> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Configure the SSH server and client

> Instructions to configure SSH server and client using offloaded keys.

Perform the following tasks to configure the SSH server and client:

1. Extract the SSH client public key from the zip file.
2. Convert the SSH client public key file from DER to PEM format.
3. Configure the SSH client public key on the SSH server and disable non-key-based authentication modes.

## Extract the public key

Perform the following steps to extract the SSH client public key from the zip file:

<Steps>
  <Step>
    Log in to the SSH server machine as the user you plan to connect with from the SSH client machine.
  </Step>

  <Step>
    Open a terminal session and go to the location of the SSH client public key zip file exported from the CryptoHub.
  </Step>

  <Step>
    Run the following command to extract the SSH client public key from the zip file, modifying the file name to match the actual name of your file.

    ```shell expandable lines wrap title="Shell" theme={null}
    unzip archive171924.zip
    ```

    <Check>
      You should see the following output:

      ```none expandable lines wrap title="None" theme={null}
      Archive:  archive171924.zip
       extracting: SSH.pub
      ```
    </Check>

    The `SSH.pub` file is in DER format, meaning the public key is binary encoded.
  </Step>
</Steps>

## Convert the public key file

This section uses OpenSSL to convert the `SSH.pub` file from `DER` to `PEM` format. `PEM` is a method of encoding binary data as a string (also known as ASCII armor).

Perform the following steps to convert the SSH client public key file from DER to PEM format:

<Steps>
  <Step>
    Run the following OpenSSL command to convert the public key exported from the CryptoHub in `DER` format to `PEM` format (as required for the **ssh-keygen** command in the next section):

    ```shell expandable lines wrap title="Shell" theme={null}
    openssl rsa -inform DER -outform PEM -in SSH.pub -out SSH_pubkey.pem -pubin
    ```
  </Step>
</Steps>

## Configure the public key

Perform the following steps to configure the SSH client public key on the SSH server and disable non-key-based modes of authentication:

<Steps>
  <Step>
    SSH requires a specific format for the public keys used within an SSH session. Run the following **ssh-keygen** command to convert the `SSH_pubkey.pem` file  from the previous command to the required SSH public key format and add it to the `~/.ssh/authorized_keys` file:

    ```shell expandable lines wrap title="Shell" theme={null}
    ssh-keygen -f SSH_pubkey.pem -i -m PKCS8 >> ~/.ssh/authorized_keys
    ```
  </Step>

  <Step>
    Run the following command to open the SSH daemon configuration file:

    <Note>
      Editing this file requires sudo privileges.
    </Note>

    ```shell expandable lines wrap title="Shell" theme={null}
    sudo vim /etc/ssh/sshd_config
    ```
  </Step>

  <Step>
    Inside the file, confirm the following directive is present:

    ```text expandable lines wrap title="Text" theme={null}
    PubkeyAuthentication yes
    ```
  </Step>

  <Step>
    Optionally, you can also set the following directives to make the SSH daemon only respond to SSH keys:

    ```text expandable lines wrap title="Text" theme={null}
    PasswordAuthentication no
    ChallengeResponseAuthentication no
    ```
  </Step>

  <Step>
    Save and close the file when finished. To implement these changes, restart the SSH service.

    On Ubuntu or Debian machines, run the following command:

    ```shell expandable lines wrap title="Shell" theme={null}
    sudo systemctl restart sshd
    ```

    On CentOS or Fedora machines, run the following command:

    ```shell expandable lines wrap title="Shell" theme={null}
    sudo service sshd restart
    ```
  </Step>
</Steps>
