In this article, we will show you how to generate SSH key pairs on Rocky Linux 8.
The SSH key pair is used to authenticate the identity of a user or process that wants to access a remote system using the SSH protocol. The public key is used by both the user and the remote server to encrypt messages.
On the remote server side, it is saved in a file that contains a list of all authorized public keys. On the user’s side, it is stored in SSH key management software or in a file on their computer. The private key remains only on the system being used to access the remote server and is used to decrypt messages.
How To Generate SSH Key Pairs on Rocky Linux 8
In this guide, you will learn to set up SSH keys on Rocky Linux 8. SSH keys provide a straightforward, secure method of logging into your server and are recommended for all users.
Now follow the steps below to complete this guide.
Create RSA Key Pair on the Client Machine
The first step is to create a key pair on the client machine (your local computer). To do this, you can use the “ssh-keygen” utility, which creates a 2048-bit RSA key pair.
Note: If you plan to create a larger 4096-bit key, you can use the “-b 4096” flag.
When you enter the above command, you should see the following output:
Generating public/private rsa key pair.
Enter file in which to save the key (/your_home/.ssh/id_rsa):
Press ENTER to save the key pair in the .ssh/ subdirectory in your home directory, or specify an alternate path.
Then, you will see:
Output
Enter passphrase (empty for no passphrase):
It is highly recommended to enter a passphrase to add an additional layer of security to your key pairs on Rocky Linux 8, to prevent unauthorized users from logging in.
When you are done, you will see:
Output
Your identification has been saved in /your_home/.ssh/id_rsa.
Your public key has been saved in /your_home/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:j4Sp/pEaRtlftU3TgsLiF7Jgw2lpdLxhYD6t2AF1nbw
The key's randomart image is:
+---[RSA 3072]----+
| ..=ooo . |
| * *+.+ . . |
| &.+o+.o + . |
| O X.+E+ + o |
| + * S o . . |
| . . + = |
| + o o . |
| o o . |
| o.. |
+----[SHA256]-----+
At this point, you have a public and private key that you can use to authenticate.
Copy the Public Key To your Rocky Linux Server
The easiest way to copy the public key to your server is to use a utility called “ssh-copy-id”.
The ssh-copy-id tool is included by default in many operating systems, so you may have it available on your local system. For this method to work, you must already have password-based SSH access to your server.
To use the utility, you need only specify the remote host that you would like to connect to and the user account to which you have password-based SSH access. This is the account to which your public SSH key will be copied:
You may get the following message:
Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
This means that your local computer does not recognize the remote host. This will happen the first time you connect to a new host. Type yes and press ENTER to continue.
Next, the utility will scan your local account for the id_rsa.pub key that we created earlier. When it finds the key, it will prompt you for the password of the remote user’s account:
Output
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
email@example.com's password:
After that, you will get the following output:
Output
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'firstname.lastname@example.org'"
and check to make sure that only the key(s) you wanted were added.
At this point, your id_rsa.pub key has been uploaded to the remote account.
Log in to Rocky Linux 8 with SSH Key Pairs
At this point, you should be able to log into the remote host without the remote account’s password:
If you supplied a passphrase, you will be prompted to enter it now. After authenticating, a new shell session should open for you with the configured account on the Rocky Linux server.
Disable Password-based Authentication on Rocky Linux 8
If you were able to log in to your account using SSH without a password, you have successfully configured SSH-key-based authentication to your account. However, your password-based authentication mechanism is still active, meaning that your server is still exposed to brute-force attacks.
Before completing the steps in this section, make sure that you either have SSH-key-based authentication configured for the root account on this server, or preferably, that you have SSH-key-based authentication configured for a non-root account on this server with sudo privileges. This step will lock down password-based logins, so ensuring that you will still be able to get administrative access is crucial.
Once you’ve confirmed that your remote account has administrative privileges, log into your remote server with SSH keys, either as root or with an account with sudo privileges. Then, open up the SSH daemon’s configuration file:
sudo vi /etc/ssh/sshd_config
Find the line below and set its value to no:
...
PasswordAuthentication no
...
When you are done, save and close the file.
This will disable your ability to log in via SSH using account passwords.
Then, restart the SSH service to apply the changes:
sudo systemctl restart sshd
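An edit to PasswordAuthentication can silently have no effect: sshd applies the first value it reads for each keyword, and a later Match block can turn passwords back on for some sessions. The script below is an added example, not part of the original article; the function names and the sample configuration are constructed for illustration. It reports the value that applies globally and counts Match-scoped lines that re-enable passwords.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the PasswordAuthentication
# value sshd will actually apply. Function names are hypothetical.

# Prints "global=<value> match_yes=<n>":
#   global    - first PasswordAuthentication value seen before any Match line
#               (first value wins; OpenSSH defaults to "yes" when unset)
#   match_yes - number of "PasswordAuthentication yes" lines inside Match blocks
audit_password_auth() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }      # skip comments and blank lines
        {
            sub(/=/, " ")                      # tolerate Keyword=value
            key = tolower($1)                  # keywords are case-insensitive
            val = tolower($2)
        }
        key == "match" { in_match = 1; next }  # later lines are Match-scoped
        key == "passwordauthentication" {
            if (in_match) { if (val == "yes") match_yes++ }
            else if (global == "") global = val
        }
        END {
            if (global == "") global = "yes"   # keyword never set globally
            printf "global=%s match_yes=%d\n", global, match_yes
        }
    ' "$@"
}

# Constructed sample: "no" was appended below an earlier "yes" (which wins),
# and a Match block re-enables passwords for one account.
sample_config() {
    cat <<'EOF'
# PasswordAuthentication no
Port 22
passwordauthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
Match User backup
    PasswordAuthentication yes
EOF
}

sample_config | audit_password_auth
```

On the server, run it as `audit_password_auth /etc/ssh/sshd_config`. Running `sudo sshd -t` before the restart validates the file, and `sudo sshd -T` prints the settings sshd resolves.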
Now test that the SSH service is functioning correctly before closing your current session:
That’s it, you are done.
At this point, you have learned how to generate SSH key pairs on Rocky Linux 8.
Hope you enjoy it.