Setup SSH Keys

SSH keys are a stronger method of authentication than passwords for logging into remote servers via SSH. Because they replace passwords, SSH keys are nearly impossible to brute force, which makes your server's front door far harder to break down. This tutorial goes through how SSH keys work, generating an SSH key pair, saving it to your system, copying the public key to the remote server, and then ensuring the keys work. We also cover prohibiting password authentication via SSH at the end. Let's dive in!

How SSH Keys Work

SSH keys come in pairs: each pair has a public key and a private key. The two keys are mathematically related, but in such a way that the public key does not reveal the value of the private key. This is called public key or asymmetric encryption. When you log into the SSH server, the server creates a digital message, cryptographically hashes it, encrypts it using the SSH public key, and sends the hashed message to the recipient (in this case your local machine). The recipient decrypts the hashed message using the SSH private key, creates a new hash of the message, and compares it to the original hash created by the remote server. If the hashes match, the recipient accepts the message as authentic and an encrypted channel is established between the remote SSH server and the SSH client. How the encrypted channel itself is created is beyond the scope of this tutorial.

Generate an SSH Key Pair

The first step is to generate an SSH key pair. We do this on our local machine by entering the following command:

    ssh-keygen -t rsa -b 4096 -C "youremail@example.com"

ssh-keygen generates the SSH key pair. -t specifies the key type, in this case RSA (Rivest-Shamir-Adleman); other types include dsa, ecdsa and ed25519, but RSA is the standard, and it is secure and compatible. -b specifies the number of bits, in this case 4096 (the standard is 2048 bits; the larger the number, the more secure). -C adds a comment to the key, in this case your email, which identifies the owner of the key.

Once you run the command it will prompt you for where to save the key. The standard location is ~/.ssh/id_rsa, but if you have, or will have, multiple keys you may want to name them for your own reference. Enter the path to save the key and hit enter.

You will also be prompted to enter a passphrase that protects the SSH private key.

Once the key is saved, the terminal will output the key’s fingerprint and the key’s random art image.

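The following script is an added example for the two sections above; it is not part of the original tutorial. It runs the same ssh-keygen command non-interactively in a scratch directory, reads back the fingerprint the tutorial mentions, and shows the property that public-key login relies on using ssh-keygen's sign/verify mode (OpenSSH 8.0 or later): data signed with the private key verifies against the public key, and verification fails as soon as the data changes. The signature namespace "demo" and the signer identity "server-check" are arbitrary labels assumed for the example.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: generate a key pair without
# prompts, read back its fingerprint, and show the property SSH login relies on
# with ssh-keygen's sign/verify mode (OpenSSH 8.0+): a signature made with the
# private key verifies against the public key, and fails if the data changes.
# Names assumed for the example: the "demo" signature namespace and the
# "server-check" signer identity; both are arbitrary labels.

# generate_keypair DIR COMMENT
#   Same -t/-b/-C as the tutorial, plus -f (output path) and -N (passphrase) so
#   there are no prompts. An empty passphrase is only acceptable for a
#   throwaway key like this one.
generate_keypair() {
    ssh-keygen -q -t rsa -b 4096 -C "$2" -f "$1/id_rsa" -N '' >/dev/null
}

# key_fingerprint PUBKEY_FILE
#   Prints the SHA256 fingerprint, the same value ssh-keygen shows at creation.
key_fingerprint() {
    ssh-keygen -lf "$1" | awk '{print $2}'
}

# sign_challenge PRIVKEY_FILE CHALLENGE_FILE
#   Writes CHALLENGE_FILE.sig. Only the holder of the private key can do this.
sign_challenge() {
    ssh-keygen -Y sign -f "$1" -n demo "$2" >/dev/null 2>&1
}

# verify_challenge PUBKEY_FILE CHALLENGE_FILE SIG_FILE
#   Returns 0 if SIG_FILE is a valid signature over CHALLENGE_FILE by the key in
#   PUBKEY_FILE. The allowed_signers file maps an identity to a public key,
#   which is the role authorized_keys plays on a real server.
verify_challenge() {
    _signers=$(mktemp)
    printf 'server-check %s\n' "$(awk '{print $1, $2}' "$1")" > "$_signers"
    ssh-keygen -Y verify -f "$_signers" -I server-check -n demo -s "$3" \
        < "$2" >/dev/null 2>&1
    _rc=$?
    rm -f "$_signers"
    return $_rc
}

# Usage: sh keypair_demo.sh --demo   (everything happens in a temporary directory)
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    generate_keypair "$d" "youremail@example.com"
    echo "fingerprint: $(key_fingerprint "$d/id_rsa.pub")"
    printf 'constructed challenge %s\n' "$(date +%s)" > "$d/challenge"
    sign_challenge "$d/id_rsa" "$d/challenge"
    verify_challenge "$d/id_rsa.pub" "$d/challenge" "$d/challenge.sig" \
        && echo "signature verifies with the public key"
    printf 'tampered\n' > "$d/challenge"
    verify_challenge "$d/id_rsa.pub" "$d/challenge" "$d/challenge.sig" \
        || echo "signature rejected after the challenge was altered"
    rm -rf "$d"
fi
```

The fingerprint printed by key_fingerprint is what you compare against the value shown when the key was created, which is how you confirm a public key file on a server is the one you generated. Keep the empty -N '' strictly for throwaway keys; a key you will actually use should carry the passphrase the tutorial prompts for.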
Copy the SSH Key to the Remote Server

Now that you have an SSH key pair, we will copy the SSH public key to the remote server:

    ssh-copy-id username@hostname_ip

If you saved your key under a different name or path than the default, you will have to specify the exact path to the public key with -i. Be sure to copy the PUBLIC key, not the private key, to the remote server. For instance, the modified command may look like:

    ssh-copy-id -i ~/.ssh/mysshkey_id_rsa.pub username@hostname_ip

If your SSH server is running on a non-standard port (the standard is 22), such as 10000, add the -p port option, for instance:

    ssh-copy-id -i ~/.ssh/mysshkey_id_rsa.pub -p 10000 username@hostname_ip

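As an added example (not from the original tutorial, and not ssh-copy-id's own code), here is the work ssh-copy-id performs on the remote account, done by hand. It is useful when ssh-copy-id is not installed or when you want to see exactly what lands on the server: the key is appended to ~/.ssh/authorized_keys, the directory and file get the permissions sshd requires, duplicates are skipped, and a file that looks like a private key is refused, which is the mistake the paragraph above warns about. The home directory argument is a parameter assumed for the example so the function can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original tutorial): the server-side work that
# ssh-copy-id performs, done by hand. The HOME_DIR argument is an assumption
# for the example so it can run against a scratch directory instead of a real
# account.
#
# install_pubkey PUBKEY_FILE HOME_DIR
#   Appends the first key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys,
#   creating the directory and file with the permissions sshd insists on
#   (700 and 600) and skipping the key if it is already present. Refuses
#   anything that looks like a private key. Returns 0 on success, 1 on error.
install_pubkey() {
    _pub=$1
    _home=$2
    _sshdir=$_home/.ssh
    _auth=$_sshdir/authorized_keys

    [ -r "$_pub" ] || { echo "install_pubkey: cannot read $_pub" >&2; return 1; }

    # Guard against the classic mistake of shipping the private half.
    if grep -q -- '-----BEGIN' "$_pub"; then
        echo "install_pubkey: $_pub looks like a PRIVATE key, refusing" >&2
        return 1
    fi

    # A public key line is "<type> <base64> [comment]"; take the first non-empty line.
    _key=$(grep -v '^[[:space:]]*$' "$_pub" | head -n 1)
    _type=${_key%% *}
    case $_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*|ssh-dss) ;;
        *) echo "install_pubkey: unrecognised key type '$_type'" >&2; return 1 ;;
    esac

    # sshd ignores authorized_keys when the directory or file is group/world
    # writable (StrictModes), so create them with restrictive modes up front.
    mkdir -p "$_sshdir" && chmod 700 "$_sshdir"
    [ -f "$_auth" ] || : > "$_auth"
    chmod 600 "$_auth"

    # De-duplicate on type + key material so a differing comment does not matter.
    _material=$(printf '%s\n' "$_key" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$_auth" | grep -qxF -- "$_material"; then
        echo "install_pubkey: key already authorized"
        return 0
    fi
    printf '%s\n' "$_key" >> "$_auth"
    echo "install_pubkey: key added to $_auth"
}

# count_authorized HOME_DIR -> number of non-empty lines in authorized_keys
count_authorized() {
    [ -f "$1/.ssh/authorized_keys" ] || { echo 0; return; }
    awk 'NF { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# Usage on a server, as the target user: sh install_pubkey.sh ~/mykey.pub "$HOME"
if [ $# -eq 2 ]; then
    install_pubkey "$1" "$2"
fi
```

Running it twice with the same key leaves a single authorized_keys entry, which is also why re-running ssh-copy-id is harmless. If key login still fails after this, the permissions on the home directory, ~/.ssh and authorized_keys are the first thing to check, since sshd silently refuses keys from writable locations.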
Verify the Keys Work

To verify the keys work, open a new terminal and try logging into the server. You should be prompted for your key's passphrase and then logged in; if not, the configuration isn't correct.

Disable Password Authentication

Once you have copied the public key over to the remote server and VERIFIED that the keys are working (you should not have to enter your SSH password to log in to the remote server), it is time to disable password authentication for remote SSH access. BE CAREFUL: IF YOUR KEYS ARE NOT WORKING YOU WILL BE LOCKED OUT OF YOUR SERVER FOREVER.

Begin by logging into the server via SSH; it should log you in automatically with your key (if it doesn't, you should not be disabling password authentication yet). Now edit the SSH daemon config file, located at /etc/ssh/sshd_config. Open the file in an editor and find the line that says PasswordAuthentication; it will be set to "yes", and you want to set it to "no". Once you have updated the PasswordAuthentication value in sshd_config, exit the editor and restart the SSH server with the following command:

    sudo systemctl restart ssh

For instance, to open the sshd_config file in nano enter:

    sudo nano /etc/ssh/sshd_config

To save the file in nano press CTRL + O and hit enter, then CTRL + X will exit the editor.

Now test logging into the server via password authentication to ensure it is completely deactivated. If your server still allows password authentication, look for conflicting SSH options and values: if PasswordAuthentication appears more than once in sshd_config, another entry can override the one you changed. Also check whether your sshd_config file "includes" another file via an Include directive; if so, check that file too and ensure that any PasswordAuthentication entry in it is set to "no".

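The check described above can be scripted. The following is an added example, not part of the original tutorial: it walks sshd_config, follows every Include directive (sshd lets Include take glob patterns, which is how Ubuntu pulls in /etc/ssh/sshd_config.d/*.conf), and lists every PasswordAuthentication entry with its file and line number, returning failure if any of them is not "no". The sample configuration it builds in a temporary directory is constructed for the example; one assumption is noted in the code: relative Include paths are resolved next to the including file, whereas real sshd resolves them under /etc/ssh.

```shell
#!/bin/sh
# Added example (not from the original tutorial): list every
# PasswordAuthentication directive reachable from an sshd_config, following
# Include directives, and fail if any of them is not "no".

# audit_password_auth FILE
#   Prints "path:line: value" for each uncommented PasswordAuthentication
#   directive in FILE and in any file pulled in by an Include directive.
#   Entries inside Match blocks are reported too, without evaluating the Match
#   condition. Returns 0 if every occurrence is "no", 1 otherwise.
audit_password_auth() {
    _file=$1
    _bad=0
    _n=0
    if [ ! -r "$_file" ]; then
        echo "audit: cannot read $_file" >&2
        return 1
    fi
    while IFS= read -r _line || [ -n "$_line" ]; do
        _n=$((_n + 1))
        # Drop leading whitespace, then skip blank lines and comments.
        _trim=${_line#"${_line%%[![:space:]]*}"}
        case $_trim in
            ''|'#'*) continue ;;
        esac
        # sshd also accepts "Keyword=value"; normalise the first '=' to a space.
        _trim=$(printf '%s\n' "$_trim" | sed 's/=/ /')
        # Split into keyword and value with globbing off so a pattern such as
        # "*.conf" is not expanded here. Keywords and values are case-insensitive.
        set -f
        set -- $_trim
        set +f
        _kw=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]')
        _val=$(printf '%s\n' "${2:-}" | tr '[:upper:]' '[:lower:]')
        case $_kw in
            include)
                # Include takes one or more glob patterns. Real sshd resolves
                # relative patterns under /etc/ssh; as an assumption for this
                # example they resolve relative to the including file.
                shift
                for _pat in "$@"; do
                    case $_pat in
                        /*) ;;
                        *) _pat=$(dirname "$_file")/$_pat ;;
                    esac
                    for _inc in $_pat; do
                        [ -f "$_inc" ] || continue
                        # Recurse in a subshell so this loop's variables survive.
                        ( audit_password_auth "$_inc" ) || _bad=1
                    done
                done
                ;;
            passwordauthentication)
                printf '%s:%s: %s\n' "$_file" "$_n" "$_val"
                [ "$_val" = no ] || _bad=1
                ;;
        esac
    done < "$_file"
    return $_bad
}

# make_sample_config
#   Builds a constructed sshd_config plus an included file in a temporary
#   directory and prints the directory. The included file still says "yes",
#   the situation the tutorial tells you to look for.
make_sample_config() {
    _dir=$(mktemp -d)
    mkdir "$_dir/sshd_config.d"
    cat > "$_dir/sshd_config" <<EOF
# constructed sample, not a real server's file
Include $_dir/sshd_config.d/*.conf
Port 22
PasswordAuthentication no
EOF
    printf 'PasswordAuthentication yes\n' > "$_dir/sshd_config.d/10-example.conf"
    printf '%s\n' "$_dir"
}

# Usage on a server: sudo sh audit_password_auth.sh /etc/ssh/sshd_config
if [ $# -eq 1 ]; then
    audit_password_auth "$1"
fi
```

Two checks belong next to this one. The authoritative answer to "what is sshd actually using" is the daemon's own dump of its effective configuration, sudo sshd -T | grep -i passwordauthentication, which already accounts for includes and precedence. And before restarting, run sudo sshd -t, which validates the configuration file and reports syntax errors; restarting with a broken sshd_config is one of the ways the lock-out the tutorial warns about happens. Note also that the service is named ssh on Debian and Ubuntu but sshd on RHEL, Fedora and their derivatives, so adjust the systemctl restart command accordingly.
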
That's all: you have successfully activated SSH key login to your remote server and disabled password authentication!

Walter Miely is a tech entrepreneur and CEO of Phoenix Ignited Tech. You can find him on LinkedIn. This material is licensed under the CC BY 4.0 License. LEGAL DISCLAIMER: The content provided here is provided AS IS, and part of, or the entirety of, this content may be incorrect. Please read the entire Legal Disclaimer here.