1. Why Use Public and Private Key Login#
- Higher Security
- Password Complexity Issues: Password login usually requires users to remember complex passwords, but many people choose simple passwords for convenience, which are easy to crack. Public and private key login uses asymmetric encryption technology, where the private key is typically long (e.g., 4096 bits), making it extremely difficult to crack. (SSH services exposing port 22 on the public network receive a large number of brute-force login requests daily; I check the logs and see thousands of attempts every day.)
- Preventing Man-in-the-Middle Attacks: The public and private key authentication mechanism can effectively prevent man-in-the-middle attacks during the encryption process. Even if an attacker intercepts the communication content, they cannot obtain the private key or decrypt the data.
- No Password Leakage Risk: In the public and private key login process, the private key is always stored locally and is not transmitted over the network like password logins, thus eliminating the risk of password interception during transmission.
- More Convenient Login
- No Need to Manually Enter Passwords: Once public and private key login is configured, users can quickly log in to the server without manually entering passwords, significantly improving work efficiency, especially suitable for frequent server logins.
- Supports Multiple Servers: The same public key can be added to multiple servers, allowing the use of the same key pair to log in to multiple servers, simplifying the login process. (However, if the private key file is lost or leaked, it can cause a chain reaction.)
- Automated Operations: Public and private key login supports passwordless login, facilitating automated script operations (using the Python Fabric library for automatic deployment), such as executing remote commands and file transfers via SSH.
- Strong Scalability
- Easy to Manage: Public keys can be easily distributed to multiple servers, while the private key only needs to be securely stored locally. If there is a need to change keys, simply regenerate the key pair and upload the new public key to the server.
2. Generating Key Pairs#
To use public and private key login to the server, you first need to generate a key pair, which can be done on the local computer using the ssh-keygen command.
- The
ssh-keygencommand requires the OpenSSH client to be installed.
For example, on Windows 11, search for OpenSSH in Settings > System > Optional Features to install the client, and use powershell to check if it is installed.
> gcm ssh-keygen
CommandType Name Version Source
----------- ---- ------- ------
Application ssh-keygen.exe 9.5.3.1 C:\Windows\System32\OpenSSH\ssh-keygen.exe
- Command to generate the key pair:
ssh-keygen -t rsa -b 4096
-t rsa: Specifies the key type as RSA.-b 4096: Specifies the key length as 4096 bits; a higher key length means stronger security.
After pressing Enter, you will be prompted to enter the file path to save the key and an optional password; simply press Enter to skip if no password is needed.
By default, the keys will be saved in ~/.ssh/id_rsa (private key) and ~/.ssh/id_rsa.pub (public key), typically located at C:\Users\<username>\.ssh on Windows. For example, in my case:
24123@lolik ~\.ssh
> ls
Directory: C:\Users\24123\.ssh
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 2025/2/19 10:03 210 config
-a---- 2024/6/7 14:43 3381 id_rsa
-a---- 2024/6/7 14:43 738 id_rsa.pub
-a---- 2025/2/19 9:57 5828 known_hosts
-a---- 2025/2/19 9:52 5080 known_hosts.old
The known_hosts file may contain the public keys of previously connected servers, and my config file was created by VS Code to save remote connection information, including aliases and hostnames.
- Simplifying Connection Operations
In the above config file (you can create one if it doesn't exist), for example:
# Read more about SSH config files: https://linux.die.net/man/5/ssh_config
Host winserverA
HostName 1.1.1.1
User administrator
IdentityFile ~/.ssh/id_rsa
Host serverB
HostName 1.1.1.1
User root
IdentityFile ~/.ssh/id_rsa
-
Host: Sets an alias for the server for easier recall. -
HostName: The IP address of the server. -
User: The username for the server. -
IdentityFile: The path to the private key file.The
IdentityFileseems to default to~/.ssh/id_rsa.Because I can log in directly using the
ssh aliasorssh username@ipcommand without specifying-i ~/.ssh/id_rsa.
3. Uploading the Public Key to the Server#
- Copy the public key content to the clipboard.
cat ~/.ssh/id_rsa.pub
Select the output content to copy.
-
Log in to the server using a password or other means.
On the server, create the
.sshdirectory in the home directory~(if it doesn't exist) and change permissions.mkdir -p ~/.ssh chmod 700 ~/.sshUse vi or vim to create
~/.ssh/authorized_keys.vim ~/.ssh/authorized_keysPaste the public key and save.
-
Modify the server's SSH configuration.
Edit the
/etc/ssh/sshd_configfile.vim /etc/ssh/sshd_configPubkeyAuthentication yesAuthorizedKeysFile .ssh/authorized_keys
Allow public key authentication and specify the public key file.
- Set
PermitRootLogintoprohibit-passwordorwithout-passwordto disable password login for the root user, allowing only public key login.
-
Restart the sshd service to apply the configuration (you can also use the old command
service).sudo systemctl sshd restart -
Test the login.
For example, enter in the local computer terminal, where
server_ipis the server's IP (if you configured an alias in the config above, you can also log in using the alias).ssh root@server_ipIf this is the first login from the local machine, a warning will be displayed; simply type yes to proceed.
If all goes well, you will log in directly to the server, which is quite convenient.