If you manage Linux servers, securing SSH access is critical. One of the most effective ways to do this is by using public key authentication instead of relying just on passwords.

In this post, I’ll walk through my SSH server configuration and the steps I follow to authenticate a user with a public key.

Step 1: Configuring the SSH Server

The main SSH server configuration file is located at /etc/ssh/sshd_config. Below is the configuration I use, with explanations for the important settings:

  # System-wide SSH configuration file
  # (sshd_config does not accept a comment after a directive on the same line,
  # so each note sits on its own line above the setting it describes)
  Include /etc/ssh/sshd_config.d/*.conf

  # General security settings
  # Time allowed to complete a login
  LoginGraceTime 2m
  # Disable root login with a password (key-based root login is still allowed)
  PermitRootLogin prohibit-password
  StrictModes yes
  MaxAuthTries 4
  MaxSessions 10

  # Authentication settings
  # Enable public key authentication
  PubkeyAuthentication yes
  AuthorizedKeysFile .ssh/authorized_keys
  # Keep password authentication enabled for now (optional; see the tips below)
  PasswordAuthentication yes
  PermitEmptyPasswords no
  ChallengeResponseAuthentication no

  # Forwarding options
  AllowAgentForwarding yes
  AllowTcpForwarding no
  GatewayPorts no
  X11Forwarding no

  # SFTP subsystem
  Subsystem sftp internal-sftp

Key points:

  • PubkeyAuthentication yes ensures that users can log in using their public key.
  • AuthorizedKeysFile .ssh/authorized_keys tells SSH where to look for public keys.
  • PermitRootLogin prohibit-password prevents direct root login with a password, enhancing security.
  • Disabling ChallengeResponseAuthentication and certain forwarding options reduces attack vectors.

Once this file is configured, restart the SSH service to apply the changes:

  sudo systemctl restart sshd

Step 2: Adding Your Public Key for a User

After configuring the server, the next step is to set up the user account for public key authentication. Here’s the process:

  • Go to the user's home directory (run the following commands as that user):
  cd /home/user_name

  • Create the .ssh directory (if it doesn't already exist):
  mkdir -p .ssh
  cd .ssh

  • Create the authorized_keys file and add your public key:
  nano authorized_keys

Paste your public key into this file, save, and exit.

  • Set the correct permissions (this is crucial for security: with StrictModes yes, sshd ignores keys in a directory or file that other users can write to):
  chmod 700 ~/.ssh
  chmod 600 ~/.ssh/authorized_keys

  • Test the login from your client machine:
  ssh user_name@your_server_ip

If everything is set up correctly, you should be able to log in without entering a password.
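The Step 2 procedure above, collected into a small POSIX shell script, as an added example that is not part of the original post. It installs a key idempotently (the same key pasted twice does not produce two lines) and adds the check that sshd's StrictModes performs before restarting: the home directory must not be group- or world-writable, .ssh must be 700 and authorized_keys 600. The function names, the home directory passed as an argument and the sample public key (a constructed placeholder, not a real key) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: install a public key for a user and verify the permissions
# that StrictModes requires. Constructed sample key; the key blob is a placeholder.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYEXAMPLEKEYEXAMPLEKEYEXAMPLEKEY example@client'

# install_authorized_key HOME_DIR 'PUBKEY LINE'
# Creates HOME_DIR/.ssh (700) and authorized_keys (600) and appends the key
# only if that exact line is not already present.
install_authorized_key() {
  home="$1"; key="$2"
  ssh_dir="$home/.ssh"
  auth="$ssh_dir/authorized_keys"
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  touch "$auth"
  chmod 600 "$auth"
  # -F: fixed string, -x: whole line must match, -q: no output
  if ! grep -qxF -- "$key" "$auth"; then
    printf '%s\n' "$key" >> "$auth"
  fi
}

# has_mode PATH MODE: true when PATH's permission bits are exactly MODE (e.g. 700).
# find -prune evaluates the path itself without descending into it.
has_mode() {
  [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# check_ssh_dir HOME_DIR
# Prints one line per problem that would make sshd (StrictModes yes) ignore the
# key file, and returns the number of problems (0 = the key will be accepted).
check_ssh_dir() {
  home="$1"; ssh_dir="$home/.ssh"; auth="$ssh_dir/authorized_keys"; problems=0
  # group-writable (-020) or world-writable (-002) home directory
  if [ -n "$(find "$home" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]; then
    echo "$home is group- or world-writable"; problems=$((problems + 1))
  fi
  if ! has_mode "$ssh_dir" 700; then
    echo "$ssh_dir should be mode 700"; problems=$((problems + 1))
  fi
  if ! has_mode "$auth" 600; then
    echo "$auth should be mode 600"; problems=$((problems + 1))
  fi
  return "$problems"
}

# Stand-alone demo against a temporary home directory (never touches a real account).
demo_home=$(mktemp -d)/demo_user
mkdir -p "$demo_home" && chmod 755 "$demo_home"
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"
check_ssh_dir "$demo_home" && echo "key installed, permissions OK"
rm -rf "$(dirname "$demo_home")"
```

For a real account, call `install_authorized_key /home/user_name "$(cat id_ed25519.pub)"` as that user (or as root, followed by `chown -R user_name:user_name /home/user_name/.ssh`), then `check_ssh_dir /home/user_name` before testing the login; a non-zero return explains why a freshly pasted key is silently refused.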

Tips for Security and Maintenance

  • Keep your private key secure: Never share it or store it in unencrypted locations.
  • Disable password authentication (optional but recommended) once all users have their keys set up:
  PasswordAuthentication no
  
  • Use ssh-agent to manage your keys locally and avoid repeatedly entering the passphrase.

Notes About Security

This configuration is not the most secure setup possible, but it works well as a basic authentication method. For a home server or small environment, this setup is usually sufficient.

Advanced users can further harden their SSH server by customizing settings such as:

  • LoginGraceTime: shorten login timeout for additional security
  • MaxAuthTries: reduce the number of allowed authentication attempts
  • AllowAgentForwarding: disable if not needed
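To check that a server actually has the Step 1 settings and the hardening items from the two lists above, here is a read-only sshd_config audit as an added example that is not part of the original post. It reproduces two parsing rules that matter when reading the file by hand: keywords are case-insensitive and the first occurrence of a directive wins, and anything after the first Match line is conditional, so the audit stops there. The helper names (sshd_effective, sshd_audit), the sample configuration (constructed to mirror the post, with PasswordAuthentication still on) and the MaxAuthTries threshold of 4 are this example's own assumptions; the defaults it falls back on when a keyword is absent are OpenSSH's documented ones.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings recommended in the post.
# Constructed sample that mirrors the post's Step 1 configuration.
SAMPLE_SSHD_CONFIG='# System-wide SSH configuration file
LoginGraceTime 2m
PermitRootLogin prohibit-password
MaxAuthTries 4
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no'

# sshd_effective FILE KEYWORD
# Prints the value sshd uses for KEYWORD in the global section of FILE: matching
# is case-insensitive, the FIRST occurrence wins, and the first Match line ends
# the global section. Prints nothing when the keyword is absent. Include files and
# the Keyword=value spelling are not followed by this simple parser.
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { print $2; exit }
  ' "$1"
}

# sshd_audit FILE
# Prints one line per weak setting and returns the number of findings (0 = clean).
sshd_audit() {
  findings=0

  pw=$(sshd_effective "$1" PasswordAuthentication)          # default: yes
  if [ "${pw:-yes}" != "no" ]; then
    echo "PasswordAuthentication is '${pw:-yes (default)}': set it to 'no' once every user has a key"
    findings=$((findings + 1))
  fi

  root=$(sshd_effective "$1" PermitRootLogin)               # default: prohibit-password
  if [ "${root:-prohibit-password}" = "yes" ]; then
    echo "PermitRootLogin is 'yes': use 'prohibit-password' or 'no'"
    findings=$((findings + 1))
  fi

  pk=$(sshd_effective "$1" PubkeyAuthentication)            # default: yes
  if [ "${pk:-yes}" = "no" ]; then
    echo "PubkeyAuthentication is 'no': key-based login is disabled"
    findings=$((findings + 1))
  fi

  empty=$(sshd_effective "$1" PermitEmptyPasswords)         # default: no
  if [ "${empty:-no}" = "yes" ]; then
    echo "PermitEmptyPasswords is 'yes': accounts with blank passwords can log in"
    findings=$((findings + 1))
  fi

  tries=$(sshd_effective "$1" MaxAuthTries)                 # default: 6; threshold 4 is assumed
  case "${tries:-6}" in
    [0-9]|[0-9][0-9])
      if [ "${tries:-6}" -gt 4 ]; then
        echo "MaxAuthTries is ${tries:-6 (default)}: lower it to 4 or fewer"
        findings=$((findings + 1))
      fi ;;
    *)
      echo "MaxAuthTries has a non-numeric value '$tries'"
      findings=$((findings + 1)) ;;
  esac

  return "$findings"
}

# Stand-alone demo on the constructed sample; on a server run
# sshd_audit /etc/ssh/sshd_config instead (read-only).
demo_cfg=$(mktemp)
printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$demo_cfg"
sshd_audit "$demo_cfg" || echo "$? finding(s)"
rm -f "$demo_cfg"
```

On the sample the audit reports exactly one finding, the PasswordAuthentication yes that the post keeps for the initial setup. After editing the real file, `sudo sshd -t` checks the syntax before `systemctl restart sshd`, which avoids locking yourself out with a typo.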

Nice-to-Have (optional): Custom Login Message (MOTD)

A fun way to personalize your server is by editing the Message of the Day (MOTD). This message appears whenever someone logs in via SSH. For example, you can warn intruders or just display a fun message.

To set it up:

  • Open the MOTD file with vi:
  sudo vi /etc/motd

  • Add your message, for example:
  **************************************************
  Welcome BOSS                                     *
  **************************************************

  • Save and exit. The next time a user logs in via SSH, they’ll see your message.

This is purely optional but can give your server a professional or personalized touch.