ubuntu authorized_keys

Public key authentication is the standard SSH authentication method these days, primarily due to its security and usability benefits. It uses a key pair – a private key kept by the client, and a public key distributed to remote servers.

There are various ways to add the public keys to the ~/.ssh/authorized_keys file (the default storage location) on the server. We’ll cover how you can generate, add, and configure these keys in this article.

How Do Authorized Keys Work

When you try to log in to a server that has your public key, it issues a challenge made with your public key. Your machine decodes it using the private key and sends an appropriate response. After successfully authenticating, the connection is established.

The private key on the client machine is also called the identity key, while the public keys on the servers are called authorized keys. These cryptographic keys are considerably more secure compared to plaintext passwords. They’re pretty convenient too as you only need to authenticate once.

Of course, you need to get your public key onto the servers first to reap these benefits. Depending on the scenario, there are various ways to do this.

Ways to Add Keys to Authorized_Keys

Before you start, generate the SSH key pair on the client machine if you haven’t already done so.

ssh-keygen -t rsa -b 4096

This’ll create a 4096-bit RSA key pair. It’ll be saved to the ~/.ssh/id_rsa (private) and ~/.ssh/id_rsa.pub (public) files by default.

Using ssh-copy-id

The ssh-copy-id script uses SSH to log you into the server with a password, then appends the public key from ~/.ssh/id_rsa.pub to the ~/.ssh/authorized_keys file.

ssh-copy-id user@remoteserver

If the public key was saved in a different file, you can specify the filename with the -i flag. Similarly, if the server is listening on a custom port, you can specify it with the -p flag.

ssh-copy-id -i ~/.ssh/mypublickey.pub -p 2521 user@remoteserver

Copying the Key via SSH

If you have password-based SSH access to the server but can’t use the ssh-copy-id script for whatever reason, then you can use the following one-liner to accomplish the same result.

cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"

We’re reading the public key from the id_rsa.pub file, then logging into the remote server with SSH. On the server, we’re creating the ~/.ssh directory and the authorized_keys file if they don’t exist yet, and removing all group and other permissions from the ~/.ssh directory (chmod -R go=).

Finally, we’re piping the output of cat and appending it to the authorized_keys file. Basically, we’re performing each step of the ssh-copy-id script manually.

Copying the Key Offline

If you currently don’t have SSH access to the server, you can copy the id_rsa.pub file to a USB stick. Directly connect this USB to the server and navigate to the directory containing the file in the terminal.

Create the ~/.ssh directory and the authorized_keys file if they don’t exist yet.  

mkdir -p ~/.ssh/
touch ~/.ssh/authorized_keys

Now, append the public key to the authorized_keys file like so:

cat id_rsa.pub >> ~/.ssh/authorized_keys
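
Both the one-liner and the manual append above add the key again on every run, and appending to a file that lacks a trailing newline merges two keys into one unusable line. The following is an added example, not part of the original article, that handles both cases and goes slightly further by refusing private key files. The function name add_authorized_key and its optional second argument are assumptions made for illustration, and only RSA, Ed25519 and ECDSA key types are recognized.

```sh
#!/bin/sh
# Added example: install a public key into authorized_keys safely and idempotently.
# add_authorized_key is a hypothetical helper; SSH_DIR is overridable for testing.
# Usage: add_authorized_key PUBKEY_FILE [SSH_DIR]
add_authorized_key() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }
    # Never install a private key by mistake (id_rsa instead of id_rsa.pub).
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub is a private key" >&2; return 2
    fi
    # Accept one line of the form "<type> <base64> [comment]".
    key=$(grep -E '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+( .*)?$' "$pub" | head -n 1)
    [ -n "$key" ] || { echo "no public key line in $pub" >&2; return 2; }

    # Same modes the article uses: 700 on the directory, 600 on the file.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Match on "<type> <base64>" only, so a changed comment or an options
    # prefix on an existing line does not cause a duplicate entry.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v b="$blob" '{ for (i = 1; i < NF; i++) if ($i " " $(i+1) == b) hit = 1 }
                         END { exit !hit }' "$auth"; then
        echo "key already present in $auth"; return 0
    fi
    # A file without a trailing newline would glue the new key onto the
    # last line and invalidate both entries; terminate it first.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        printf '\n' >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}
```

On the server, run it as add_authorized_key id_rsa.pub from the directory containing the copied file.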

Authenticating with SSH Keys

After adding the public key to the authorized_keys file, you should be able to connect without needing your password.

ssh user@remoteserver

If you encounter a connection refused error, the SSH server is likely misconfigured. Open the sshd_config file on the server with an editor. We’ll use nano.

sudo nano /etc/ssh/sshd_config

Ensure the PubkeyAuthentication directive is uncommented and set to yes.

If you encounter a permission denied error instead, set the correct permissions for the ~/.ssh directory and ~/.ssh/authorized_keys file like so:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

Eventually, you should be able to connect using the SSH keys. At that point, I recommend editing the sshd_config file again to make some optional changes.

First, you could disable PasswordAuthentication as it’s not secure.

Second, you could change the AuthorizedKeysFile as the default file is not secure. You could use something like /etc/ssh/keys/authorized_keys.

Anup Thapa

Senior Writer
