These are instructions adapted from other sources to work with openSUSE Tumbleweed and Leap and recently updated with the latest (as of 2024) releases.
This is a quick how to on setting up computers with pre-shared keys. This is for added security when accessing machines remotely over Secure Shell. For me, this is mostly for convenience, at least, the way I am setting it up.
A pre-shared key setup allows you to login to Secure Shell Login (SSH) to a server without the need for a password. Optionally, you can use this to allow access only to those users who can display the valid key to the server. This is generally considered the most secure way to use SSH to access remote machines.
Create your Public and Private Key Pair
Begin at the client machine from which you do your work. Open a terminal and enter this:
ssh-keygen -t rsa
If you want a passphrase along with the pre-shared key do so when prompted. If you do not want a passphrase, just press enter.
Warning: If you do not passphrase-protect your key than anyone gaining access to your client machine will automatically have access to the remote machine with this key.
This will create two files in your ~/.ssh directory:
id_rsa
id_rsa.pub
id_rsa is your private key. This one stays on your client machine.
id_rsa.pub is your public key. This key you copy to the server(s).
Copy the Public Key to Your Server(s)
Now you need to add the public key to the server or servers that you want to be able to access using the pre-shared keys. The format for this is:
ssh-copy-id user@hostname
For this example, replace “user” with the targeted user name and “hostname” with the actual hostname (or IP address) of the target system. This example is using ssh-copy-id to transfer the files and uses the same authentication as SSH.
ssh-copy-id cubiclenate@laptop
ssh-copy-id will Now login to the target server using SSH and add it to the authorized_keys list:
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/cubiclenate/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Note: This will check to see if the key exists on the destination machine and if you do you will see this error:
/usr/bin/ssh-copy-id: WARNING: All keys were skipped because they already exist on the remote system.
(if you think this is a mistake, you may want to use -f option)
If you believe that this message is an error, just add -f after the command to force the key to copy.
Give it a Test Run
Now you should be able to log into the server and if you didn’t enter a passphrase for the shared key, you won’t be prompted for a password. SSH no longer offers keys automatically so you will have to explicitly define what key it is you want to connect with the host.
ssh cubiclenate@hostname
Now you will not have to type your password when you log in.
Make it More Secure
Optionally, once you’ve checked you can successfully login to the server using your public/private key pair, you can disable password authentication altogether by creating a rule in the sshd_config.d folder:
echo "PasswordAuthentication no" > /etc/ssh/sshd_config.d/password_auth_config
The name “password_auth_config” can be named whatever you like. There used to be a file under /etc/ssh/ with the name “sshd_config” that would have the options but now you can basically put whatever you want in the new folder. This is probably to preserve settings desired by the system administrator, regardless of updates.
This configuration is considered secure and recommended for production or personal, Internet-facing servers. You must determine whether or not you will always login from a machine where your private key is present.
Final Thoughts
Pre-shared key is a very convenient way to manage your home systems, I use this method, primarily out of convenience and ease for automating other processes. Added convenience and security is most certainly a good thing.