Log in to the server with a public and private key
- The SSH protocol
- SSH keys are authentication credentials
- What is public key authentication – SSH key authentication
- Asymmetric Cryptography Algorithms
- Key pair: public and private
- How to set SSH keys on Linux server – Ubuntu
- Step 1: Create the RSA key pair
- Step 2: Copy the public key to the server
- Copying the public key using ssh-copy-id
- Copying the public key via SSH
- Manual copy of the public key
- Step 3: Authenticate Ubuntu Server Using SSH Keys
- Step 4: Disable password authentication on the server
If you are a webmaster, or just have NERD friends or developer friends, you have probably already heard the term SSH key. The first time a friend advised me to use them to access my server was in 2010: "they are more secure", she said. At first SSH keys frightened me enough that I didn't want to "mess up my life"; I didn't really know what they were and I had the classic fear of the unknown. For some time I continued to use the classic username and password pair. What an ignorant mistake... Then I discovered that SSH keys are secure and very easy to use, and now I can't do without them.
Read the rest of this article to learn more about what it is and how to enable ssh key authentication.
Basically, an SSH key is a login credential for the SSH protocol: a file containing a cryptographic secret that plays the role of a very strong password. Its function is similar to that of the username and password you use in online services, but keys are mainly used for automated logins to servers and for single sign-on by system administrators and power users.
With an SSH key you can log in to a server over SSH quickly, without typing a username and password. Convenient and secure.
The SSH protocol
The first version of the SSH protocol was developed in the summer of 1995 by Tatu Ylonen .
Tatu Ylonen, inventor of the SSH protocol
Tatu was a researcher at the University of Helsinki who, following a sniffing attack on the university network, decided to develop a system to make the connection to a server more secure.
A sniffing attack intercepts and logs traffic transmitted over a network and can provide attackers with usernames and passwords that can then be used to gain access to critical IT resources.
Following that attack, Tatu Ylonen created the SSH protocol (SSH.com).
Today the SSH protocol is widely used to access systems remotely, and its strong encryption makes it ideal for tasks such as issuing remote commands and managing network infrastructure and other vital system components. To use the SSH protocol you need two pieces of software: the remote system must run an SSH daemon, and the system used to send commands and manage remote servers must have an SSH client. Together they set up a communication channel that uses the SSH protocol.
Virtually every Linux system ships with an SSH daemon by default; I have never had to install it on the various servers I have come across over the years. You just need a client like PuTTY or MobaXterm to connect to the server.
SSH keys are authentication credentials
The Secure Shell (SSH) protocol is used for managing networks, operating systems and configurations. It is also built into many file transfer tools, such as FileZilla, and configuration management tools. Every large company and data center uses it.
SSH keys are an authentication method used to gain access over an encrypted connection between systems. The protocol enables the automation that makes modern cloud services and other computer-dependent services possible and affordable. It offers convenience and greater security when handled correctly.
Functionally, SSH keys resemble passwords: they are authentication credentials. They grant access and control who can access what.
Technically, SSH keys are cryptographic keys in a public key cryptosystem; they define who can access each system.
Authorized keys (the entries in authorized_keys) are public keys that allow access.
Identity keys identify users and provide access. Identity keys are private keys used by an SSH client to authenticate when logging into an SSH server.
Authorized keys and identity keys are jointly referred to as user keys. They refer to user authentication, rather than the host keys used for host authentication.
What is public key authentication – SSH key authentication
The SSH protocol supports many authentication methods. Probably one of the most important is public key authentication for automated connections.
The reason why public key authentication should be preferred over username and password is security. Public key authentication provides cryptographic strength that even extremely long passwords cannot offer. Additionally, public key authentication is convenient: it frees users from remembering complicated passwords (or worse, writing them down) and allows single sign-on to be implemented on the SSH servers they connect to.
Public-key cryptography revolves around a couple of key concepts: asymmetric cryptography and key pairs.
Asymmetric Cryptography Algorithms
As with any encryption scheme, public key authentication is based on an algorithm. There are several well-researched, safe and reliable algorithms – the most common are RSA and DSA. I’ll show you how to create an RSA key shortly.
Unlike the commonly known cryptographic algorithms (symmetric, or secret key), public key algorithms work with two separate keys. These two keys form a specific pair for each user.
Key pair: public and private
Each SSH key pair includes two keys:
- A public key that is copied to SSH servers. Anyone who has a copy of the public key can encrypt data that can only be read by the person who holds the corresponding private key. Once an SSH server receives a public key from a user and trusts it, the server marks the key as authorized in its ~/.ssh/authorized_keys file. These keys are called authorized keys.
- A private key that stays only with the user. Possession of this key is proof of the user's identity. Only a user with a private key that matches the public key on the server will be able to authenticate successfully. Private keys must be stored and managed carefully and kept safe. The private keys used for user authentication are called identity keys.
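The following is an added example, not code from the original article, that shows the idea behind the two keys described above using the OpenSSL command-line tool: the server keeps only the public key and sends a challenge, and only the holder of the private key can produce a signature over it that verifies. The file names and the random challenge are constructed for the demonstration; real SSH signs a session-bound message in its own wire format, but the principle is the same.

```shell
#!/bin/sh
# Added example, not from the original article: the challenge/response idea
# behind public key authentication, with the openssl command-line tool.
# The server side never sees the private key; a valid signature over its
# challenge is what proves the client holds it. File names are constructed.
set -eu

# gen_keypair DIR: writes DIR/id_rsa.pem (private, stays on the client) and
# DIR/id_rsa.pub.pem (public, the part that would be copied to the server).
gen_keypair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/id_rsa.pem" 2>/dev/null
    openssl pkey -in "$1/id_rsa.pem" -pubout -out "$1/id_rsa.pub.pem"
}

# sign_challenge PRIVKEY CHALLENGE_FILE SIG_FILE: the client's side.
sign_challenge() {
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# verify_challenge PUBKEY CHALLENGE_FILE SIG_FILE: the server's side.
# Exit status 0 means the signature matches this challenge under this public key.
verify_challenge() {
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
    demo=$(mktemp -d)
    gen_keypair "$demo"
    # The server picks a fresh random challenge each time; reusing one would
    # let a recorded signature be replayed.
    openssl rand -out "$demo/challenge" 32
    sign_challenge "$demo/id_rsa.pem" "$demo/challenge" "$demo/challenge.sig"
    if verify_challenge "$demo/id_rsa.pub.pem" "$demo/challenge" "$demo/challenge.sig"; then
        echo "signature valid: client holds the matching private key"
    fi
    # The same signature does not verify for a different (or tampered) challenge.
    openssl rand -out "$demo/other" 32
    if ! verify_challenge "$demo/id_rsa.pub.pem" "$demo/other" "$demo/challenge.sig"; then
        echo "signature rejected for a different challenge"
    fi
    rm -rf "$demo"
fi
```

Note that verify_challenge only needs id_rsa.pub.pem: that is why a public key can be handed to any number of servers without weakening the identity, while the private key never has to leave the client.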
How to set SSH keys on Linux server – Ubuntu
As we have seen, SSH, or Secure Shell, is an encrypted protocol used to administer and communicate with servers conveniently and securely. When you work with a web server running Ubuntu, chances are you will spend some time in a terminal session connected to your server via SSH. To save time, I recommend using SSH keys to access your servers faster.
In the next few paragraphs we will see how to configure SSH keys for an Ubuntu installation in three simple steps.
Step 1: Create the RSA key pair
The first step is to create a key pair (private and public) on the client computer (usually your own computer). Open a shell (or the command prompt, if you are using Windows) and type the following command:
By default, the ssh-keygen command creates a 2048-bit RSA key pair, which is secure enough for most use cases (you can optionally pass the -b 4096 flag to create a 4096-bit key).
After entering the command, you should see the following output:
Press ENTER to save the key pair in the ~/.ssh/ subdirectory of your home directory, or specify an alternate path. If you have previously generated an SSH key pair, you may see the following prompt:
If you choose to overwrite the key on disk, you will no longer be able to authenticate using the old key. Be very careful when selecting YES, as this is a destructive process that cannot be reversed. You should then see the following prompt:
Here you can optionally enter a secure passphrase to use together with the SSH key. A passphrase adds an extra layer of security.
Alternatively, press ENTER without typing anything to use the key without a passphrase. You should then see the following output:
You now have a public and private key that you can use to authenticate to the server. The next step is to place the public key on the server so that you can use SSH key-based authentication to log in.
Step 2: Copy the public key to the server
The fastest way to copy your public key to the Ubuntu host is to use a utility called ssh-copy-id. Because of its simplicity, this method is highly recommended if available. If you don't have ssh-copy-id on your client computer, you can use one of the two alternative methods described in this section (copying the key over SSH, or copying it manually).
Copying the public key using ssh-copy-id
The ssh-copy-id tool is included by default on many operating systems, so you may have it available on your local system. For this method to work, you must already have password-based SSH access to the server.
To use this tool, simply specify the remote host you want to connect to and the user account that has password-based SSH access. This is the account the public SSH key will be copied to.
The syntax for copying the public key to the server is:
The following message may be displayed:
This means that the local computer does not recognize the remote host. This will happen the first time you connect to a new host. Answer “yes” and press ENTER to continue.
Next, ssh-copy-id will scan your local account for the id_rsa.pub key we created earlier. When it finds the key, it will ask you for the remote user's account password:
Type in your password (your entry will not appear, for security reasons) and press ENTER. The tool will connect to the account on the remote host using the provided password. It will then copy the contents of your ~/.ssh/id_rsa.pub key to a file called authorized_keys in the ~/.ssh directory of the remote account.
You should see the following output:
At this point, the id_rsa.pub key has been uploaded to the remote server. You can continue with step 3.
Copying the public key via SSH
If you don’t have ssh-copy-id but have password-based SSH access to an account on your server, you can upload your keys using a conventional SSH method.
We can do this by using the cat command to read the contents of the public SSH key on our local computer and piping it through an SSH connection to the remote server.
Let's start by making sure the ~/.ssh directory exists and has the correct permissions for the account we are using.
We then redirect the key's content to a file called authorized_keys within this directory.
For convenience we will use the >> operator to append the contents of the key to the authorized_keys file instead of overwriting it. This allows us to add keys without destroying previously added ones.
The complete command looks like this:
The following message may be displayed:
This means that the local computer does not recognize the remote host. This will happen the first time you connect to a new host. Type "yes" and press ENTER to continue. Next, you will be prompted to enter the remote user account's password:
After you enter the password, the contents of the id_rsa.pub key will be appended to the end of the authorized_keys file of the remote user account. Continue with step 3 if the operation was successful.
Manual copy of the public key
If you do not have password-based SSH access to the server, you will need to complete the above steps manually.
We will manually add the contents of your id_rsa.pub file to the ~/.ssh/authorized_keys file on your remote computer.
To view the contents of the id_rsa.pub key, type this into your local computer:
You will see the contents of the key, which should look like this:
Log in to your remote host using whatever method you have available. Once you have access to your account on the remote server, make sure the ~/.ssh directory exists. This command will create the directory if needed, or do nothing if it already exists:
You can now create or edit the authorized_keys file within this directory. You can add the contents of your id_rsa.pub file to the end of the authorized_keys file, creating it if necessary, using this command:
In the above command, replace public_key_string with the output of the cat ~/.ssh/id_rsa.pub command you ran on your local system. It should start with ssh-rsa AAAA….
Finally, we will make sure that the ~/.ssh directory and the authorized_keys file have the appropriate permissions set:
This recursively removes all "group" and "other" permissions for the ~/.ssh/ directory.
If you are using the root account to set up the keys for a user account, it is also important that the ~/.ssh directory belongs to the user and not to root:
In this tutorial our user is named johnny but you need to substitute the appropriate username in the above commands.
We can now attempt passwordless authentication with our Ubuntu server.
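As an added example (not the article's own commands), the following POSIX shell script does what steps 1 and 2 describe on the server side of the manual copy: it checks that the pasted text is a single OpenSSH public key line, creates ~/.ssh if needed, appends the key to authorized_keys only if it is not already there, and sets the 700/600 permissions the article's chmod produces. The home directory, the user name johnny and the sample key are constructed; the make_keypair function wraps the ssh-keygen call from step 1 and is only run if the OpenSSH client is installed.

```shell
#!/bin/sh
# Added example, not from the original article: server-side installation of a
# public key as described in "Manual copy of the public key", plus the
# ssh-keygen call from step 1 as a non-interactive function.
# All paths and the sample key below are constructed for the demonstration.
set -eu

nl='
'

# is_public_key LINE: accept exactly one OpenSSH public key line
# ("type base64blob [comment]"); reject multi-line pastes and stray text.
is_public_key() {
    case $1 in *"$nl"*) return 1 ;; esac
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# make_keypair FILE PASSPHRASE COMMENT: step 1 without prompts. An empty
# passphrase means an unencrypted private key. Requires the OpenSSH client.
make_keypair() {
    ssh-keygen -q -t rsa -b 4096 -f "$1" -N "$2" -C "$3"
}

# install_authorized_key HOME_DIR KEY_LINE: the manual-copy steps of the article
# (mkdir -p ~/.ssh, append to authorized_keys, chmod -R go= ~/.ssh), made
# idempotent so re-running never duplicates a key.
install_authorized_key() {
    home_dir=$1
    key=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    if ! is_public_key "$key"; then
        echo "refusing: not a single-line OpenSSH public key" >&2
        return 1
    fi
    mkdir -p "$ssh_dir"
    touch "$auth_file"
    # ">>" alone appends unconditionally; check first so repeated copies do not
    # pile up identical lines.
    if ! grep -qxF -- "$key" "$auth_file"; then
        printf '%s\n' "$key" >> "$auth_file"
    fi
    # sshd (StrictModes yes, the default) ignores authorized_keys when the file
    # or the directory is group- or world-writable, so this is not cosmetic.
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_file"
}

# count_keys HOME_DIR: number of non-empty lines in authorized_keys.
count_keys() {
    grep -c . "$1/.ssh/authorized_keys" || true
}

# Constructed sample key (not a real identity): the "ssh-rsa AAAA..." shape the
# article tells you to look for, followed by the usual user@host comment.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexampleKeyMaterialNotReal johnny@laptop'

demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_KEY"
install_authorized_key "$demo_home" "$SAMPLE_KEY"     # second run is a no-op
if command -v ssh-keygen >/dev/null 2>&1; then
    make_keypair "$demo_home/id_rsa" "" "johnny@laptop"
    install_authorized_key "$demo_home" "$(cat "$demo_home/id_rsa.pub")"
fi
echo "keys in authorized_keys: $(count_keys "$demo_home")"
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

The duplicate check is the difference between this and a bare `cat >> authorized_keys`: ssh-copy-id performs the same check, which is why it can be re-run safely. When running this as root for another user, follow it with the chown from the article so the directory belongs to that user.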
Step 3: Authenticate Ubuntu Server Using SSH Keys
If you have successfully completed one of the three procedures just shown, you should be able to log into the remote host without the remote account password. The basic process is the same:
If this is your first time connecting to this host (if you used the last method above), you might see something like this:
This means that the local computer does not recognize the remote host. Type “yes” and then press ENTER to continue.
If you did not provide a passphrase for the private key, you will be logged in immediately. If a passphrase was provided when the key was created, you will be prompted to enter it now (note that keystrokes will not appear in the terminal session, for security reasons). After authentication, a new shell session should open with the account you configured on the Ubuntu server.
If key-based authentication was successful, continue learning how to further secure your system by disabling password authentication.
Step 4: Disable password authentication on the server
If you were able to log into your account using SSH without a password, you have successfully configured SSH key-based authentication for your account. However, the password-based authentication mechanism is still active, which means your server is still exposed to brute-force attacks.
Before completing the steps in this section, make sure you have SSH key-based authentication configured for the root account on this server or, preferably, for a non-root account on this server with sudo privileges. This step will block password-based logins, so making sure you can still get administrative access is critical.
After verifying that your remote account has administrator privileges, log into your remote server with SSH keys, as root or with an account with sudo privileges. Then, open the SSH daemon configuration file:
Inside the file, look for the directive called PasswordAuthentication. This line may be commented out. Uncomment the line and set the value to "no". This disables the ability to log in via SSH using account passwords and makes the server more resistant to brute-force attacks:
Save and close the file when done by pressing CTRL + X, then Y to confirm saving the file, and finally ENTER to exit nano (the editor). For the change to take effect, the sshd service must be restarted:
As a precaution, open a new terminal window and verify that the SSH service is working correctly before closing this session:
After verifying the SSH service, you can safely close all current server sessions.
The SSH daemon on your Ubuntu server now only responds to SSH keys. Password-based authentication has been successfully disabled.
In this guide we have seen what the SSH protocol is for and how cryptographic keys can improve the security of our server. You have created and configured SSH key-based authentication on your server, which allows you to log in without providing an account password. Now you can forget your password ;)
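The following is an added example, not from the original article, that makes the step 4 edit without an interactive editor and adds a check the article does not cover: on Ubuntu 22.04 and later, sshd_config begins with an Include /etc/ssh/sshd_config.d/*.conf line, and cloud images ship a 50-cloud-init.conf in that directory that sets PasswordAuthentication yes. Because sshd keeps the first value it reads for a directive, such a drop-in silently wins over the edit in the main file, and password logins stay enabled. The file and directory paths in the demonstration are constructed temporary copies.

```shell
#!/bin/sh
# Added example, not from the original article: the step 4 edit done without
# an interactive editor, plus a check for overriding drop-in files. All paths
# used in the demonstration are constructed temporary copies.
set -eu

# set_sshd_option FILE NAME VALUE: turn any "#NAME ..." or "NAME ..." line
# into "NAME VALUE", or append the directive if the file never mentions it.
# Note: this also rewrites a NAME line inside a "Match" block, so review files
# that use Match by hand.
set_sshd_option() {
    file=$1
    name=$2
    value=$3
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$name([[:space:]]|$)" "$file"; then
        sed -i -E "s/^[[:space:]]*#?[[:space:]]*$name([[:space:]].*)?$/$name $value/" "$file"
    else
        printf '%s %s\n' "$name" "$value" >> "$file"
    fi
}

# effective_value FILE NAME: the value sshd would take from this file alone.
# sshd keeps the first occurrence of a directive, so that is what is reported.
effective_value() {
    grep -E "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print $2}'
}

# find_overrides DIR NAME: drop-in files (Ubuntu: /etc/ssh/sshd_config.d/*.conf,
# pulled in by the Include line at the top of sshd_config) that set NAME.
# Because Include comes first, a "PasswordAuthentication yes" in one of these
# beats the edit in the main file.
find_overrides() {
    grep -lE "^[[:space:]]*$2[[:space:]]+" "$1"/*.conf 2>/dev/null || true
}

demo=$(mktemp -d)
mkdir "$demo/sshd_config.d"
# Constructed excerpt of an Ubuntu sshd_config, not a complete file.
cat > "$demo/sshd_config" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
Port 22
#PasswordAuthentication yes
KbdInteractiveAuthentication no
EOF
# Constructed drop-in modelled on what cloud-init writes on Ubuntu cloud images.
printf 'PasswordAuthentication yes\n' > "$demo/sshd_config.d/50-cloud-init.conf"

set_sshd_option "$demo/sshd_config" PasswordAuthentication no
echo "main file: PasswordAuthentication $(effective_value "$demo/sshd_config" PasswordAuthentication)"
for f in $(find_overrides "$demo/sshd_config.d" PasswordAuthentication); do
    echo "override found in $f, fixing it too"
    set_sshd_option "$f" PasswordAuthentication no
done
# On a real server, validate the configuration and then restart the daemon:
#   sudo sshd -t && sudo systemctl restart ssh
rm -rf "$demo"
```

On a real Ubuntu server run `sudo sshd -t` after editing; it exits non-zero and names the line if the file is malformed, which is cheaper to discover than locking yourself out after the restart (the Ubuntu unit name is ssh, so `sudo systemctl restart ssh`). Keep the open session the article recommends until a second terminal has confirmed that key login still works and that a password attempt is now refused.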
I hope this guide definitely convinces you to use ssh keys, like real NERDs. Do you have questions? Leave a comment.