What Are SSH Keys?
SSH keys are a more secure way of logging into a remote system than a password, and they spare you from having to remember a password for every remote login. Passwords are often weak or reused across several systems, which gives an attacker a realistic chance of guessing or brute-forcing one and gaining access to your machine. An SSH key pair is generated from far more randomness than any human-chosen password, so brute-forcing it is infeasible in practice. To use one you simply place the user's public key on the remote machine they want to access; the private key never leaves their own machine.
Creating The SSH Key
Generate The Key
The first step is to create the SSH key pair. Open your favorite terminal on your Unix / Linux system and enter the command below. (Current OpenSSH releases generate a 3072-bit RSA key by default; you can pass -b 4096 for a larger RSA key, or -t ed25519 for a shorter, faster modern key. The rest of the walkthrough is the same whichever type you pick.)
ssh-keygen -t rsa
You will be prompted through a series of questions before the key is generated. First you are asked the location / name of the file in which you want the generated key stored:
Enter file in which to save the key (/home/example/.ssh/id_rsa):
You can simply press Enter here; the default is usually fine. In the example above the key is saved under the home directory of the "example" user.
Enter passphrase (empty for no passphrase):
Next you are asked whether you want to protect the generated key with a passphrase. This is optional, but it adds a further layer of security. As with passwords, a key only protects you as long as nobody else has it; if the private key file is stolen, the whole scheme is defeated. With a passphrase the private key is stored encrypted on disk, so an attacker who obtains the file still has to know the passphrase before they can use it. The only real disadvantage is that you have to type the passphrase when you use the key (an SSH agent can cache it for the duration of a session).
The complete output you see on screen will look similar to this:
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/example/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/example/.ssh/id_rsa.
Your public key has been saved in /Users/example/.ssh/id_rsa.pub.
The key fingerprint is:
df:d4:ee:34:da:53:7c:b9:d9:2d:96:22:20:67:60:dc [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|        . .      |
|       + E .     |
|      . .S .  ...|
|     . +. o .  .+|
|      + ..  . +o*|
|          . .==+o|
|         ..ooo   |
+-----------------+
Once this is complete the public key is located at /Users/example/.ssh/id_rsa.pub and the private key at /Users/example/.ssh/id_rsa. Only the .pub file is ever copied to other systems; the private key stays on your machine and must remain readable only by you (ssh-keygen creates it with mode 600 for that reason).
Installing Your Key On Remote System
Now that you have created your key you have to install it on the remote system in order to use it. There are two easy ways to copy the key to the remote system.
The easiest of the two ways is to use ssh-copy-id. All you have to do is run the command:
ssh-copy-id username@<remote server ip>
Make sure you replace both the username and the IP with your server's. ssh-copy-id logs in with that user's password one last time and appends your public key to the user's authorized_keys file on the server.
Another way to copy your key to the remote system is to append it to the authorized_keys file yourself. An easy command to do this, which also sets the permissions sshd expects on the directory and the file, is:
cat <location of public key> | ssh username@<remote server ip> "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
The first time you connect to a server, ssh has no record of its host key and asks you to confirm it. This is not a failure: the fingerprint shown belongs to the server's host key, and the safe response is to compare it with the fingerprint obtained through another channel (from your provider's console, or by running ssh-keygen -lf on the host key files under /etc/ssh on the server itself) before typing "yes". Accepting an unchecked fingerprint is exactly what lets a man-in-the-middle capture the password you type in the next step. The prompt looks something like this:
The authenticity of host '126.96.36.199 (188.8.131.52)' can't be established.
RSA key fingerprint is b1:2d:33:67:ce:35:4d:5f:f3:a8:cd:c0:c4:48:86:12.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '184.108.40.206' (RSA) to the list of known hosts.
Now that you have copied your key to the remote system you can test it. Simply run ssh username@<remote server ip>. If it worked you will not be prompted for the account's password (you will still be asked for the key's passphrase if you set one). If you are still asked for a password, check the permissions on the remote side first: sshd ignores ~/.ssh and authorized_keys when they are writable by anyone other than the owner.
Optional Security Modification
Now that you have set up key authentication you can further increase your server's security by disabling password login for root. Before doing this make sure you have verified that you can log in using your key, and keep your current session open while you make the change so a mistake cannot lock you out.
Disable Password Authentication
Log in via ssh and open the ssh daemon's config file with your favorite text editor
sudo nano /etc/ssh/sshd_config
Find the line that reads PermitRootLogin and change it so that root can no longer log in with a password (the value is prohibit-password on current OpenSSH, spelled without-password on older releases). If you want to disable password logins for every user and not only root, which is what the heading of this section promises, also set PasswordAuthentication to no. Note that sshd honours the first occurrence of each keyword, so make sure no earlier uncommented line sets a different value.
Save the file, check it for syntax errors, and then restart your ssh server (on Debian-based systems the service is called ssh rather than sshd). A syntax error stops the daemon from coming back up, which is why you keep the existing session open and confirm a fresh key-based login from a second terminal.
sudo service sshd restart
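The config change above as a script that edits a copy of sshd_config and reports the value sshd will actually use; this is an added example, not code from the original post. Two details matter and are easy to get wrong by hand: sshd takes the first occurrence of a keyword, so the new setting is inserted at the top of the file rather than appended, and everything after a Match line is conditional and must be left alone. The sample config, the file paths and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not the page's own code): edit sshd_config safely and
# report the value sshd will actually use. Exercised on a constructed sample.

# set_directive <config file> <Keyword> <value>
# sshd uses the FIRST occurrence of a keyword, so the new line is placed
# at the top of the file. Earlier global occurrences (live or commented
# out) are dropped; anything after a "Match" line is conditional and is
# left untouched.
set_directive() {
    cfg=$1; key=$2; val=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$val" '
        BEGIN { print k " " v }                  # new global setting wins
        tolower($1) == "match" { inmatch = 1 }   # conditional block starts
        !inmatch {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)    # strip indent and leading "#"
            n = split(line, f, " ")
            if (n > 0 && tolower(f[1]) == tolower(k)) next
        }
        { print }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"     # keep the file owner and mode
    rm -f "$tmp"
}

# effective_value <config file> <Keyword>
# Prints the first non-comment global value, which is the one sshd honours.
effective_value() {
    awk -v k="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Constructed sample resembling a stock config with the weak settings.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
}

demo() {
    sample=$(mktemp)
    write_sample_config "$sample"
    set_directive "$sample" PermitRootLogin prohibit-password
    set_directive "$sample" PasswordAuthentication no
    echo "PermitRootLogin -> $(effective_value "$sample" PermitRootLogin)"
    echo "PasswordAuthentication -> $(effective_value "$sample" PasswordAuthentication)"
    cat "$sample"
    rm -f "$sample"
}
demo
```

Run it against a copy, then validate the real file with sudo sshd -t before restarting; the Match block in the sample shows why a blind "delete every line containing the keyword" approach would also remove a per-user exception you meant to keep.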
That's it. If you have completed all of these steps you have set up SSH key authentication for your server and can reuse the same key pair elsewhere. Your server is now much harder to break into than it was with password logins alone.
This work is licensed under a Creative Commons Attribution 4.0 International License.