RH124 - ch10s03
Objectives
Configure a user account to use key-based authentication to log in to remote systems securely without a password.
To prepare your account, generate a cryptographically related pair of key files. One key is private and held only by you. The second key is your related
public key, which is not secret. The private key acts as your authentication credential, and it must be stored securely. The public key is copied to your
account on servers that you will remotely access, and verifies your use of your private key.
When you log in to your account on a remote server, the remote server uses your public key to encrypt a challenge message and sends it to your SSH
client. Your SSH client must then prove that it can decrypt this message, which demonstrates that you have the associated private key. If this
verification succeeds, then your request is trusted, and you are granted access without giving a password.
Passwords can be easily learned or stolen, but securely stored private keys are harder to compromise.
If you cannot restore your local private key, then you lose access to remote servers until you distribute a new public key to replace the
previous public key on each server. Always create backups of your keys in case they are overwritten or lost.
Generated SSH keys are stored by default in the .ssh subdirectory of your home directory. To function correctly, the private key must be readable and
writable only by the user that it belongs to (octal permissions 600). The public key is not secret, and anyone on the system might also be able to read it
(octal permissions 644).
After you place the public key, test remote access with the corresponding private key. If the configuration is correct, you access your account on
the remote system without being asked for your account password. If you do not specify a private key file, then the ssh command uses the
default ~/.ssh/id_rsa file if it exists.
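As an added example that is not part of the RH124 course material, the following POSIX shell script audits a key pair against the file modes the text requires (0600 for the private key, 0644 for the public key) and can repair them before you test the login; the key paths and the `<private>.pub` naming convention are assumptions.

```shell
#!/bin/sh
# Added example, not part of the RH124 text: audit an SSH key pair's file
# modes against the values the text requires (private key 0600, public key
# 0644) and optionally repair them. Key paths are assumed; nothing here
# generates or copies keys.

# Print FILE's octal mode (GNU stat first, BSD/macOS stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if FILE is a regular file with exactly the expected mode.
mode_is() {
    [ -f "$1" ] && [ "$(file_mode "$1")" = "$2" ]
}

# Check a key pair. Arg 1: private key path. Arg 2 (optional): public key
# path, defaulting to "<private>.pub", which is how ssh-keygen names it.
check_key_pair() {
    priv=$1
    pub=${2:-$1.pub}
    rc=0
    if mode_is "$priv" 600; then
        echo "ok   $priv is mode 0600"
    else
        echo "FAIL $priv must exist and be mode 0600 (owner read/write only)"
        rc=1
    fi
    if mode_is "$pub" 644; then
        echo "ok   $pub is mode 0644"
    else
        echo "FAIL $pub must exist and be mode 0644"
        rc=1
    fi
    return $rc
}

# Apply the required modes to an existing key pair, then re-check; the
# private key is never left more permissive than 0600.
fix_key_pair() {
    priv=$1
    pub=${2:-$1.pub}
    chmod 600 "$priv" && chmod 644 "$pub" && check_key_pair "$priv" "$pub"
}

# Audit the default key that ssh uses when no -i option is given.
check_key_pair "${HOME}/.ssh/id_rsa" || echo "repair with: fix_key_pair ~/.ssh/id_rsa"
```

Run it before `ssh -i` on a freshly copied or restored key: a private key that is group- or world-readable is rejected by the OpenSSH client, so the FAIL line tells you why the password prompt still appears.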
Important
If you configured a passphrase to protect your private key, then SSH requests the passphrase on first use. However, if the key
authentication succeeds, then you are not asked for your account password.
The next example demonstrates the information that is provided when using the lowest verbosity option: