How to setup and use SSH keys
Introduction
SSH, or secure shell, is an encrypted protocol used to communicate with servers.
There are many different ways to log into an SSH server however in this article we are focusing on setting up and using SSH keys.
When you connect to a server using SSH, the client and server establish an encrypted connection to exchange data. Once this connection is established, there is an authentication phase to check the user’s credentials. With password-based authentication, the client sends the password to the server over the encrypted channel. However, this is vulnerable to brute-force attacks — an automated system can try common passwords, or various combinations of letters, words and names against your server.
With key-based authentication, you use “asymmetric encryption” and “challenge-response authentication” to authenticate users. Simply put, you generate two mathematically related keys, called “public” and “private” keys. Then, you copy the public key to the server, but you keep the private key on your local machine, safely guarded from others. Due to how these keys work, you can encrypt data only with the public key, and decrypt data with the private key.
Understanding SSH Key Pairs
A user private key is key that is kept secret by the SSH user on his/her client machine. The user must never reveal the private key to anyone, including the server (server administrator), not to compromise his/her identity.
To protect the private key, it should be generated locally on a user’s machine and stored encrypted by a passphrase. The passphrase should be long enough (that’s why it’s called passphrase, not password) to withstand a brute-force attack for a reasonably long time, in case an attacker obtains the private key file.
A user public key is a counterpart to user private key. They are generated at the same time. The user public key can be safely revealed to anyone, without compromising user identity.
To allow authorization of the user on a server, the user public key needs to be copied to the server.
The following guide is intended for Linux/Mac users, however this method does work for Windows if you have the OpenSSH feature installed.
Generating an SSH Key Pair
OpenSSH comes with a tool called ssh-keygen to generate key pairs. By default, it uses 2048-bit RSA keys. We will generate our first key pair with the command:
ssh-keygen
When you run this command, it will ask you where you want to save the key. By default, the private key is saved to ~/.ssh/id_rsa and the public key to ~/.ssh/id_rsa.pub. If you want to change the location you can enter a custom path.
In addition, to better protect your private key, it will also ask for a passphrase. If you use a passphrase, it will be used to encrypt the generated private key. This adds another layer of security if someone manages to steal your private key. However, for the purpose of this article, we won’t use a passphrase by leaving the field blank.
Now, you can verify that these files have been created, by running:
ls ~/.ssh
This lists out the files:
You can also save the key pair to a custom location with the -f argument. For example:
ssh-keygen -f ~/my-keys
Copying the public key to the server
Now that you have generated the key pair, you should copy the public key over to the server. Because public keys are used to authenticate a given user, the key lives in ~/.ssh/authorized_keys, for that user. In addition, this file should have the permission bits 400, so that other users aren’t able to read the file.
Most versions of OpenSSH come with the ssh-copy-id command, which can be used to automate this process. For this example we generated the public key in the default path. Now to copy the public key for the user kai to the server 192.168.0.26, you would use:
ssh-copy-id kai@192.168.0.26
However, if you have the key saved in a different location, you can use the -i switch to manually set the path. For example:
ssh-copy-id -i ~/my-key.pub kai@192.168.0.26
Using the SSH key to log in
Now that you have installed the key on the server, it’s time to log in. If you have the key in the default location, you can simply log in as usual:
ssh kai@192.168.0.26
If you have the private key in a custom location, you can set the path with the -i switch, for example:
ssh -i ~/my-key kai@192.168.0.26
If everything works you should be able to log in without a password. However if you set a passphrase earlier when generating your key you will have to enter that in order to decrypt it.
With the current setup, you will be able to log in to your user account with a password or the private key. However for added security it is recommended that you disable the password access option from the server.
NOTE: Before you continue, you should ensure all users who want to log in to the server have a public key configured on the server.
Disabling Password-Based Authentication
To disable password authentication, you need to edit the /etc/ssh/sshd_config file on the server. Here we’ll be using the nano editor, although you can use any other editor of your choice. If you are logged in to the server as a root user, run:
nano /etc/ssh/sshd_config
Otherwise, you can use sudo to enable you to run commands as the root user, for example:
sudo nano /etc/ssh/sshd_config
However, if you do not have sudo installed, you can get a root shell by running su and entering the root user’s password. Then, you can use the commands for the root user as above.
Once you open the file, find the line containing the “PasswordAuthentication” directive. This line will typically look like:
#PasswordAuthentication yes
If there is a # in front of the “PasswordAuthentication” line, you should remove it. Then, change the yes to a no, and then save the file and exit the editor. However, if there is no such line, you can simply add the following line to the end of /etc/ssh/sshd_config:
PasswordAuthentication no
Once you’ve saved the file, you need to restart the SSH server with the following command:
sudo service sshd restart # For older sysvinit/upstart systems
sudo systemctl restart sshd # For modern systemd-based systems
Now that password authentication is disabled, you can only login with the SSH Keys you have setup.
Managing Multiple SSH Keys
If you have multiple SSH keys for multiple servers, you have to remember the server and its corresponding key, which can become a hassle. You can specify a list of servers and keys in the ~/.ssh/config file on your local system.
As an example, if you want to configure SSH to use ~/ssh-keys/server1 when logging into 192.168.0.26, and ~/ssh-keys/server2 when logging into 192.168.0.30, you should use:
Host 192.168.0.26
IdentitiesOnly yes
IdentityFile ~/ssh-keys/server1
Host 192.168.0.30
IdentitiesOnly yes
IdentityFile ~/ssh-keys/server2
Now, when you try to log in to any of these two servers with the ssh @ command, SSH will automatically use the key defined in the configuration file. For any other server, it will fall back to the default keys or password authentication (depending on server support and the default key in use).
I hope this article helped you learn how to easily setup and use SSH keys to access your server.