Introduction
Using public-key authentication for SSH login is a more secure alternative to password-based authentication. This guide will walk you through the steps to configure your server to only allow SSH login with a public key.
Generating a Public/Private Key Pair on Windows
To generate a public/private key pair, run the following command:
ssh-keygen -t rsa -b 4096
Follow the prompts to save the keys. You can optionally protect the private key with a passphrase.
Copying the Public Key from Windows to Your Linux Machine
To copy the contents of ~/.ssh/id_rsa.pub to your Linux machine, run the following command in PowerShell:
cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Make sure to replace username@remote_host with your server’s actual SSH username and hostname.
Configuring Authorized Keys File
1. Enable public-key authentication in the SSH daemon configuration
sudo nano /etc/ssh/sshd_config
Locate the line PubkeyAuthentication no and change it to:
PubkeyAuthentication yes
Then, restart the SSH service:
sudo systemctl restart sshd
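2. Add the public key to authorized keys
nano ~/.ssh/authorized_keys
Append the contents of your local machine’s ~/.ssh/id_rsa.pub file to the end of the authorized keys file. By default sshd reads this file from the home directory of the account you log in as, so edit it as that user.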
Restricting Access to Key-Based Authentication Only
1. Remove password-based authentication (optional)
sudo nano /etc/ssh/sshd_config
Locate the line PasswordAuthentication yes and change it to:
PasswordAuthentication no
Then, restart the SSH service:
sudo systemctl restart ssh
If that does not work, try:
sudo systemctl restart sshd
2. Limit access with host keys or user limits (optional)
You can further restrict access by limiting SSH connections to specific hosts or users.
SSH Hardening & Troubleshooting Checklist
Quick, ordered steps to confirm PasswordAuthentication is disabled and root login is restricted.
1) Ground-truth the daemon
Ask sshd what it actually uses (don’t rely only on files):
sudo sshd -T | grep -E "passwordauthentication|permitrootlogin|kbdinteractiveauthentication"
Expected result:
passwordauthentication no
permitrootlogin prohibit-password
kbdinteractiveauthentication no
2) Diagnostics (run if the ground-truth shows unexpected values)
These commands search drop-in snippets, debug the daemon, and show file locations:
grep -r "PasswordAuthentication" /etc/ssh/sshd_config.d/
sudo sshd -ddd 2>&1 | grep -i "passwordauthentication"
grep -n "PasswordAuthentication" /etc/ssh/sshd_config
sudo sshd -T | grep -i "passwordauthentication"
3) Fix and verify (ordered)
- Locate the file that overrides the setting (often a file under /etc/ssh/sshd_config.d/, e.g. 50-cloud-init.conf).
- Edit the offending file and set the desired values. Example:
sudo nano /etc/ssh/sshd_config.d/50-cloud-init.conf
# set: PasswordAuthentication no
# set: PermitRootLogin prohibit-password
- Restart SSH to apply changes:
sudo systemctl restart sshd || sudo systemctl restart ssh
- Re-run the ground-truth check to confirm the daemon sees the updates:
sudo sshd -T | grep -E "passwordauthentication|permitrootlogin|kbdinteractiveauthentication"
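To locate the override without guessing, here is an added example (not part of the original guide) that walks a config tree the way sshd does: the first value read for a keyword wins, and Include globs are expanded in sorted order. The function names and the sample tree with its contents are constructed for illustration; the script ignores quoted paths and paths containing spaces, and treats everything after a Match line in a file as conditional.

```shell
# Added example, not from the original page. sshd keeps the FIRST value it
# reads for a keyword, so this reports the file and line that actually wins.
# _scan KEYWORD FILE BASEDIR prints "file:line:value" for every global setting
# in read order; its ( ) body is a subshell, so recursion keeps its variables.
_scan() (
    awk -v kw="$1" -v base="$3" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        /^[A-Za-z0-9]+[ \t]*=/ { sub(/[ \t]*=[ \t]*/, " ") }  # Key=value form
        {
            key = tolower($1)
            if (key == "match") exit        # the rest of this file is conditional
            if (key == "include") {
                for (i = 2; i <= NF; i++)
                    print "INC|" ($i ~ /^\// ? $i : base "/" $i)
            } else if (key == kw) {
                val = $0; sub(/^[^ \t]+[ \t]+/, "", val)
                print "SET|" FILENAME ":" FNR ":" val
            }
        }' "$2" |
    while IFS='|' read -r kind rest; do
        case $kind in
        SET) printf '%s\n' "$rest" ;;
        INC) for f in $rest; do             # unquoted so the glob expands, sorted
                 if [ -f "$f" ]; then _scan "$1" "$f" "$3"; fi
             done ;;
        esac
    done
)

# first_setting KEYWORD FILE [BASEDIR]: winning global setting (BASEDIR defaults to /etc/ssh).
first_setting() {
    _scan "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" "$2" "${3:-/etc/ssh}" |
        head -n 1
}

# Constructed sample tree (hypothetical file contents) for an offline run.
make_sample() {
    mkdir -p "$1/sshd_config.d"
    printf '%s\n' 'Include sshd_config.d/*.conf' 'PasswordAuthentication no' \
        'PermitRootLogin prohibit-password' 'Match User backup' \
        '    PasswordAuthentication yes' > "$1/sshd_config"
    printf 'PasswordAuthentication yes\n' > "$1/sshd_config.d/50-cloud-init.conf"
    printf 'PasswordAuthentication no\n' > "$1/sshd_config.d/60-hardening.conf"
}

demo=$(mktemp -d) && make_sample "$demo"
first_setting PasswordAuthentication "$demo/sshd_config" "$demo"
rm -rf "$demo"
```

To use it on a server, drop the last three lines, load the functions in a root shell (drop-in files are often readable only by root) and call first_setting PasswordAuthentication /etc/ssh/sshd_config. The sshd -T check above remains the final authority on what the daemon uses.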
4) Safety test before disconnecting
From a new local terminal, test access:
ssh user@server-ip
Success: you either log in with your SSH key, or you immediately see Permission denied (publickey) (no password prompt).
If you are prompted for a password, keep your original session open, fix the override, then repeat the steps above.
Conclusion
You have configured your server to use public-key SSH authentication and removed (or prepared to remove) password-based logins where applicable.