OpenSSH public key authentication

0.00 avg. rating (0% score) - 0 votes

First, create a key-pair with ssh-keygen. This is a one-time operation.

It is good practice to enter a good password, but you may also leave the password empty. That will leave your private key vulnerable to local attacks, but if you need to login somewhere from a cron job, you probably need to do that.

For interactive logins, it is better to use ssh-agent.

Copy your public key to the server

Newer distributions have the ssh-copy-id command, which makes copying your key as easy as:

If you don’t have ssh-copy-id, you must manually append your public key to the “.ssh/authorized_keys” file under your home directory on the remote host. This does just that:

Server side sshd configuration

This is what you need in “/etc/ssh/sshd_config” for public key authentication to work in the first place:

A restart is required if you changed anything.

Allowing root to log in with RSA/DSA keys

To enable public key authentication as root, the “PermitRootLogin” configuration setting must not be set to “no”. In other words, it should either be set to:

or the way I prefer it:

The latter form will disallow root login with a password, but allow it with a key. Makes brute force root password guessing impossible.

Slow authentication

If login takes a long time (more than about 5 seconds), make sure ssh does not try to make a reverse lookup for the remote host IP address. You will not detect this unless you yank the “LogLevel” to “Debug” and restart ssh. After that, you will see messages like this while the client is waiting for login:

There are two things that may cause the reverse lookups. The first is a configuration file option in “/etc/ssh/sshd_config” called “VerifyReverseMapping”. It should be set to “no”:

That is also the default setting, so it is less likely to be the real reason for reverse lookups. The following one is the more likely one.

The second thing that may cause OpenSSH to do reverse lookups is that by default it will try to store the remote hostname in utmp. To disable this, it needs the option “-u0” on the command line.

On Red Hat(ish) systems you can do this easily by adding the following option to the “/etc/sysconfig/sshd” file:

On Ubuntu, add this to “/etc/default/ssh”:

Restart sshd, and you will have a faster login. This setting will also speed up logins when the reverse lookups do work, because they will in any case slow down the authentication process.

One thought on “OpenSSH public key authentication”

  1. One thing I’ve noticed that might slow down SSH connection is the option UseDNS on sshd_config. By default it is on, by turning off it has resolved some slowness problems.. might be linked to that reverse mapping thing though 🙂

Leave a Reply