This week I had a really hard time getting public key authentication to work with my Ubuntu 12.04 server. Partly because I didn’t know what exactly I was doing but mostly because I didn’t know how to do it.
Several tutorials were helpful in explaining what to do but in the end I figured out how to go about it. So here’s how.
Generate a key pair
Download PuTTY and PuTTY Key Generator from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. Save them somewhere, no installation is necessary.
Execute puttygen.exe and click the Generate button.
Move the mouse around a bit.
Enter your e-mail address in the “Key comment” field.
Copy ALL text under “Public key for pasting into OpenSSH authorized_keys file”. Include “ssh-rsa” and the e-mail address.
In the “Key passphrase” field, enter a strong passphrase.
Press “Save public key” and save the file where you can find it. The extension of this file doesn’t matter.
Press “Save private key” and save the file in a location only accessible to you. If you lose the file you might lock yourself out of your server. The extension of this file needs to be .ppk.
Tie the key to a PuTTY profile
Now close PuTTY Key Generator and start PuTTY.
Under “Host Name (or IP address)” enter the name or the IP address of your server and under “Saved Sessions” enter the name of the profile you’re creating (e.g. “My Server” – in this case my server is called ubuserv06).
In the options tree on the left side choose Connection > SSH > Auth.
Press “Browse” and select the private key you saved earlier.
Go back to Session and press “Save”.
Press “Load” and log in to your server through regular password authentication. Don’t mind the key error just yet, we still need to configure that.
You can also have PuTTY remember your username by entering it under Connection > Data > Auto-login username.
Edit the ssh settings on your server
Log on as your regular user (not root) and create a file ~/.ssh/authorized_keys.
In that file, paste the string you copied from PuTTY Key Generator on one single line. Note that “Save public key” in PuTTY Key Generator writes the key to a file with the key divided into multiple lines. Do not copy and paste from that file; paste the text exactly as it was shown just after generation in the “Public key for pasting into OpenSSH authorized_keys file” field.
Make the directory ~/.ssh readable for only you and remove the executable bit from the authorized_keys file:
$ chmod -R 700 ~/.ssh
$ chmod 600 ~/.ssh/authorized_keys
Edit /etc/ssh/sshd_config so it contains
Restart the SSH service:
$ sudo service ssh restart
Now try and see if you can log on via PuTTY with your private key. It should say something like:
Authenticating with public key "email@example.com"
Passphrase for key "firstname.lastname@example.org": _
If it doesn’t work, it would say
Server refused our key
In that case, see the Troubleshooting section.
- If you’re using encrypted home folders, store your authorized keys in a place that is accessible to the system before you log on, for example in /etc/ssh/.
- In Ubuntu 12.04 the ssh service is called ssh, not sshd.
- In the file ~/.ssh/authorized_keys each and every key must be on its own single line.
- Before you disable password logins in /etc/ssh/sshd_config, test if your key authentication works properly.
- PuTTY Key Generator saves the public key file with line breaks inside the key. Copying and pasting the contents of that file will not work.
If things don’t work, open up a second session to your server or log on locally and monitor ssh login attempts and their error messages in real time:
$ tail -f /var/log/auth.log
When you’re done monitoring, end it with Ctrl+C.
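When the server answers “Server refused our key”, the usual causes named above can be checked on the server in one pass. The script below is an added example, not part of the original post: check_authorized_keys is a hypothetical helper name, and its key-type pattern is a simplification that covers common key types only.

```shell
#!/bin/sh
# Added example (not from the original post): check an authorized_keys file
# for the mistakes described above. check_authorized_keys is a hypothetical
# helper name, not an OpenSSH tool.
check_authorized_keys() {
    file=${1:-$HOME/.ssh/authorized_keys}
    dir=$(dirname "$file")
    problems=0

    [ -f "$file" ] || { echo "missing: $file"; return 2; }

    # Compare against the modes set in this guide (700 directory, 600 file).
    [ -n "$(find "$dir" -prune -perm 700)" ] ||
        { echo "$dir: mode is not 700"; problems=$((problems + 1)); }
    [ -n "$(find "$file" -prune -perm 600)" ] ||
        { echo "$file: mode is not 600"; problems=$((problems + 1)); }

    # The file written by "Save public key" is a multi-line block that
    # starts with this marker; sshd does not read that format.
    if grep -q 'BEGIN SSH2 PUBLIC KEY' "$file"; then
        echo "$file: contains PuTTY's saved multi-line public key format"
        return 1
    fi

    # Every entry must be complete on one line: optional options, a key
    # type, the base64 blob, then an optional comment. The key-type list is
    # a simplification covering common types.
    pattern='(^|[[:space:]])(ssh-(rsa|dss|ed25519)|ecdsa-sha2-[a-z0-9-]+)[[:space:]]+[A-Za-z0-9+/]{20,}=*([[:space:]]|$)'
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case $line in '' | '#'*) continue ;; esac
        if ! printf '%s\n' "$line" | grep -Eq "$pattern"; then
            echo "$file:$lineno: not a complete key entry (wrapped key?)"
            problems=$((problems + 1))
        fi
    done < "$file"

    [ "$problems" -eq 0 ]
}

# Run against a file given on the command line, e.g. ~/.ssh/authorized_keys.
if [ "$#" -gt 0 ]; then check_authorized_keys "$1"; fi
```

The function returns 0 when nothing is wrong, 1 when it found a problem, and 2 when the file does not exist.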