SSH Keys

Updated: 2022.12.15

Overview

Debian / Ubuntu

Secure Shell (SSH) is a software service that provides a secure remote administration protocol. SSH authentication can be done via password or public key authentication (SSH keys). For increased security, password authentication should be disabled and replaced with SSH keys.

Assumptions

  • Package openssh-server installed on target system.
  • Package openssh-client installed on client system.

Generate SSH Keys

Start by creating a new SSH key pair on your client computer. You may choose to generate an RSA-4096 or Ed25519 key.

RSA-4096

ssh-keygen -t rsa -b 4096 -C "[email protected]"

Ed25519

ssh-keygen -t ed25519 -C "[email protected]"

When prompted, specify a filename for the key pair (default is id_rsa).

Generating public/private rsa key pair.
Enter file in which to save the key (~/.ssh/id_rsa):

After specifying a filename, enter a secure password to encrypt the private key with.

Created directory '~/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

The key will be generated and the output will look similar to the following. Two files will be created with your chosen filename: id_rsa and id_rsa.pub.

  • id_rsa is the private key used to authenticate with; you will use this to open an SSH connection. Store this in a secure location and do not share it.
  • id_rsa.pub is the public key. This will be placed on the server to verify the private key when opening an SSH connection.
Your identification has been saved in ~/.ssh/id_rsa
Your public key has been saved in ~/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:k17A+VeiccFKOuc0s88KxbSl2ZhynK8pl/6YRJYA9Kw [email protected]
The key's randomart image is:
+---[RSA 4096]----+
|     .o    ..    |
|       = .. ..   |
|        Boo.+ .  |
|       .oO*# o   |
|      E S=^+o    |
|       . Ooo     |
|        o .+.    |
|        .oo=o    |
|         +Bo.    |
+----[SHA256]-----+

Copy Public Key to Server

Once the SSH key pair as been created, the public key must be added to the authorized_keys list on the server.

Using ssh-copy-id

OpenSSH has a built-in tool for copying SSH keys from your local system to a server. This method requires SSH access to the server.

Run the ssh-copy-id command. Change “id_rsa.pub” to the filename chosen previously, “user” to your server username, and “serverIP” to your server’s IP address.

ssh-copy-id ~/.ssh/id_rsa.pub [email protected]

If successful, the command output will include Number of key(s) added: 1. You can now open an SSH connection using the private key.

Using ctrl+c/v

If you cannot, or don’t want to, use the ssh-copy-id tool, you can copy the public key to the server manually.

Display the contents of the public key file using the cat command. Specify your chosen filename.

cat ~/.ssh/id_rsa.pub

Login to your server and create a new directory .ssh in your server user’s home directory.

mkdir ~/.ssh

Open or create the authorized_keys file in the .ssh directory.

echo 'id_rsa.pub contents' >> ~/.ssh/authorized_keys

Set the ownership and permissions of the .ssh directory so that only your server user can access it.

chown -R \$USER:\$USER ~/.ssh && chmod -R go= ~/.ssh

You can now open an SSH connection using the private key.

SSH Key Login

Now that the public key has been copied to the server, an SSH connection can be opened using the private key.

SSH Command

When logging using an SSH key, specify the SSH private key path when executing the SSH command.

ssh -i ~/.ssh/id_rsa [email protected]

Enter the password for the SSH private key when prompted and you’ll be connected.

SSH Config

To make your life easy, you can add the server to your client SSH config file.

nano ~/.ssh/config

Below is an example of an SSH host definition. Replace the information to match your server details.

Host example-server
  HostName 1.2.3.4
  Port 22
  User exuser
  IdentityFile /home/exuser/.ssh/id_rsa

You can now open an SSH connection using the chosen Host name; no need to specifiy user, address, or SSH key path.

ssh example-server

Enter the password for the SSH private key when prompted and you’ll be connected.

Disable Password

To gain the full security benefit of using SSH keys, you should disable password authentication on your server. Make sure you are logged in as an administrative user, via SSH key, prior to disabling password authentication. Passwords will still be used for server side tasks, such as sudo use.

Open the /etc/ssh/sshd_config file in your text editor of choice.

sudo nano /etc/ssh/sshd_config

Find the PasswordAuthentication section in the configuration file. Uncomment and define no for the two settings corresponding to passwords.

PasswordAuthentication no
PermitEmptyPasswords no

Restart the SSH service for changes to take effect.

sudo systemctl restart sshd