RHEL7: Configure SSH key-based authentication.

Share this link

Note: This is an RHCSA 7 exam objective and an RHCE 7 exam objective.


Instead of connecting through login/password to a remote host, SSH allows you to use key-based authentication. To set up key-based authentication, you need two virtual/physical servers that we will call server1 and server2.

Configuration Procedure

On the server1, create a user user01 with password user01:

# useradd user01
# passwd user01
Changing password for user user01.
New password: your password
Retype new password: your password
passwd: all authentication tokens updated successfully.

On the server2, create the same user with password user01:

# useradd user01
# passwd user01
Changing password for user user01.
New password: your password
Retype new password: your password
passwd: all authentication tokens updated successfully.

On the server1, connect as this new user:

# su - user01

Generate a private/public pair for key-based authentication (here rsa key with 2048 bits and no passphrase):

[user01@server1 ~]$ ssh-keygen -b 2048 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user01/.ssh/id_rsa): return
Created directory '/home/user01/.ssh'.
Enter passphrase (empty for no passphrase): return
Enter same passphrase again: return
Your identification has been saved in /home/user01/.ssh/id_rsa.
Your public key has been saved in /home/user01/.ssh/id_rsa.pub.
The key fingerprint is:
6d:ac:45:32:34:ac:da:4a:3b:4e:f2:83:85:84:5f:d8 user01@server1.example.com
The key's randomart image is:
+--[ RSA 2048]----+
|       .o        |
|       ...       |
| . o   .o .      |
|. o E .  *       |
| o o o  S =      |
|  o + .  +       |
|  .+.o  .        |
|  .+=            |
|   .oo           |

Still on server1, copy the public key to server2.

[user01@server1 ~]$ ssh-copy-id -i .ssh/id_rsa.pub user01@server2.example.com
The authenticity of host 'server2.example.com (' can't be established.
ECDSA key fingerprint is 67:79:67:88:7f:da:31:49:7b:dd:ed:40:af:ae:b6:ae.
Are you sure you want to continue connecting (yes/no)? yes
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user01@server2.example.com's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'user01@server2.example.com'"
and check to make sure that only the key(s) you wanted were added.

On the server2, edit the /etc/ssh/sshd_config file and set the following options:

PasswordAuthentication no
PubkeyAuthentication yes

Note: Don’t hesitate to set up a virtual console access on server2, this will avoid re-installing the physical/virtual server if something goes wrong.

Restart the sshd service:

# systemctl restart sshd

Testing Time

On the server1 as user01, connect to the server2:

[user01@server1 ~]$ ssh server2.example.com

Note1: This configuration can also be done for the root account.
Note2: Use -v, -vv, or -vvv options to get some debug information.

Additional Resources

Bob Cromwell wrote a series of articles about setting up SSH keys for easier and more secure authentication, setting up a SSH key-agent, easily maintaining multiples websites with SSH and ways to manage your SSH keys and identities.

Beyond the exam objectives, Scott Lowe explains how to build a bastion SSH.

1 Star2 Stars3 Stars4 Stars5 Stars (12 votes, average: 4.83 out of 5)
10 comments on “RHEL7: Configure SSH key-based authentication.
  1. wzjordan says:

    Thank you, this is the best guide I’ve seen for this task. I’ll be using this site more in the future to prepare for my RHCSA.

  2. redhat0329 says:

    Hi CertDepot,

    I think it is also advisable to set the “PermitRootLogin” to “no” on server2 based on your example? Don’t know if this is a good idea and if I will do this on the exam.

    • CertDepot says:

      The PermitRootLogin no directive is mainly necessary if you don’t use key-based authentication. If you use key-based authentication, you can set it or not, there is no strict requirement.
      Also, if you use a configuration management tool like Ansible, you will have to allow Ansible to connect as root on your servers to apply the needed changes, and you will not be able to use the PermitRootLogin no directive anymore.
      During the exam, I don’t think wasting time with this directive will be useful.

  3. alexritm says:

    I cannot ssh-copy-id for user created on IPA server (ipa user-add). I cant even log in via SSH under this user. For local users it works.
    Is it a problem in terms of the exam? Should I dig into it?

  4. alexritm says:

    Is it necessary to know SSH agent configuration steps?

  5. ercole1977 says:

    I ask to anyone who took the exam: I would like to know if during the exam I will be allowed to ssh from the host to the exam VM to perform task, instead of being forced to use the raw console (no copy and past for example…). It would be useful to know also if I will be allowed, for simplicity, to ssh-copy-id from host to vm so I won’t have to login with password (better time management!)
    Thank you very much

    • Sam says:

      The answer is most likely, however if this is not the case, you need to be able to install /configure the service. Take note of any exam questions about what IP or address should access the services.

Leave a Reply

RHCSA7: Task of the day

Allowed time: 5 minutes.
Add 100MB of swap space to the machine using a new logical volume.

RHCE7: Task of the day

Allowed time: 10 minutes.
Set up a caching-only DNS server to forward DNS queries.

Follow me on Twitter

Poll for favorite RHEL 7 book

What is your favorite RHEL 7 book to prepare RHCSA & RHCE exams?

View Results

Loading ... Loading ...

Poll for most difficult RHCSA 7 topic

What do you think is the most difficult RHCSA 7 topic?

View Results

Loading ... Loading ...

Poll for most difficult RHCE 7 topic

What do you think is the most difficult RHCE 7 topic?

View Results

Loading ... Loading ...