Latest LQ Deal: Latest LQ Deals
Go Back > Forums > Linux Forums > Linux - Newbie
User Name
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!


  Search this Thread
Old 11-01-2011, 04:15 PM   #1
Registered: Mar 2005
Distribution: Ubuntu 12.04 LTS
Posts: 249

Rep: Reputation: 16
Requiring public key in order to SSH into a machine

I'd like to make it necessary to have a public key in order to SSH into a machine. Meaning if you try to brute force the password, even if you guess the password correctly you won't be able to use it because you don't have the public key of the SSH server. My first question is whether this is the recommended best practice, or should I continue to allow the choice of a public key or the password? (The only problem I see with key-only authentication is that if I somehow lose my client's private key I can no longer log into my server...)

Currently my setup allows for passwordless SSH authentication if you have a public key, but it also allows for a username and password without the public key and that works too (which isn't what I want). Which of the following do I need to set in order to enable the public key-only functionality? Different tutorials list different combinations of the settings below - if someone could tell me the bare minimum I need to change in order for it to work, that would be great.

Now let's say I've set up a public key-only login. If I want to create a new set of keys on my SSH server (let's say after reformatting my client - a laptop), I'm guessing I can't use ssh-copy-id to copy the newly created public key to the server? I'd be locked out of my server, so what would be the best way to set things up again and allow my laptop to SSH into my server again?

Last edited by veeruk101; 11-01-2011 at 04:23 PM.
Old 11-02-2011, 07:38 AM   #2
Senior Member
Registered: Jan 2005
Location: Melbourne, Australia
Distribution: Debian Bookworm (Fluxbox WM)
Posts: 1,391
Blog Entries: 54

Rep: Reputation: 360Reputation: 360Reputation: 360Reputation: 360
It is a good thing to restrict the number of ways to access a machine. Whether a password or a keyfile is better depends on how you manage them. If you use a PKI key, then it is good practice to password protect the PKI file.

To disable the password access, it is sufficient to set PasswordAuthentication to 'no' in the server configuration (the other parameters have reasonable defaults). You will need to restart the server.

If you have to set up a new PKI key, you need to add the public part to the server before you remove the old local key (use the '-i' flag to use the new key file). Once it has been added, you can change the local key to the new one, and restart the ssh session (and remove the old key from the servers authorized keys if it is no longer required).

If you lose the PKI key, then yes, you will be unable to access the server.

Last edited by neonsignal; 11-02-2011 at 07:52 AM.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
open-ssh vs. commercial ssh (tru64), public-key auth not possible? cf050 Linux - Networking 8 03-28-2012 11:15 AM
NoMachine NX while still requiring key auth for SSH, possible? Chip Sprague Linux - Security 1 08-29-2011 02:48 PM
SSH skips public key authentication for a key, but works with another key simopal6 Linux - General 1 07-06-2011 08:33 AM
Putty/SSH login failed when using RSA public key: 'Server refused our key' Linux - Server 10 10-04-2010 01:19 PM
ssh to remote machine with public-key method 2007fld Linux - Security 2 08-13-2007 03:13 PM > Forums > Linux Forums > Linux - Newbie

All times are GMT -5. The time now is 07:11 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration