Using public and private keys for authentication when connecting remotely to your server, or even between your servers, can greatly simplify and increase the security of your login process. When implemented correctly they provide a secure, fast and easy way for accessing your cloud server.

Preparing your server

To add a SSH-key pair, first create a hidden folder to your user account home directory on your cloud server with

mkdir -p ~/.ssh

Restrict the permissions to just yourself with

chmod 700 ~/.ssh

This creates a location for you to save your authentication keys, but note that since it’s stored in your user home directory, every user that wishes to connect using this method has to repeat these steps.

Using OpenSSH to generate a key pair

Now on your own computer if you are using Linux, or any other OS that has OpenSSH, just generate a new key pair in terminal with

ssh-keygen -t rsa

The key generator will ask for location and file name to which the key is saved to, enter a new name or use the default by pressing enter.

Next you’ll be prompted to create a passphrase for the key. This is a simple password that will protect your key should someone be able to get their hands on it.

With the new key pair generated, you still need to copy the public part of the key pair to your cloud server using the following command

ssh-copy-id -i ~/.ssh/id_rsa.pub <user>@<server>

In the command above replace the <user> and <server> with your username and the server address you wish to use the key authentication on. This also assumes you saved the key pair using the default file name and location, if not just replace the ~/.ssh/id_rsa.pub with yours.

Enter your user account password for that SSH server when prompted.

You can now authenticated to your server using the key pair, but at the moment you would need to enter the passphrase every time you connect. To avoid having to re-enter passphrase at every login, use SSH-Agent to store the keys with

ssh-agent $BASH
ssh-add

Type in your key’s current passphrase when asked. If you saved the public key somewhere other than the default location and name, you’ll have to specify it while adding the key. Afterwards you can connect to your cloud server like usual using the SSH-keys for authentication, and only having to unlock the key by repeating the last 2 steps once after every computer restart.

Using PuTTY to generate a key pair

If you are running Windows and PuTTY for SSH, you can use the built-in key generator from PuTTY to create a new key pair. Open the PuTTY Configuration window and click the Keygen -button at the bottom.

In the Key Generator window, check that the Type of key to generate at the bottom is set to SSH-2 RSA, and then just click the Generate -button to begin.

You’ll notice the progress bar on the key generator won’t advance on its own. You need to keep moving your mouse over the blank area in any manner to help generate randomness for few moments until the progress is complete.

With the keys finished, PuTTY will show the relative information about the pair along with the public key for easier copying.

It’s recommended that you enter a key passphrase in the 2 empty fields just for the added security before continuing. The passphrase will protect your key from unauthorized use should someone be able to copy it.

Next up, click the Save private key -button and store it somewhere safe, generally anywhere in your user directory is fine as long as your PC is password protected. Before closing the keygen, you may want to copy the public key to your clipboard, but you can always copy it later on as well.

Now that you have a new key saved on your computer, you’ll need to import it into the PuTTY key agent. With the PuTTY Configuration window still open, click the Agent -button to open the key manager.

In the Key List press Add Key -button, browse to the location you saved the private key, select it and click Open.

Enter your key passphrase when asked.

This will import the key to your PuTTY client, but you still need to copy the public key over to your server.

Open a new SSH connection to your cloud server if you didn’t have one already running and move to the key directory with

cd ~/.ssh/

Open or create the default file OpenSSH looks for authentication keys with

sudo nano authorized_keys

Or with the following if you don’t have nano installed on your choice of Linux distribution

sudo vi authorized_keys

With the file open in an editor, you can paste the public key into the file by simply right clicking the SSH client window. Make sure the key goes on a single line for OpenSSH to be able to read it.

When you’ve copied the public key over to the authorized keys list, just save the file and exit the editor. You can now test the public key authentication by logging in to your server again. You should not get asked for your password, but instead logged straight in with the key. If it’s not working, check that your private key is unlocked at your SSH Agent and try again.

Turn off password authentication

With SSH-key authentication configured and tested, you should disable password authentication for SSH all together to prevent brute-forcing. When logged in to your cloud server, open the SSH configuration file with

sudo nano /etc/ssh/sshd_config

Or if you don’t have nano installed or prefer using vi instead

sudo vi /etc/ssh/sshd_config

Search for the password authentication setting to disable clear text passwords by changing the parameter to no

PasswordAuthentication no

Check just to be safe that public key authentication is enable

PubkeyAuthentication yes

Then save and exit the editor.

Afterwards just restart the SSH service to apply the changes to the configuration file. On CentOS and other Red Hat based distributions, use the following command

sudo systemctl restart sshd

On Ubuntu and other Debian variants run this command instead

sudo service ssh restart

With that done your cloud server is now an other step further with security. Random malicious attempts to connect to your server will results in authentication rejection, as plain passwords are not allowed, and brute-forcing a RSA-key is practically impossible.

Remember to keep your private key safe, you can use the same key from multiple computers if you wish, or generate new ones on each client connecting to your cloud server for added security. Each user should generate their own key pair and passphrase for easier management and control, in case one of the private keys gets stolen you won’t have to replace them all.