10. Manage Security
Red Hat Certified System Administrator (RHCSA - EX200)
1. What is SSH Key-Based Authentication?
SSH key-based authentication is a secure way to log in to a remote system without using a password.
Instead of typing a password:
- You use a pair of cryptographic keys
- Private key → kept on the client machine (must be secret)
- Public key → stored on the remote server
When connecting:
- The server checks that the client holds the private key matching a public key it has stored for that user (the private key itself is never sent)
- If it matches → access is granted
2. Why Use Key-Based Authentication?
In an IT environment, this method is widely used because:
- More secure than passwords
- Resists password brute-force attacks
- Enables automated logins (scripts, backups, automation tools)
- Used for managing multiple servers securely
3. Key Pair Components
Private Key
- Stored on the client system
- Must be protected
- Usually located in:
~/.ssh/id_rsa
Public Key
- Copied to the remote server
- Stored in:
~/.ssh/authorized_keys
4. Generate SSH Key Pair
Use the ssh-keygen command on the client system:
ssh-keygen
Default behavior:
- Saves keys in:
~/.ssh/id_rsa (private key)
~/.ssh/id_rsa.pub (public key)
Example:
ssh-keygen -t rsa -b 2048
Options:
-t rsa → key type
-b 2048 → key size
You may be asked:
- File location → press Enter for default
- Passphrase → optional (adds extra security)
5. Copy Public Key to Remote Server
Method 1 (Recommended): ssh-copy-id
ssh-copy-id user@remote_host
This:
- Copies the public key
- Creates the .ssh directory if needed
- Sets correct permissions
Method 2 (Manual Method)
- Display public key:
cat ~/.ssh/id_rsa.pub
- On remote server:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
- Add key:
vi ~/.ssh/authorized_keys
Paste the public key.
- Set permissions:
chmod 600 ~/.ssh/authorized_keys
6. Test Key-Based Login
From client:
ssh user@remote_host
Expected result:
- No password prompt (or only passphrase if set)
7. SSH Server Configuration
Main configuration file:
/etc/ssh/sshd_config
Important settings:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
To disable password login (more secure; do this only after key-based login has been tested, otherwise you can lock yourself out):
PasswordAuthentication no
8. Apply Configuration Changes
After editing:
systemctl restart sshd
Or:
systemctl reload sshd
9. File and Directory Permissions (VERY IMPORTANT FOR EXAM)
SSH is strict about permissions.
On Remote Server:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
On Client:
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
If permissions are wrong → SSH will refuse authentication.
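A quick way to audit these modes before testing a login, as an added example that is not part of the original notes. The function name check_ssh_perms and its message format are hypothetical, and it assumes GNU stat as shipped on RHEL; it flags any path that has permission bits beyond the mode listed above.

```sh
#!/bin/sh
# Added example: check_ssh_perms and its message format are hypothetical,
# not part of OpenSSH. Needs GNU stat (coreutils, as shipped on RHEL).

# Usage: check_ssh_perms [DIR]   (DIR defaults to ~/.ssh)
# Prints one line per path that has permission bits beyond the mode listed
# in this section; exit status is 1 if any were found, 0 otherwise.
check_ssh_perms() (
    dir="${1:-$HOME/.ssh}"
    rc=0
    # name:mode pairs from this section; the empty name is the directory itself
    for entry in ":700" "authorized_keys:600" "id_rsa:600" "id_rsa.pub:644"; do
        name="${entry%%:*}"
        allowed="${entry##*:}"
        path="$dir${name:+/$name}"
        # A client may have no authorized_keys and a server no id_rsa: skip
        [ -e "$path" ] || continue
        have="$(stat -c '%a' "$path")"
        # Octal arithmetic: keep only rwx bits that the allowed mode lacks
        extra=$(( 0$have & ~0$allowed & 0777 ))
        if [ "$extra" -ne 0 ]; then
            echo "TOO OPEN $path mode=$have allowed=$allowed"
            rc=1
        fi
    done
    exit "$rc"
)
```

Run it with no argument on the client or the server; a tighter mode such as 400 on id_rsa is not reported, only extra bits are.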
10. Common Troubleshooting
1. Permission Issues
- Check:
ls -ld ~/.ssh
ls -l ~/.ssh
2. SSH Service Not Running
systemctl status sshd
3. Wrong Key Location
Check:
~/.ssh/authorized_keys
4. SELinux Issues
Restore correct context:
restorecon -Rv ~/.ssh
5. Debug SSH Connection
Run:
ssh -v user@remote_host
This shows detailed logs to identify problems.
11. SELinux Considerations
If SELinux is enabled:
- Correct contexts must be applied
- Use:
restorecon -Rv ~/.ssh
Do NOT disable SELinux for this task in the exam.
12. Key-Based Authentication Workflow
- Generate key pair (client)
- Copy public key (server)
- Ensure permissions are correct
- Configure SSH server if needed
- Test login
- Optionally disable password authentication
13. Automation Use Case (Important for Understanding)
In an IT environment:
- System administrators use key-based SSH for:
- Remote server management
- Automated backups
- Script execution across multiple systems
- Configuration management tools (like Ansible)
14. Exam Tips (VERY IMPORTANT)
- Always use:
ssh-keygen
ssh-copy-id
- Remember correct permissions:
.ssh → 700
authorized_keys → 600
- If login fails:
- Check permissions
- Check SELinux
- Check sshd_config
- Know how to:
- Enable/disable password authentication
- Restart sshd service
15. Summary
- SSH key-based authentication replaces passwords with keys
- Requires:
- Key pair generation
- Public key on server
- Proper permissions
- More secure and widely used in system administration
- Essential skill for RHCSA exam
