The reason behind the popularity of SSH Keys Authenticaion is because this method offers much greater security over passwords. Passwords, even long ones, do not come close to offering the cryptographic strength that is offered by a key pair. There are other benefits as well. It stops users from having to remember passwords, allows for some automation and facilitates single sign-on.
Let’s say you have two systems, a daily workstation and a server. The daily workstation would be the system you sit at and work on all day long. The server is a remote machine that offers some kind of service. For this tutorial we will refer to these systems as “workstation” and “server”.
How to Generate SSH Keys
On your workstation you want to build your ssh key. We will use the ssh-keygen command and instruct it to build an rsa key.
ssh-keygen -t rsa
You will be prompted for some information like a the name of the file to save the key and a passphrase. If you enter a passphrase you will need to use that passphrase every time you log into the remote server. This is the most secure type of connection, but for this tutorial we are going to leave the passphrase blank so we can log in without a password.
ssh-keygen command example output:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/tomthumb/.ssh/id_rsa):
Created directory '/home/tomthumb/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tomthumb/.ssh/id_rsa.
Your public key has been saved in /home/tomthumb/.ssh/id_rsa.pub.
The key fingerprint is:
The key's randomart image is:
+--[ RSA 2048]----+
| .o+ . . |
| . . + = . |
| . E = o |
| o o . |
| S o . |
| ..o . |
| ...o |
| o oo |
| o.o++. |
The keygen command will create two files. One is the private key and one is the public key (notated by .pub extension).
NOTE: It is imperative that you always secure your private key.
Publishing Public Key to Remote System
Now that you have the private and public keys generated, you need to put the public key on the remote server. The remote server keeps the public key in a file called “authorized_keys” which resides in a hidden directory within your home directory called “.ssh”. We will use scp to copy the public key from the workstation to the servers authorized_keys2 file. Of course you will need to enter your password for this scp session because the key exchange is not completed yet.
scp ~/.ssh/id_rsa.pub server:.ssh/authorized_keys2
UPDATE: You can also use a built in program called ssh-copy-id, like so:
ssh-copy-id -i ~/.ssh/id_rsa.pub username@server-fqdn
If you followed the above directions, you should now be able to log into the remote server from your workstation without using a password. If you are interested in seeing the key exchange, you can run ssh -vvv <servername>.
* Your .ssh folder and contents MUST be only readable by you. If your keys are not working try running the following command on both systems.
chmod -R 700 ~/.ssh
Setting up SSH Keys is a simple process and could save you a lot of time. Now that you have your keys configured, you can easily run a command on a remote system with SSH. I just want to express once again the importance of securing your private key. Make sure you set the permissions and never copy the private key anywhere.
You can also set up a different key pair for each system you log into. It is easy to manage using the ssh_config file. With this file you can set up per host configurations, including which identity file (key pair) to use for each host. To learn more see our article named "How to Save Per Host User Specific SSH Client Settings".
This site uses Akismet to reduce spam. Learn how your comment data is processed.