SSH Checklist
SSH Key Setup Checklist
- Generate SSH Key Pair
  - Ensure that you have generated an SSH key pair on the client machine (system a).
    - Run the following command and check for the existence of `~/.ssh/id_rsa` (private key) and `~/.ssh/id_rsa.pub` (public key):
      ```bash
      ls -l ~/.ssh/id_rsa ~/.ssh/id_rsa.pub
      ```
    - If the keys do not exist, generate them using:
      ```bash
      ssh-keygen -t rsa -b 4096
      ```
    - Ensure the keys have appropriate permissions (600 for private and 644 for public keys):
      ```bash
      chmod 600 ~/.ssh/id_rsa
      chmod 644 ~/.ssh/id_rsa.pub
      ```
- Copy Public Key to Remote Server
  - Ensure that the public key has been copied to system b and appended to the `~/.ssh/authorized_keys` file.
    - Use the `ssh-copy-id` command to copy the key:
      ```bash
      ssh-copy-id username@system_b
      ```
    - Alternatively, you can manually copy the contents of `~/.ssh/id_rsa.pub` to `~/.ssh/authorized_keys` on system b.
  - Verify that the `authorized_keys` file has the correct permissions:
    ```bash
    chmod 600 ~/.ssh/authorized_keys
    ```
  - Make sure the `.ssh` directory has the correct permissions:
    ```bash
    chmod 700 ~/.ssh
    ```
- Check SSH Daemon Configuration on Remote Server
  - Ensure the SSH daemon is configured to allow key-based authentication. Check `/etc/ssh/sshd_config` on system b for the following settings:
    - `PubkeyAuthentication yes`
    - `AuthorizedKeysFile .ssh/authorized_keys`
    - `PasswordAuthentication no` (optional, for enforcing key-based auth only)
  - Restart the SSH daemon to apply changes:
    ```bash
    sudo systemctl restart sshd
    ```
- Verify Ownership and Permissions
  - Check ownership and permissions of the user's home directory on system b:
    - Ensure that the home directory and `.ssh` directory are owned by the user and have appropriate permissions:
      ```bash
      chown -R username:username /home/username
      chmod 700 /home/username/.ssh
      ```
- Ensure Correct SSH Command Usage
  - Use the correct username and hostname when attempting to SSH into system b:
    ```bash
    ssh username@system_b
    ```
  - If using a non-standard SSH port, specify it using the `-p` option:
    ```bash
    ssh -p <port_number> username@system_b
    ```
- Check SSH Agent (Optional)
  - Ensure that the SSH agent is running and the key is added to it, especially if using `ssh-agent` for key management:
    ```bash
    eval "$(ssh-agent -s)"
    ssh-add ~/.ssh/id_rsa
    ```
  - Verify the keys added to the agent:
    ```bash
    ssh-add -l
    ```
- Review SSH Debugging Output
  - Use the `-v` option with the SSH command to enable verbose mode, which can provide detailed debugging information:
    ```bash
    ssh -v username@system_b
    ```
  - Look for lines indicating whether the key is being offered and any errors that may indicate why the key is being rejected.
- Network Issues
  - Ensure there are no network issues preventing the connection. Check that system b is reachable via the network.
  - Verify that the firewall on system b is allowing incoming SSH connections on the specified port.
- SELinux and AppArmor (Linux Specific)
  - If system b uses SELinux, ensure it is not blocking SSH connections:
    ```bash
    sudo setenforce 0  # Temporarily disable for testing
    ```
    Return SELinux to enforcing mode once the test is done.
  - If using AppArmor, check that it allows SSHD to read the `authorized_keys` file.
- Check for Multiple Keys (Optional)
  - If multiple keys are present, specify the exact key to use:
    ```bash
    ssh -i ~/.ssh/id_rsa username@system_b
    ```

By following this checklist, you should be able to identify and resolve most issues preventing SSH key-based authentication. If problems persist, examining the verbose output from the SSH command can provide further clues.
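
The mode and ownership items in this checklist can be verified in one pass instead of file by file. The script below is an added example, not part of the original checklist; the function names `audit_ssh_perms`, `mode_of` and `owner_of` are hypothetical, and it assumes the default `id_rsa` key names used above.

```bash
#!/usr/bin/env bash
# Added example: audit the modes and ownership this checklist asks for.
# Usage (after sourcing this file): audit_ssh_perms /home/username
# Exit status = number of findings (0 means every present file passed).

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of()  { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
# Print the owning user name of a path.
owner_of() { stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"; }

audit_ssh_perms() {
    local home="${1:-$HOME}" findings=0 entry path want got owner
    [ -d "$home" ] || { echo "ERROR $home is not a directory"; return 64; }
    # Every file is expected to belong to the owner of the home directory.
    owner="$(owner_of "$home")"
    # Each entry is "path relative to home:mode the checklist expects".
    for entry in ".ssh:700" ".ssh/authorized_keys:600" \
                 ".ssh/id_rsa:600" ".ssh/id_rsa.pub:644"; do
        path="$home/${entry%%:*}"
        want="${entry##*:}"
        # Key files live on the client, authorized_keys on the server,
        # so a missing file is reported but not counted as a finding.
        if [ ! -e "$path" ]; then
            echo "SKIP  $path (not present)"
            continue
        fi
        got="$(mode_of "$path")"
        if [ "$got" != "$want" ]; then
            echo "FAIL  $path mode $got, expected $want"
            findings=$((findings + 1))
        elif [ "$(owner_of "$path")" != "$owner" ]; then
            echo "FAIL  $path not owned by $owner"
            findings=$((findings + 1))
        else
            echo "OK    $path"
        fi
    done
    return "$findings"
}
```

Run it on both machines: on system a it covers the key pair, on system b it covers `.ssh` and `authorized_keys`.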
