

not404

nothing
x
bilibili
github
telegram
steam
follow

How to use public and private keys to log in to a Linux server

1. Why Use Public and Private Key Login#

  1. Higher Security
  • Password Complexity Issues: Password login usually requires users to remember complex passwords, but many people choose simple passwords for convenience, which are easy to crack. Public and private key login uses asymmetric encryption technology, where the private key is typically long (e.g., 4096 bits), making it extremely difficult to crack. (SSH services exposing port 22 on the public network receive a large number of brute-force login requests daily; I check the logs and see thousands of attempts every day.)
  • Preventing Man-in-the-Middle Attacks: The public and private key authentication mechanism can effectively prevent man-in-the-middle attacks during the encryption process. Even if an attacker intercepts the communication content, they cannot obtain the private key or decrypt the data.
  • No Password Leakage Risk: In the public and private key login process, the private key is always stored locally and is not transmitted over the network like password logins, thus eliminating the risk of password interception during transmission.
  1. More Convenient Login
  • No Need to Manually Enter Passwords: Once public and private key login is configured, users can quickly log in to the server without manually entering passwords, significantly improving work efficiency, especially suitable for frequent server logins.
  • Supports Multiple Servers: The same public key can be added to multiple servers, allowing the use of the same key pair to log in to multiple servers, simplifying the login process. (However, if the private key file is lost or leaked, it can cause a chain reaction.)
  • Automated Operations: Public and private key login supports passwordless login, facilitating automated script operations (using the Python Fabric library for automatic deployment), such as executing remote commands and file transfers via SSH.
  1. Strong Scalability
  • Easy to Manage: Public keys can be easily distributed to multiple servers, while the private key only needs to be securely stored locally. If there is a need to change keys, simply regenerate the key pair and upload the new public key to the server.

2. Generating Key Pairs#

To use public and private key login to the server, you first need to generate a key pair, which can be done on the local computer using the ssh-keygen command.

  1. The ssh-keygen command requires the OpenSSH client to be installed.

For example, on Windows 11, search for OpenSSH in Settings > System > Optional Features to install the client, and use powershell to check if it is installed.

> gcm ssh-keygen

CommandType     Name                 Version    Source
-----------     ----                 -------    ------
Application     ssh-keygen.exe       9.5.3.1    C:\Windows\System32\OpenSSH\ssh-keygen.exe
  1. Command to generate the key pair:
ssh-keygen -t rsa -b 4096
  • -t rsa: Specifies the key type as RSA.
  • -b 4096: Specifies the key length as 4096 bits; a higher key length means stronger security.

After pressing Enter, you will be prompted to enter the file path to save the key and an optional password; simply press Enter to skip if no password is needed.

By default, the keys will be saved in ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key), typically located at C:\Users\<username>\.ssh on Windows. For example, in my case:

24123@lolik ~\.ssh
> ls
    Directory: C:\Users\24123\.ssh
Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-a----         2025/2/19     10:03            210 config
-a----          2024/6/7     14:43           3381 id_rsa
-a----          2024/6/7     14:43            738 id_rsa.pub
-a----         2025/2/19      9:57           5828 known_hosts
-a----         2025/2/19      9:52           5080 known_hosts.old

The known_hosts file may contain the public keys of previously connected servers, and my config file was created by VS Code to save remote connection information, including aliases and hostnames.

  1. Simplifying Connection Operations

In the above config file (you can create one if it doesn't exist), for example:

# Read more about SSH config files: https://linux.die.net/man/5/ssh_config
  Host winserverA
    HostName 1.1.1.1
    User administrator
    IdentityFile ~/.ssh/id_rsa

  Host serverB
    HostName 1.1.1.1
    User root
    IdentityFile ~/.ssh/id_rsa
  • Host: Sets an alias for the server for easier recall.

  • HostName: The IP address of the server.

  • User: The username for the server.

  • IdentityFile: The path to the private key file.

    The IdentityFile seems to default to ~/.ssh/id_rsa.

    Because I can log in directly using the ssh alias or ssh username@ip command without specifying -i ~/.ssh/id_rsa.

3. Uploading the Public Key to the Server#

  1. Copy the public key content to the clipboard.
cat ~/.ssh/id_rsa.pub

Select the output content to copy.

  1. Log in to the server using a password or other means.

    On the server, create the .ssh directory in the home directory ~ (if it doesn't exist) and change permissions.

    mkdir -p ~/.ssh
    chmod 700 ~/.ssh
    

    Use vi or vim to create ~/.ssh/authorized_keys.

    vim ~/.ssh/authorized_keys
    

    Paste the public key and save.

  2. Modify the server's SSH configuration.

    Edit the /etc/ssh/sshd_config file.

    vim /etc/ssh/sshd_config
    
    • PubkeyAuthentication yes
    • AuthorizedKeysFile .ssh/authorized_keys

    Allow public key authentication and specify the public key file.

    • Set PermitRootLogin to prohibit-password or without-password to disable password login for the root user, allowing only public key login.
  3. Restart the sshd service to apply the configuration (you can also use the old command service).

    sudo systemctl sshd restart
    
  4. Test the login.

    For example, enter in the local computer terminal, where server_ip is the server's IP (if you configured an alias in the config above, you can also log in using the alias).

    ssh root@server_ip          
    

    If this is the first login from the local machine, a warning will be displayed; simply type yes to proceed.

    If all goes well, you will log in directly to the server, which is quite convenient.

Loading...
Ownership of this post data is guaranteed by blockchain and smart contracts to the creator alone.