How to login to SSH using a .pub key file and a password?
Secure SSH Login: Combining Public Key Authentication with a Password
Learn how to enhance your SSH security by using a public key for authentication while still requiring a password for an additional layer of protection. This guide covers setup and usage.
SSH (Secure Shell) is a fundamental protocol for secure remote access to servers. While public key authentication is generally considered more secure and convenient than password-only authentication, there are scenarios where you might want to combine both for an extra layer of security or to comply with specific organizational policies. This article will guide you through the process of configuring your SSH client and server to allow login using a .pub key file, but still require a password for the key itself.
Understanding SSH Key Pairs and Passphrases
SSH key pairs consist of a private key (kept secret on your local machine) and a public key (placed on the remote server). When you attempt to connect, the server challenges your client, which then uses the private key to prove its identity. A passphrase adds an additional layer of security to your private key. If someone gains unauthorized access to your private key, they still won't be able to use it without knowing the passphrase. This is the 'password' we refer to in the context of logging in with a .pub key file and a password.
flowchart TD
    A[Local Client] --> B{SSH Connection Request}
    B --> C[Remote Server]
    C --> D{Server Checks `authorized_keys`}
    D -- Public Key Found --> E{Server Challenges Client}
    E --> F[Client Uses Private Key]
    F -- Private Key is Passphrase Protected --> G{Client Prompts for Passphrase}
    G -- Correct Passphrase --> H[Client Authenticates to Server]
    H --> I[Login Successful]
    G -- Incorrect Passphrase --> J[Authentication Failed]
    D -- No Public Key / Mismatch --> J
SSH Authentication Flow with Passphrase-Protected Key
Generating an SSH Key Pair with a Passphrase
The first step is to generate an SSH key pair. It's crucial to add a strong passphrase during this process. If you already have a key without a passphrase, you can add one later. We recommend using the ed25519 algorithm for new keys due to its strong security properties and smaller key size.
ssh-keygen -t ed25519 -C "your_email@example.com"
# When prompted, enter a strong passphrase:
# Enter passphrase (empty for no passphrase): [your_strong_passphrase]
# Enter same passphrase again: [your_strong_passphrase]
Generating an ED25519 SSH key pair with a passphrase
Deploying Your Public Key to the Remote Server
Once your key pair is generated, you need to copy the public key (id_ed25519.pub by default) to the remote server. The ssh-copy-id utility is the easiest and most recommended way to do this, as it handles permissions correctly.
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote_host
# You will be prompted for the remote_host's password (not your key's passphrase) initially.
Copying your public key to the remote server
If ssh-copy-id is not available or you prefer to do it manually, you can use scp or simply copy-paste the content of your public key file into the ~/.ssh/authorized_keys file on the remote server. Ensure the ~/.ssh directory has permissions 700 and ~/.ssh/authorized_keys has 600.
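The manual deployment described above, written out as two small shell functions. This is an added example, not code from the original article: it appends a public key line to authorized_keys exactly once and then checks that the directory and file carry the 700 and 600 modes the article calls for. It assumes only a POSIX shell with ls, grep, cut and chmod; the directory path and key line are parameters, and the key line used in any test is a constructed placeholder, not a real key.

```shell
# Added example (not from the original article). Paths and key material are
# supplied by the caller; nothing here talks to a remote host.

# install_pubkey <ssh_dir> <pubkey_line>
# Appends the key line once (no duplicates) and sets 700 on the directory and
# 600 on authorized_keys, mirroring what ssh-copy-id does for you.
install_pubkey() {
    ssh_dir=$1
    pubkey=$2
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    auth="$ssh_dir/authorized_keys"
    touch "$auth"
    # -F fixed string, -x whole line, -q quiet: skip if already present
    if ! grep -qxF -- "$pubkey" "$auth"; then
        printf '%s\n' "$pubkey" >> "$auth"
    fi
    chmod 600 "$auth"
}

# check_ssh_perms <ssh_dir>
# Returns 0 when the directory is mode 700 and authorized_keys is mode 600.
# The symbolic mode column of ls is used because its first ten characters are
# the same on GNU and BSD systems (a trailing '+' or '.' for ACLs is ignored).
check_ssh_perms() {
    ssh_dir=$1
    dir_mode=$(ls -ld "$ssh_dir" | cut -c1-10)
    file_mode=$(ls -l "$ssh_dir/authorized_keys" | cut -c1-10)
    [ "$dir_mode" = "drwx------" ] || { echo "bad mode on $ssh_dir: $dir_mode" >&2; return 1; }
    [ "$file_mode" = "-rw-------" ] || { echo "bad mode on authorized_keys: $file_mode" >&2; return 1; }
    return 0
}

# Usage on the server, with the key line pasted from your local id_ed25519.pub:
#   install_pubkey "$HOME/.ssh" "ssh-ed25519 AAAA... your_email@example.com"
#   check_ssh_perms "$HOME/.ssh"
```

sshd applies the same permission rule in its StrictModes check: a group- or world-writable ~/.ssh or authorized_keys makes the key silently unusable, which is the most common reason a manually copied key "does not work" while a password still does. Running check_ssh_perms before you disable PasswordAuthentication catches that case.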
Configuring the SSH Server (Optional but Recommended)
To ensure that public key authentication is enabled and password authentication is disabled (after you've confirmed key-based login works), you can modify the SSH server configuration file (/etc/ssh/sshd_config). This enhances security by preventing password-only brute-force attacks.
# On the remote server, edit /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
# Ensure these lines are uncommented and set as follows:
# PubkeyAuthentication yes
# PasswordAuthentication no
# ChallengeResponseAuthentication no
# UsePAM no
# After making changes, restart the SSH service:
sudo systemctl restart sshd
SSH server configuration for key-based authentication
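A way to verify the four settings above before restarting the service. This is an added example, not part of the original article or of OpenSSH: it reads the effective value of each keyword from a config file and compares it with the values listed above. It assumes a POSIX shell with awk and that keywords and values are separated by whitespace (the common sshd_config form); the config path is a parameter, and any config used in a test is constructed.

```shell
# Added example (not from the original article). Audits an sshd_config file
# against the settings the article lists.

# sshd_setting <config_file> <keyword>
# Prints the effective value of a keyword. sshd uses the FIRST value it finds
# for a keyword, so a later duplicate does not override an earlier one, and
# keywords are case-insensitive. Lines inside a Match block only apply
# conditionally, so they are skipped here.
sshd_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                   # comment line
        /^[[:space:]]*$/ { next }                   # blank line
        tolower($1) == "match" { in_match = 1 }     # conditional section starts
        in_match { next }
        tolower($1) == key && !found { print $2; found = 1 }
    ' "$1"
}

# audit_sshd_config <config_file>
# Returns 0 only if every setting below has the expected effective value;
# otherwise reports each mismatch and returns 1.
audit_sshd_config() {
    cfg=$1
    status=0
    for pair in PubkeyAuthentication:yes PasswordAuthentication:no \
                ChallengeResponseAuthentication:no UsePAM:no; do
        key=${pair%%:*}
        want=${pair#*:}
        got=$(sshd_setting "$cfg" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key: expected '$want', effective '${got:-<unset, default applies>}'" >&2
            status=1
        fi
    done
    return $status
}

# Usage on the server:
#   audit_sshd_config /etc/ssh/sshd_config && sudo sshd -t && sudo systemctl restart sshd
```

The audit only reads the main file; if your distribution includes a conf.d directory, check those fragments too. On the server itself, `sudo sshd -T` prints the full effective configuration sshd would actually load, and `sudo sshd -t` validates the syntax, so run both before the restart rather than discovering a typo after the old daemon is gone.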
Before disabling PasswordAuthentication, ensure you can successfully log in using your public key and passphrase. If you disable it prematurely and your key setup is incorrect, you might lock yourself out of the server.
Logging In with Your Key and Passphrase
Now, when you attempt to log in to the remote server, SSH will use your private key for authentication. Since your private key is protected by a passphrase, you will be prompted to enter it.
ssh user@remote_host
# You will be prompted:
# Enter passphrase for key '/home/your_user/.ssh/id_ed25519': [your_strong_passphrase]
Logging in using SSH with a passphrase-protected key
You can use ssh-agent to temporarily store your decrypted private key in memory. This is especially useful for frequent connections or automated scripts. Use ssh-add to add your key to the agent.
1. Generate Key Pair
Use ssh-keygen -t ed25519 -C "your_email@example.com" and provide a strong passphrase when prompted.
2. Copy Public Key
Deploy your public key to the remote server using ssh-copy-id user@remote_host.
3. Verify Login
Attempt to log in with ssh user@remote_host. You should be prompted for your key's passphrase.
4. Harden Server (Optional)
Edit /etc/ssh/sshd_config on the remote server to disable PasswordAuthentication and restart sshd.