SSH keys serve as a means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. One immediate advantage this method has over traditional password authentication is that you can be authenticated by the server without ever having to send your password over the network. This is also very handy when using any type of automation as it allows for unattended server communication.
To generate an SSH Key on your Linux server run the command
ssh-keygen. The command can take flags if you would like to customize the type of key generated as well as the signing algorithms used to generate the key. For this example we will be generating a standard 2048 bit RSA key without a passphrase. The command will prompt you for the location to store the key (Default is $HOME/.ssh/) as well as a passphrase to secure the ssh-key.
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
The key's randomart image is:
|. oo*%=+o.. |
|.++.oX+=. . |
|..+ooo=. . |
| E.+. .o. |
| + S..+ |
| . +. = |
| o = o |
| .o+ + |
| +o. |
Copying the Public key to remote-hosts
To authenticate with a remote-host using your Public ssh-key you will use the
ssh-copy-id command. Use the
-i flag to specify the Public key to copy to the remote-host.
root@bck2: # ssh-copy-id -i /root/.ssh/id_rsa.pub firstname.lastname@example.org
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.176.18.15 (10.176.18.15)' can't be established.
ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'email@example.com'"
and check to make sure that only the key(s) you wanted were added.
Note: The ssh-copy-id command appends the keys to the remote-host’s .ssh/authorized_key file.
Test that the key was copied correctly
To test that the public key was properly copied to the remote host simply ssh to the remote host.
root@bck2:/etc# ssh firstname.lastname@example.org
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-53-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Get cloud support with Ubuntu Advantage Cloud Guest:
0 packages can be updated.
0 updates are security updates.
Last login: Fri Feb 10 16:51:51 2017 from 18.104.22.168
As you can see we were not prompted for our password when ssh-ing in to the remote host.
SSH Keys with a passphrase
Providing a passphrase for your ssh-key provides an additional layer of security but it can also cause issues when you are trying to run automated scripts that require using the protected key. The program ssh-agent does you a favor by managing your keys for you. You enter the passphrase once, and after that, ssh-agent keeps your key in its memory and pulls it up whenever it is asked for it. To have ssh-agent start managing your keys simply invoke the following command:
Once the program has started use the
ssh-add command to add your public key to the agent. The ssh-add utility searches for default keynames, of which id_rsa is one, and adds them to the ssh-agent. Once you’ve typed your password, the "unlocked" key is stored with ssh-agent and can be used to authenticate against other servers.
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
Everytime you open a new terminal session you will be prompted for the keys passphrase. If you are only concerned with a few servers this is painless, but you may consider running the following commands to append your `.bash_profile` file so that ssh-agent starts with every bash session and your key is added.
echo ‘eval $(ssh-agent)’ >> ~/.bash_profile
echo ‘ssh-add’ >> ~/.bash_profile