Certificate Based SSH Authentication

I want to use Certificates to authenticate to my Linux servers. Strictly speaking, what the steps below set up is SSH public-key authentication with a key pair (a private key on the client, its public half in authorized_keys on the server); OpenSSH's CA-signed certificates are a separate mechanism and are not used here.

Throughout this guide I will use the following variables

Variable   Value
<fqdn>     Fully qualified domain name of the host you want to ssh into, for example host.domain.tld
<user>     Your user on the host.

For my filenames I use <fqdn>_id to make it obvious which file belongs to which host. The _id on the end mirrors the default id_rsa / id_ed25519 naming that ssh-keygen uses.

  1. Verify the ssh tools are installed.
    1. Open a console/terminal/shell. For Windows I personally use PowerShell, but the command prompt works as well.
    2. Type ssh-keygen --help and press enter. ssh-keygen has no --help option, but it responds by printing its usage summary (the list of available options), and that is all you need to see: it means the client tools are installed. If you get "command not found" instead, you'll need to install the ssh client. For the Windows version you can follow my blog post about easily installing the ssh client in Windows. For Linux, search the internet for your particular distribution and installing the ssh client.
  2. Make sure that the ~/.ssh directory exists.
    1. In your terminal, type mkdir ~/.ssh. If it exists you may get an error saying it already exists; you can safely ignore that error (or use mkdir -p ~/.ssh, which is silent either way). On Linux and macOS also run chmod 700 ~/.ssh so only your user can read the directory.
  3. Use ssh-keygen to generate your certificate pair
    1. ssh-keygen -t rsa -f ~/.ssh/<fqdn>_id
      • Any current OpenSSH will also accept -t ed25519, which gives a smaller, faster key with no key-size choice to get wrong. If you stay with RSA, add -b 4096 to pick a key size explicitly.
    2. If you want to be more secure, set a passphrase when prompted. The passphrase only protects the private key file on disk; the server never sees it. If you don't want to type it every time the key is used, either press enter at the prompts to leave it empty, or keep the passphrase and load the key into ssh-agent once per session.
  4. Add the new public key to your user on the server.
    1. cat ~/.ssh/<fqdn>_id.pub
    2. Copy the resulting output to your clipboard
    3. Log in to your server/host that you are going to be ssh'ing into.
    4. Make sure the ~/.ssh folder exists and is private to you: mkdir -p ~/.ssh && chmod 700 ~/.ssh
    5. Open the ~/.ssh/authorized_keys file in an editor. Personally, I use VI. vi ~/.ssh/authorized_keys (note: authorized_keys, not known_hosts; known_hosts is the client-side list of server host keys and has nothing to do with this step).
    6. Paste the public key you copied to your clipboard into the editor on a new line. Each key must be exactly one line; if your editor or terminal wrapped it, join it back together before saving.
      • Your file should look something like this if you only have one entry:
      ssh-rsa BASE64EncodedStuff user@clienthost1
      
      • If you have multiple entries
      ssh-rsa BASE64EncodedStuff user@clienthost1
      ssh-rsa BASE64EncodedStuff user@clienthost2
      ssh-rsa BASE64EncodedStuff user@clienthost3
      
    7. Make sure permissions are correct: chmod 600 ~/.ssh/authorized_keys
      • sshd (with its default StrictModes yes) refuses to use authorized_keys if that file, the ~/.ssh directory, or your home directory is writable by group or others. 600 for the file and 700 for the directory is the safe setting. If you skip this, key login silently falls back to password authentication and the server log shows entries such as "Authentication refused: bad ownership or modes for directory /home/<user>/.ssh" (or "... for file ... authorized_keys").
  5. Configure your client to authenticate to the host with the new key
    1. On my client I generally use Visual Studio Code as my editor. So, I do code ~/.ssh/config. If you use a Mac or Linux you can use vi. vi ~/.ssh/config
    2. At the end of the file, which may be empty, you will add the following.
    Host <fqdn>
        Hostname <fqdn>
        User <user>
        IdentityFile ~/.ssh/<fqdn>_id
    
      • If you have several keys loaded in an agent, adding IdentitiesOnly yes to this block stops ssh from offering every agent key before the one you named here, which can otherwise hit the server's MaxAuthTries limit.
  6. Test your config setup. On the client, in the terminal, ssh <fqdn>. If you are still asked for your account password, run ssh -v <fqdn>: the verbose output shows which identity file was offered and whether the server accepted it, which narrows the problem down to the client config or to the server-side file and permissions.
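The six steps above, collected into one script as an added example (this is not from the original post). It assumes a POSIX shell and OpenSSH's ssh-keygen on the client; the "server" side is modelled as a home directory path, so you can run the install and check functions against a temporary directory locally to see exactly what they do before touching a real host. It generates an ed25519 key rather than the RSA key in step 3, deduplicates authorized_keys so a re-run does not add a second copy of the same key, and checks the permissions the way sshd's StrictModes does (group/world writable is what gets refused).

```shell
#!/bin/sh
# Added example, not part of the original guide. Functions follow the guide's
# steps: gen_key (step 3), install_pubkey + check_perms (step 4),
# add_host_config (step 5). Assumed: POSIX sh, OpenSSH ssh-keygen for gen_key.

# gen_key <fqdn> [keydir] : create <keydir>/<fqdn>_id and <fqdn>_id.pub.
# ssh-keygen prompts for a passphrase; press enter twice for none (step 3.2).
gen_key() {
    fqdn=$1
    keydir=${2:-$HOME/.ssh}
    mkdir -p "$keydir" && chmod 700 "$keydir"
    ssh-keygen -t ed25519 -f "$keydir/${fqdn}_id"
}

# install_pubkey <pubkey_line> <home_dir> : append one public key line to
# <home_dir>/.ssh/authorized_keys unless that key is already present, then set
# the 700/600 modes sshd expects. Matching uses key type + base64 blob only,
# so a key with a different trailing comment is still recognised as the same key.
install_pubkey() {
    pubkey=$1
    home=$2
    sshdir="$home/.ssh"
    authk="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authk"
    chmod 600 "$authk"
    keyid=$(printf '%s\n' "$pubkey" | awk '{print $1 " " $2}')
    if awk -v id="$keyid" '($1 " " $2) == id {found=1} END {exit !found}' "$authk"; then
        echo "key already present in $authk" >&2
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$authk"
}

# check_perms <home_dir> : return non-zero if ~/.ssh or authorized_keys is
# writable by group or others (mode bits 020 / 002), which is what sshd's
# StrictModes rejects with "bad ownership or modes". Works with GNU and BSD stat.
check_perms() {
    home=$1
    rc=0
    for f in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        have=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        if [ $(( 0$have & 022 )) -ne 0 ]; then
            echo "$f is group/world writable (mode $have); sshd will refuse it" >&2
            rc=1
        fi
    done
    return $rc
}

# add_host_config <fqdn> <user> <config_file> : append the step 5 Host block
# once. IdentitiesOnly keeps ssh from offering every agent key before this one.
add_host_config() {
    fqdn=$1
    user=$2
    cfg=$3
    mkdir -p "$(dirname "$cfg")"
    touch "$cfg"
    chmod 600 "$cfg"
    if grep -qxF "Host $fqdn" "$cfg"; then
        echo "Host $fqdn already in $cfg" >&2
        return 0
    fi
    {
        printf '\nHost %s\n' "$fqdn"
        printf '    Hostname %s\n' "$fqdn"
        printf '    User %s\n' "$user"
        printf '    IdentityFile ~/.ssh/%s_id\n' "$fqdn"
        printf '    IdentitiesOnly yes\n'
    } >> "$cfg"
}

# Client-side driver: sh ssh_key_setup.sh <fqdn> <user>
# Prints the public key to paste into install_pubkey on the server.
if [ "$#" -eq 2 ]; then
    gen_key "$1"
    add_host_config "$1" "$2" "$HOME/.ssh/config"
    echo "Public key to install on $1 (run install_pubkey with it there):"
    cat "$HOME/.ssh/$1_id.pub"
fi
```

On the server the same file can be sourced and the pasted line installed with install_pubkey "ssh-ed25519 AAAA... user@clienthost1" "$HOME", followed by check_perms "$HOME" to confirm nothing is group/world writable before you try the login.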

You should have logged into your host with the key. If you set a passphrase on your private key you'll need to enter that (unless the key is loaded in ssh-agent); otherwise, it should let you in without anything else. If you have questions or problems, let me know in the comments below and I'll see what I can do to help.