SSH Keys
Updated: 2022.12.15
Debian / Ubuntu
Overview
Secure Shell (SSH) is a network service and protocol for secure remote administration. OpenSSH can authenticate a client with a password or with public key authentication (SSH keys). A private key cannot be guessed, brute-forced over the network, or phished the way a password can, so for increased security password authentication should be disabled and replaced with SSH keys.
Assumptions
- Package openssh-server installed on the target system.
- Package openssh-client installed on the client system.
Generate SSH Keys
Start by creating a new SSH key pair on your client computer. You may choose to generate an RSA-4096 or Ed25519 key; Ed25519 is the better choice on any current system (smaller keys, faster, no parameter choices to get wrong), and RSA-4096 remains fine where a legacy server only accepts RSA.
RSA-4096
ssh-keygen -t rsa -b 4096 -C "[email protected]"
Ed25519
ssh-keygen -t ed25519 -C "[email protected]"
When prompted, specify a filename for the key pair. The default depends on the key type: ~/.ssh/id_rsa for RSA (shown below) and ~/.ssh/id_ed25519 for Ed25519.
Generating public/private rsa key pair.
Enter file in which to save the key (~/.ssh/id_rsa):
After specifying a filename, enter a strong passphrase. It encrypts the private key on disk, so a key file copied by malware or from a lost laptop is useless on its own; leave it empty only for keys used by unattended automation.
Created directory '~/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
The key will be generated and the output will look similar to the following. Two files will be created with your chosen filename, here id_rsa and id_rsa.pub:
- id_rsa is the private key used to authenticate; you will use this to open an SSH connection. Store it in a secure location and never share it or copy it to the server.
- id_rsa.pub is the public key. This will be placed on the server, which uses it to verify the private key when an SSH connection is opened. It is not secret.
Your identification has been saved in ~/.ssh/id_rsa
Your public key has been saved in ~/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:k17A+VeiccFKOuc0s88KxbSl2ZhynK8pl/6YRJYA9Kw [email protected]
The key's randomart image is:
+---[RSA 4096]----+
| .o .. |
| = .. .. |
| Boo.+ . |
| .oO*# o |
| E S=^+o |
| . Ooo |
| o .+. |
| .oo=o |
| +Bo. |
+----[SHA256]-----+
Copy Public Key to Server
Once the SSH key pair has been created, the public key must be added to the authorized_keys list on the server.
Using ssh-copy-id
OpenSSH has a built-in tool for copying SSH public keys from your local system to a server. This method requires that you can already log in to the server, typically with a password, since that is what it uses to deliver the key.
Run the ssh-copy-id command, passing the public key with -i (without -i, ssh-copy-id would treat the file path as a hostname). Change “id_rsa.pub” to the filename chosen previously, “user” to your server username, and “serverIP” to your server’s IP address.
ssh-copy-id -i ~/.ssh/id_rsa.pub user@serverIP
If successful, the command output will include Number of key(s) added: 1. ssh-copy-id creates the .ssh directory and authorized_keys file on the server with the correct permissions if they do not already exist. You can now open an SSH connection using the private key.
Using ctrl+c/v
If you cannot, or don’t want to, use the ssh-copy-id tool, you can copy the public key to the server manually.
Display the contents of the public key file using the cat command, specifying your chosen filename. The output is a single line (key type, base64 key, comment); copy all of it.
cat ~/.ssh/id_rsa.pub
Log in to your server and create a new directory .ssh in your server user’s home directory.
mkdir ~/.ssh
Append the copied line to the authorized_keys file in the .ssh directory, creating the file if it does not exist. Each authorized key occupies exactly one line.
echo 'id_rsa.pub contents' >> ~/.ssh/authorized_keys
Set the ownership and permissions of the .ssh directory so that only your server user can access it. This is not optional: with the default StrictModes yes, sshd silently ignores authorized_keys if the file, the .ssh directory, or the home directory is writable by anyone else, and the login falls back to a password.
chown -R $USER:$USER ~/.ssh && chmod -R go= ~/.ssh
You can now open an SSH connection using the private key.
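The Generate SSH Keys and manual copy steps above, as an added example that is not part of the original page: a POSIX shell script that generates an Ed25519 key pair non-interactively, prints the fingerprint ssh-keygen showed at generation time, and installs the public key into a user's authorized_keys idempotently with the permissions sshd requires. The function names, the demo comment "demo@client", and the temporary paths are assumptions for illustration; only ssh-keygen from openssh-client is needed.

```shell
#!/bin/sh
# Added example, not from the original page. Generates a key pair and installs
# the public key the way the manual steps do, but repeatably and with the
# 700/600 permissions that sshd (StrictModes yes, the default) insists on.

# Generate an Ed25519 key pair at path $1 with comment $2 and passphrase $3.
# An empty passphrase is only acceptable for unattended automation keys.
generate_key() {
    ssh-keygen -q -t ed25519 -f "$1" -C "$2" -N "$3" </dev/null
}

# Print the SHA256 fingerprint of key file $1 (private, public, or an
# authorized_keys line), the same value ssh-keygen prints at generation time.
key_fingerprint() {
    ssh-keygen -l -E sha256 -f "$1" | awk '{ print $2 }'
}

# Install public key file $1 into $2/.ssh/authorized_keys.
# Appends only if that key (type + base64 blob) is not already present, then
# forces 700 on .ssh and 600 on authorized_keys. Prints the number of keys
# now authorized, like ssh-copy-id's "Number of key(s) added" line.
install_pubkey() {
    pub=$1; home=$2; dir="$home/.ssh"; ak="$dir/authorized_keys"
    keyid=$(awk '{ print $1 " " $2 }' "$pub")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$ak" && chmod 600 "$ak"
    if ! awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$ak"; then
        cat "$pub" >> "$ak"
    fi
    grep -c -E '^(ssh-|ecdsa-|sk-)' "$ak"
}

# Constructed demo: a throwaway key in a temp dir standing in for the client,
# and a temp "home" standing in for the server user's home directory.
demo() {
    tmp=$(mktemp -d)
    generate_key "$tmp/id_ed25519" "demo@client" ""   # empty passphrase: demo only
    echo "fingerprint: $(key_fingerprint "$tmp/id_ed25519.pub")"
    echo "keys authorized: $(install_pubkey "$tmp/id_ed25519.pub" "$tmp/serverhome")"
    echo "after rerun:     $(install_pubkey "$tmp/id_ed25519.pub" "$tmp/serverhome")"
    ls -ld "$tmp/serverhome/.ssh" "$tmp/serverhome/.ssh/authorized_keys"
    rm -rf "$tmp"
}
command -v ssh-keygen >/dev/null 2>&1 && demo
```

Running install_pubkey twice leaves one key, which is what you want from a provisioning script; ssh-copy-id does the same de-duplication by default. Comparing the fingerprint on the server (ssh-keygen -lf ~/.ssh/authorized_keys) with the one printed on the client is the quick way to confirm the right key landed.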
SSH Key Login
Now that the public key has been copied to the server, an SSH connection can be opened using the private key.
SSH Command
When logging in using an SSH key, specify the private key path with -i when executing the SSH command. Replace “user” and “serverIP” as before.
ssh -i ~/.ssh/id_rsa user@serverIP
Enter the passphrase for the SSH private key when prompted and you’ll be connected.
SSH Config
To make your life easy, you can add the server to your client SSH config file.
nano ~/.ssh/config
Below is an example of an SSH host definition. Replace the information to match your server details.
Host example-server
HostName 1.2.3.4
Port 22
User exuser
IdentityFile /home/exuser/.ssh/id_rsa
You can now open an SSH connection using the chosen Host name; no need to specify user, address, or SSH key path. To see exactly which options ssh will apply for a host without connecting, run ssh -G example-server.
ssh example-server
Enter the passphrase for the SSH private key when prompted and you’ll be connected.
Disable Password
To gain the full security benefit of using SSH keys, you should disable password authentication on your server; otherwise the key adds nothing against password guessing. Make sure you are logged in as an administrative user, via SSH key, prior to disabling password authentication, and keep that session open until you have confirmed from a second terminal that key login still works after the restart. Passwords will still be used for server-side tasks, such as sudo.
Open the /etc/ssh/sshd_config
file in your text editor of choice.
sudo nano /etc/ssh/sshd_config
Find the PasswordAuthentication section in the configuration file. Uncomment and define no for the two settings corresponding to passwords. Two things to check while you are in the file: sshd uses the first value it reads for each keyword, and an Include line near the top of the file pulls in /etc/ssh/sshd_config.d/*.conf before your edits (Ubuntu cloud images ship a 50-cloud-init.conf there that sets PasswordAuthentication yes and would win over your setting); and KbdInteractiveAuthentication (ChallengeResponseAuthentication on older releases) must also be no, because with UsePAM yes it offers a password prompt through PAM even when PasswordAuthentication is off. The Debian default file already sets it to no; confirm it has not been changed.
PasswordAuthentication no
PermitEmptyPasswords no
Verify the effective configuration before restarting, then restart the SSH service for the changes to take effect. Existing sessions, including the one you are editing from, stay connected across the restart.
sudo systemctl restart sshd
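The Disable Password step above, as an added example that is not part of the original page: a POSIX shell script that audits an sshd_config for the password-related settings the way sshd itself reads it, expanding Include directives in place and taking the first value seen for each keyword. The function names, the temporary directory layout and the constructed "50-cloud-init.conf" drop-in are assumptions for the demo. On a real server the authoritative check remains sudo sshd -T (which prints the effective value of every keyword) and sudo sshd -t (which validates the file before you restart).

```shell
#!/bin/sh
# Added example, not from the original page. Audits the settings that govern
# password logins, honouring two sshd parsing rules that bite on Ubuntu:
#   1. For each keyword the FIRST value sshd reads wins; later lines are ignored.
#   2. "Include" splices other files in at that point, so a drop-in such as
#      /etc/ssh/sshd_config.d/50-cloud-init.conf that says
#      "PasswordAuthentication yes" silently overrides an edit further down.
# Settings inside Match blocks are conditional and are deliberately skipped.
# Only the "Keyword value" form is handled, not "Keyword=value".

# Print config file $1 with Include directives expanded, in sshd's reading
# order. Paths containing whitespace are not handled (sshd paths rarely do).
expand_config() {
    while read -r kw rest || [ -n "$kw" ]; do
        case "$kw" in
            [Ii][Nn][Cc][Ll][Uu][Dd][Ee])
                # Unquoted expansion applies the glob; an unmatched pattern
                # stays literal and is then skipped by the -f test.
                for f in $rest; do
                    [ -f "$f" ] && expand_config "$f"
                done
                ;;
            *)
                printf '%s %s\n' "$kw" "$rest"
                ;;
        esac
    done < "$1"
}

# Print the effective value of keyword $2 in config $1, lower-cased.
# Prints nothing if the keyword is never set (sshd's built-in default applies).
effective_setting() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    expand_config "$1" | awk -v key="$key" '
        /^[ \t]*(#|$)/         { next }   # comments and blank lines
        tolower($1) == "match" { in_match = 1 }
        in_match               { next }   # conditional settings: out of scope
        tolower($1) == key     { print tolower($2); exit }
    '
}

# Report the three settings that control password logins and return 0 only
# when all are hardened. Fallbacks are sshd's built-in defaults.
audit_password_auth() {
    pa=$(effective_setting "$1" PasswordAuthentication);       pa=${pa:-yes}
    ep=$(effective_setting "$1" PermitEmptyPasswords);         ep=${ep:-no}
    ki=$(effective_setting "$1" KbdInteractiveAuthentication); ki=${ki:-yes}
    printf 'PasswordAuthentication=%s PermitEmptyPasswords=%s KbdInteractiveAuthentication=%s\n' \
        "$pa" "$ep" "$ki"
    [ "$pa" = no ] && [ "$ep" = no ] && [ "$ki" = no ]
}

# Constructed demo: a main config that disables passwords, plus a drop-in that
# is included first and re-enables them, as on a fresh Ubuntu cloud image.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/sshd_config.d"
    printf 'PasswordAuthentication yes\n' > "$tmp/sshd_config.d/50-cloud-init.conf"
    printf 'Include %s/sshd_config.d/*.conf\nPasswordAuthentication no\nPermitEmptyPasswords no\nKbdInteractiveAuthentication no\n' \
        "$tmp" > "$tmp/sshd_config"
    if audit_password_auth "$tmp/sshd_config"; then echo "hardened"; else echo "NOT hardened: the drop-in wins"; fi
    printf 'PasswordAuthentication no\n' > "$tmp/sshd_config.d/50-cloud-init.conf"
    if audit_password_auth "$tmp/sshd_config"; then echo "hardened"; else echo "NOT hardened"; fi
    rm -rf "$tmp"
}
demo
```

The first audit in the demo reports PasswordAuthentication=yes even though the main file says no, which is exactly the trap: the fix is to change (or override with a lower-numbered file in sshd_config.d) the drop-in, not to edit the main file harder.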