Authenticate via private key to Linux server

The default behavior if you spin up a new server is to login with username and password. Some cloud based providers also provides key based authentication now. If you have just password based login, read on how to authenticate via private key to your Linux server.

Objectives and prerequisites

These commands and work flow is tested on Ubuntu 20.04 server, but it will work on almost all Linux servers.

  • Create new user for login on the server
  • Create private/public keys on local machine
  • Disable root access and password based login to the server
  • Change SSH port(optional)

Create user

Login to the server as root and create a new user with bare minimum privileges with strong password. justme is the username. Keep this tab open.

adduser justme

Create keys

Choose a location of your choice(local machine) where you want to keep the keys. I will save them in /backups/keys. This will create two files, one is public key file and another is private key file.

ssh-keygen -t rsa -b 4096 -f /backups/keys/id_rsa -P ""
chmod 400 id_rsa

Flags explanation

-t = encryption type

-b = key bits

-f = output key file

-P = passphrase

Know more about it from the man pages ssh-keygen --help.

Copy the public key to your server. Change the IP address.

ssh-copy-id -i /backups/keys/ justme@

Login to the server with the key and justme user in another terminal tab.

ssh -i /backups/keys/id_rsa justme@

If you can login to the server via justme and then can switch to root as needed. Then so far all is good. Keep this tab open too.

SSH configuration

Switch to the 1st tab where you logged in to the server as root. Use editor of your choice(nano, vim etc).

vim /etc/ssh/sshd_config

Basically there are three changes you can make, one is optional(port change). Look for it in the file.

Port 22
PasswordAuthentication yes
PermitRootLogin yes

If commented(#), uncomment and change to:

Port 2244
PasswordAuthentication no
PermitRootLogin no

Save and exit vim. Restart ssh daemon.

systemctl restart sshd

If you have changed the port don’t forget to add it to the command as -p 2244 flag.

Open another terminal tab and try to login with password. You may probably get the following error:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

Now try login with the key and this time you will be logged in as user justme. Switch to root(or another user) for any commands needs privileged access.

Note: as an extra tip make sure your root password is as strong as it could be. Don’t use simple passwords. Even disabled now, it won’t hurt to have a strong password.