By default, a newly provisioned server is accessed with a username and password. Some cloud providers now also offer key-based authentication. If your server only has password-based login, read on to learn how to authenticate to your Linux server with a private key.
Objectives and prerequisites
These commands and this workflow were tested on an Ubuntu 20.04 server, but they will work on almost all Linux servers.
- Create new user for login on the server
- Create private/public keys on local machine
- Disable root access and password based login to the server
- Change SSH port (optional)
Log in to the server as root and create a new user with bare-minimum privileges and a strong password.
justme is the username. Keep this tab open.
Choose a location on your local machine where you want to keep the keys. I will save them in /backups/keys. This will create two files: a public key file and a private key file.
ssh-keygen -t rsa -b 4096 -f /backups/keys/id_rsa -P ""
chmod 400 /backups/keys/id_rsa
-t = key type (algorithm)
-b = key bits
-f = output key file
-P = passphrase (empty here, so the private key is stored unencrypted)
Learn more about these options from the man pages.
Copy the public key to your server. Replace <server-ip> with your server's IP address.
ssh-copy-id -i /backups/keys/id_rsa.pub justme@<server-ip>
Log in to the server with the key as the justme user in another terminal tab.
ssh -i /backups/keys/id_rsa justme@<server-ip>
If you can log in to the server as justme and then switch to root as needed, all is good so far. Keep this tab open too.
Switch to the first tab, where you are logged in to the server as root. Open the SSH daemon configuration file (/etc/ssh/sshd_config) in an editor of your choice (nano, vim, etc.).
There are three changes you can make, one of which is optional (the port change). Look for these lines in the file:
Port 22
PasswordAuthentication yes
PermitRootLogin yes
If they are commented out (#), uncomment them and change them to:
Port 2244
PasswordAuthentication no
PermitRootLogin no
Save and exit the editor. Restart the SSH daemon.
systemctl restart sshd
If you have changed the port, don’t forget to add it to the ssh command with the -p 2244 flag.
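A check worth running on the edited file before the restart, as an added example that is not part of the original article: sshd uses the first value it obtains for each keyword, so an edit placed below an older active line has no effect. The function names and the sample files are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the original article). sshd uses the FIRST value it
# obtains for each keyword, so an active line earlier in the file silently
# overrides an edit made further down; commented (#) lines never count.

# effective_value FILE KEYWORD DEFAULT: print the value sshd would use.
# Assumes whitespace-separated "Keyword value" lines, as shown on this page.
effective_value() {
    awk -v kw="$2" -v def="$3" '
        /^[ \t]*(#|$)/ { next }                        # comments, blank lines
        tolower($1) == "match" { exit }                # Match blocks are conditional
        tolower($1) == tolower(kw) { val = $2; exit }  # first occurrence wins
        END { print (val == "" ? def : val) }
    ' "$1"
}

# audit_sshd_config FILE: return 0 only if password and root logins are off.
# The defaults passed below are OpenSSH's built-ins for an absent keyword.
audit_sshd_config() {
    rc=0
    pa=$(effective_value "$1" PasswordAuthentication yes)
    prl=$(effective_value "$1" PermitRootLogin prohibit-password)
    [ "$pa" = "no" ]  || { echo "FAIL PasswordAuthentication is $pa"; rc=1; }
    [ "$prl" = "no" ] || { echo "FAIL PermitRootLogin is $prl"; rc=1; }
    echo "INFO Port is $(effective_value "$1" Port 22)"
    return "$rc"
}

# Constructed sample files (not real server configs).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/stale.conf" <<'EOF'
#Port 22
PasswordAuthentication yes
PermitRootLogin no
# edit appended at the bottom: too late, the line above already won
PasswordAuthentication no
EOF
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
Port 2244
PasswordAuthentication no
PermitRootLogin no
EOF

for f in stale hardened; do
    if audit_sshd_config "$SAMPLE_DIR/$f.conf"; then echo "$f: OK"
    else echo "$f: NOT hardened"; fi
done
```

On the server itself, `sshd -t` checks the file for syntax errors and `sshd -T` prints the effective configuration; run both while the root tab is still open.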
Open another terminal tab and try to log in with a password. You will probably get the following error:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
Now try logging in with the key; this time you will be logged in as the user justme. Switch to root (or another user) for any commands that need privileged access.
Note: as an extra tip, make sure your root password is as strong as it can be. Don’t use simple passwords. Even though root login is now disabled, it won’t hurt to have a strong password.