Configuring SSH Key-Based Authentication for Secure Linux Server Access
Using SSH clients like PuTTY for remote Linux server management often involves password authentication, which is vulnerable to brute-force attacks. Common mitigations include changing the default SSH port from 22 or disabling root login. A more robust security method is key-based authentication, which also permits secure remote root access.
The mechanism relies on a cryptographic key pair: a public key and a private key. The public key is placed on the server account. Authentication is performed by proving possession of the corresponding private key from the client. An attacker who does not hold the private key cannot authenticate, so once password authentication is disabled, password brute-forcing against SSH becomes ineffective. The same private key can authenticate to any server account or host where its public key is installed.
This process involves generating a key pair on the server, deploying the public key, configuring the SSH daemon, and finally connecting from a client using the private key.
1. Generating the Key Pair
Execute the ssh-keygen command to create a new RSA key pair.
[root@server ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:g7MD591TW4bE8tYHZYPsuQMWAoswwcz488glhYrov9x root@server
The passphrase adds an extra layer of security for the private key, since the key file on disk is encrypted with it. Leaving it blank enables passwordless login, but then anyone who obtains a copy of the private key file can use it immediately.
After generation, the .ssh directory in the user's home folder contains two files: id_rsa (private key) and id_rsa.pub (public key).
2. Installing the Public Key on the Server
Add the public key to the authorized_keys file for the target user account.
[root@server ~]# cd ~/.ssh
[root@server .ssh]# cat id_rsa.pub >> authorized_keys
Set the correct permissions to ensure SSH accepts the key file (with the default StrictModes yes, sshd ignores an authorized_keys file or .ssh directory that is writable by group or others).
[root@server .ssh]# chmod 600 authorized_keys
[root@server .ssh]# chmod 700 ~/.ssh
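The cat >> authorized_keys step above appends the key again on every run, and a typo in the path silently creates an unusable file. The following function is an added example (not part of the original article) that installs a public key only if it is not already present, refuses input that is not an OpenSSH public key line, and applies the permissions sshd requires. The directory and key paths are parameters, so it can be exercised on any directory; in real use pass "$HOME/.ssh" and the id_rsa.pub path.

```shell
#!/bin/sh
# Added example: idempotent installation of a public key into authorized_keys.
# Not taken from the article; paths and function names are this example's own.

install_authorized_key() {
    ssh_dir="$1"      # directory that will hold authorized_keys, e.g. /root/.ssh
    pubkey_file="$2"  # public key to install, e.g. /root/.ssh/id_rsa.pub
    auth_file="$ssh_dir/authorized_keys"

    [ -r "$pubkey_file" ] || { echo "public key not readable: $pubkey_file" >&2; return 1; }

    # Accept only a line that starts with a known OpenSSH key type; pasting a
    # private key or arbitrary text here is a common mistake.
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an OpenSSH public key line: $pubkey_file" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir"
    touch "$auth_file"

    # Exact whole-line match (-x -F) so repeated runs do not append duplicates.
    if grep -qxF -- "$key_line" "$auth_file"; then
        echo "key already present in $auth_file"
    else
        printf '%s\n' "$key_line" >> "$auth_file"
        echo "key added to $auth_file"
    fi

    # sshd with StrictModes yes (the default) rejects keys if the directory or
    # file is writable by group or others.
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_file"
}

# Count the key entries in an authorized_keys file (blank and comment lines
# are skipped); handy for confirming that re-running did not add duplicates.
count_authorized_keys() {
    grep -cv -- '^[[:space:]]*\(#\|$\)' "$1"
}

# Example invocation (commented out so the file can be sourced without side effects):
# install_authorized_key "$HOME/.ssh" "$HOME/.ssh/id_rsa.pub"
# count_authorized_keys "$HOME/.ssh/authorized_keys"
```

Running the function twice with the same key leaves exactly one entry, and the permission fix is applied every time, so it is safe to include in a provisioning script.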
3. Configuring the SSH Daemon for Key Authentication
Edit the SSH server configuration file /etc/ssh/sshd_config to enable public key authentication and, if desired, root login.
# Ensure these lines are present and set to 'yes'
PubkeyAuthentication yes
# RSAAuthentication applied only to SSH protocol 1 and has been removed from recent OpenSSH; PubkeyAuthentication covers RSA keys
# Permit root login if required
PermitRootLogin yes
After successfully testing key-based login, enhance security by disabling password authentication.
PasswordAuthentication no
Apply the changes by restarting the SSH service. Keep the current session open while doing so and test a new key-based login from a second session, so a mistake in the configuration does not lock you out.
# On systemd systems
[root@server ~]# systemctl restart sshd
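sshd_config has a property that trips people up when they add the lines above to the end of the file: for each keyword, the first value sshd reads is the one that takes effect, so an earlier PasswordAuthentication yes (or one pulled in by an Include before your edit) overrides a later PasswordAuthentication no. Lines after a Match block apply only to matching connections. The following added example (not from the article) reads a configuration file the way sshd does for global options and audits the three settings discussed here, plus KbdInteractiveAuthentication, which defaults to yes and can still produce a password prompt through PAM when only PasswordAuthentication is switched off. The function names and the sample files in the test are this example's own.

```shell
#!/bin/sh
# Added example: determine the effective global value of an sshd_config keyword
# and audit the settings from steps 3 of the article. Not the article's own code.

# Print the value sshd would use for a keyword: the first non-comment match,
# stopping at the first Match block. Both "Key value" and "Key=value" forms
# are accepted; only the first token of the value is printed, which is enough
# for yes/no options.
effective_sshd_option() {
    conf="$1"
    key="$2"
    awk -v want="$key" '
        BEGIN { want = tolower(want) }
        NF == 0 || /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            gsub(/[[:space:]]*=[[:space:]]*/, " ", line)
            split(line, f, /[[:space:]]+/)
            k = tolower(f[1])
            if (k == "match") exit        # conditional section: global scan ends here
            if (k == want) { print f[2]; exit }
        }' "$conf"
}

# Report settings that would leave password logins possible or keys unusable.
# Returns 0 when the configuration is as expected, 1 otherwise.
audit_sshd_config() {
    conf="$1"
    problems=0
    pubkey=$(effective_sshd_option "$conf" PubkeyAuthentication | tr 'A-Z' 'a-z')
    passwd=$(effective_sshd_option "$conf" PasswordAuthentication | tr 'A-Z' 'a-z')
    kbd=$(effective_sshd_option "$conf" KbdInteractiveAuthentication | tr 'A-Z' 'a-z')

    # PubkeyAuthentication defaults to yes when unset.
    case "${pubkey:-yes}" in
        yes) ;;
        *) echo "PubkeyAuthentication is '$pubkey' (expected yes)"; problems=$((problems + 1)) ;;
    esac
    # PasswordAuthentication defaults to yes when unset, so "unset" is a finding.
    case "${passwd:-yes}" in
        no) ;;
        *) echo "PasswordAuthentication is '${passwd:-unset}' (expected no)"; problems=$((problems + 1)) ;;
    esac
    # KbdInteractiveAuthentication also defaults to yes; with PAM this still
    # offers an interactive password prompt.
    case "${kbd:-yes}" in
        no) ;;
        *) echo "KbdInteractiveAuthentication is '${kbd:-unset}' (expected no)"; problems=$((problems + 1)) ;;
    esac

    [ "$problems" -eq 0 ]
}

# Example invocation (commented out; run against the real file as root):
# audit_sshd_config /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
```

The audit is a static check of one file; it does not follow Include directives. Before restarting, run sshd -t, which validates the configuration without starting the daemon, and use sshd -T to print the fully resolved effective settings if the result differs from what you expect.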
4. Using the Private Key from a Client
The private key file (id_rsa) must be securely transferred to the client machine (e.g., using SCP or SFTP).
For clients like OpenSSH (Linux/macOS command line):
# Ensure correct permissions on the client
$ chmod 600 ~/Downloads/id_rsa
# Connect using the private key
$ ssh -i ~/Downloads/id_rsa root@server_ip
For PuTTY on Windows:
PuTTY uses the PPK format. Load the raw id_rsa private key into PuTTYgen (via the "Load" button), optionally add a comment, and then save it as a .ppk file. In PuTTY, navigate to Connection > SSH > Auth and specify this PPK file under "Private key file for authentication."