How To Set Up SSH Keys


What Are SSH Keys?

SSH keys are a more secure way of logging into a remote system than a password. They also provide the added convenience of not having to remember passwords for logging in remotely. Passwords are often poorly chosen or reused in more than one location. This raises the chance that your password may be brute forced, leading to an attacker gaining access to your machine. SSH keys are almost impossible to brute force and can be used simply by putting a user’s public SSH key on the remote machine they want to access.

Creating The SSH Key

Generate The Key

The first step is to create the SSH key pair. Open up your favorite terminal on your Unix / Linux system and enter:

ssh-keygen -t rsa

Choosing Options

You will be prompted through a series of questions before the key is generated. First you are asked the location / name of the file in which you want the generated key stored:

Enter file in which to save the key (/home/example/.ssh/id_rsa):

You can simply hit enter here, as the default is fine most of the time. In my example above I am saving the key into the home directory of my “example” user.

Enter passphrase (empty for no passphrase):

Next you are asked whether you want to create a passphrase for your generated key. This is completely optional. Adding the passphrase has the benefit of further increasing your security. As with passwords, keys rely on the fact that the other person doesn’t have access to the password or key. If they do, it defeats the entire system. Adding a passphrase to your key allows you to protect yourself more. If your key falls into the hands of an attacker, they will still be required to know the passphrase to use it. The only actual disadvantage to adding a passphrase is having to enter it whenever you want to use the key.

The exact output you see on the screen when completing this task will look similar to this:

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/example/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/example/.ssh/id_rsa.
Your public key has been saved in /Users/example/.ssh/id_rsa.pub.
The key fingerprint is:
df:d4:ee:34:da:53:7c:b9:d9:2d:96:22:20:67:60:dc [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|     . .         |
|      + E    .   |
|     . .S   . ...|
|      . +. o . .+|
|       + .. . +o*|
|          . .==+o|
|           ..ooo |
+-----------------+

Once this is complete the public key you generated is located at /Users/example/.ssh/id_rsa.pub and the private key is located at /Users/example/.ssh/id_rsa.

Installing Your Key On Remote System

Now that you have created your key, you have to install it on a remote system to use it. There are two easy ways to copy the key to the remote system:

ssh-copy-id

The easiest of the two ways is to use ssh-copy-id. All you have to do is run the command:

ssh-copy-id username@<remote server ip>

Make sure you replace both the username and ip with your server’s.

Editing Directly

Another way to copy your key to the remote system is to edit the authorized_keys file directly, pasting in your key. An easy command to do this is:

cat <location of public key> | ssh username@<remote server ip> "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

In the event you are prompted that the authenticity of the host can't be established, which happens the first time you connect to a server, you can simply enter "yes" to continue anyway. It will look something like this:

The authenticity of host '12.34.56.78 (12.34.56.78)' can't be established.
RSA key fingerprint is b1:2d:33:67:ce:35:4d:5f:f3:a8:cd:c0:c4:48:86:12.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '12.34.56.78' (RSA) to the list of known hosts.
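
The one-line command above appends the key every time it is run and leaves file permissions at whatever the remote umask gives. The following is an added example, not part of the original article: a function intended to run in the remote account that installs the key only once and sets the permissions sshd expects. install_pubkey is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: idempotent, permission-safe version of the
# "cat >> ~/.ssh/authorized_keys" step.
# install_pubkey is a hypothetical helper name, not part of OpenSSH.

install_pubkey() {
    pubfile=$1          # path to the .pub file to install
    home=${2:-$HOME}    # home directory of the account receiving the key
    sshdir=$home/.ssh
    auth=$sshdir/authorized_keys

    [ -r "$pubfile" ] || { echo "cannot read $pubfile" >&2; return 1; }

    # Refuse a private key handed over by mistake (id_rsa instead of id_rsa.pub).
    if grep -q 'PRIVATE KEY' "$pubfile"; then
        echo "$pubfile looks like a private key, refusing" >&2
        return 2
    fi

    # A public key is a single line; take the first non-empty one.
    key=$(grep -v '^[[:space:]]*$' "$pubfile" | head -n 1)
    [ -n "$key" ] || { echo "no key found in $pubfile" >&2; return 1; }

    # With StrictModes (on by default) sshd ignores authorized_keys when the
    # directory or file is writable by group or others.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append only if this exact line is not already present.
    if grep -qxF -- "$key" "$auth"; then
        echo "key already installed"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "key installed"
    fi
}
```

Called as install_pubkey /path/to/id_rsa.pub, it writes to the current user's ~/.ssh; the optional second argument names a different home directory.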

Test It

Now that you have copied your key over to your remote system you can test to see if it is working. Simply run ssh username@<remote server ip>. If it was successful you will not be prompted for a login, unless you have chosen a passphrase for your key.

Optional Security Modification

Now that you have set up your key authentication you can further increase your server’s security by disabling the password login for root. Before doing this make sure you have verified you can log in using your key.

Disable Password Authentication

Log in via ssh and open up the ssh config file with your favorite text editor:

sudo nano /etc/ssh/sshd_config

Find the line that reads PermitRootLogin and change the line to:

PermitRootLogin without-password

Save the file and then restart your ssh server:

sudo service sshd restart
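
PermitRootLogin without-password only changes how root may log in; password logins for other accounts are governed by PasswordAuthentication. The following is an added example, not part of the original article, that reads an sshd_config file and reports both settings. sshd_setting and audit_sshd_config are hypothetical helper names, and Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# Added example: report what a given sshd_config says about password logins.
# sshd_setting and audit_sshd_config are hypothetical helper names.
# Simplification: Match blocks and Include files are not evaluated.

# Print the value of one keyword. sshd uses the FIRST occurrence of a
# keyword and matches keywords case-insensitively.
sshd_setting() {
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

audit_sshd_config() {
    cfg=$1
    root=$(sshd_setting "$cfg" PermitRootLogin)
    pass=$(sshd_setting "$cfg" PasswordAuthentication)

    case $root in
        # prohibit-password is the newer spelling of without-password
        without-password|prohibit-password) echo "root: key-only" ;;
        forced-commands-only) echo "root: key-only, forced commands" ;;
        no)    echo "root: login disabled" ;;
        unset) echo "root: not set, compiled-in default applies" ;;
        *)     echo "root: password login permitted ($root)" ;;
    esac

    # PermitRootLogin does not affect other accounts. They are controlled by
    # PasswordAuthentication, which defaults to yes when unset.
    case $pass in
        no) echo "other users: key-only" ;;
        *)  echo "other users: password login allowed ($pass)" ;;
    esac
}
```

On the server itself, sudo sshd -t checks the edited file for syntax errors before the restart, and sudo sshd -T prints the configuration the daemon would actually use, including defaults.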

That’s it. If you have completed all of these steps you have set up SSH key authentication for your server and set yourself up to use it elsewhere as well. Your server is now much more secure.

CC BY 4.0 This work is licensed under a Creative Commons Attribution 4.0 International License.

Alex Wacker has written 16 articles

I am the founder and owner of Subnet Labs LLC. Impact VPS is one of our VPS brands. Linux, virtualization and the internet amaze me and I enjoy learning new things every day about them.
