How-To: SSH via Public Key Authentication PKA


This page provides instructions on how to setup public key authentication (PKA) or public key infrastructure (PKI) to allow SSH to a remote host using authentication using a private/public key pair, also known as passwordless login. These instructions have been tested in the following scenarios: 

  • macOS (local client) to RHEL (remote server)
  • RHEL (local client) to RHEL (remote server)

Some important points

  • Each local home directory in a client only need one key pair generated.  This key pair can be used for multiple servers.
  • If all the servers mount a central network home you only need to exchange key with one server; only one exchange per server home directory.
  • If you have multiple server accounts you will have to add the key to each account’s authorized_keys file.
  • Each client requires an exchange and if you have multiple local accounts that you ssh from per client, each local account need to have the exchange done.

KEY GENERATION - Generate a Public/Private Key Pair on the local client machine:

Open a Terminal window on your local machine and type the following:

ssh-keygen -b 4096 -t rsa

This will generate the public/private rsa key pair. You will be prompted on where to save the key; the default location (/Users/<username>/.ssh/) is fine, so you can just hit " Enter ".
You will be prompted "Enter passphrase (empty for no passphrase)." If your goal is to SSH into machines without having to type in your password, leave this field blank and hit " Enter ".
You will be prompted to enter the same passphrase again. Hit " Enter ".

You will receive the following confirmation:
Your identification has been saved in ~/.ssh/id_rsa.  This is your private key for your local machine. Guard this key by making sure only your account has access to it 

chmod 600 ~/.ssh/id_rsa

Your public key has been saved in ~/.ssh/

KEY EXCHANGE - Transfer the Public Key to Remote Server

You now need to copy your public key to the machines that you want to SSH to. You must copy the public key to each remote machine.

  1. SSH to the remote machine: 

    ssh <username>@<remotemachine>
  2. Then confirm the remote machine has a ".ssh" folder in your account's home directory: 

    ls -la ~
  3. If it does not, create the .ssh folder: 

    mkdir ~/.ssh
  4. Now copy your local public key to the home directory of the remote server.  Repeat for each account: 

    scp ~/.ssh/ <username>@<remotemachine>:~/.ssh/<localmachinename>.pub

    where <localmachinename> will help identify the source of the public key. 

  5. Add the <localmachinename>.pub file you just copied over to a file named "authorized_keys": 

    cat ~/.ssh/<localmachinename>.pub >> ~/.ssh/authorized_keys
  6. Make sure that directory and it's files are only accessible by your account: 

    chmod 700 ~/.ssh
    chmod go-rwx ~/.ssh/*
  7. Back on the local machine, test SSH:

    ssh <username>@<remotemachine>

    which should result in a login without a password. 

  8. Repeat for every remote machine that does not have a centralized network home directory.