Generating and using SSH-Keys for remote host authentication

Overview

SSH keys serve as a means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. One immediate advantage this method has over traditional password authentication is that you can be authenticated by the server without ever having to send your password over the network. This is also very handy when using any type of automation as it allows for unattended server communication.

Generating SSH-keys

To generate an SSH key on your Linux server, run the command ssh-keygen. The command accepts flags to choose the key type and size, but for this example we will generate a standard 2048-bit RSA key without a passphrase. The command will prompt you for the location to store the key (the default is $HOME/.ssh/) and for a passphrase to protect the private key (left empty here).

root@bck2:/etc# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx root@bck2.example.com
The key's randomart image is:
+---[RSA 2048]----+
|.  oo*%=+o..     |
|.++.oX+=. .      |
|..+ooo=. .       |
|   E.+. .o.      |
|    +   S..+     |
|     . +. =      |
|      o  = o     |
|      .o+ +      |
|       +o.       |
+----[SHA256]-----+

Copying the Public key to remote-hosts

To authenticate with a remote host using your public key, first copy the key to that host with the ssh-copy-id command. Use the -i flag to specify the public key file to copy.

root@bck2: # ssh-copy-id -i /root/.ssh/id_rsa.pub root@10.176.18.15
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub"
The authenticity of host '10.176.18.15 (10.176.18.15)' can't be established.
ECDSA key fingerprint is SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.

Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@10.176.18.15's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'root@10.176.18.15'"
and check to make sure that only the key(s) you wanted were added.

Note: The ssh-copy-id command appends the key to the remote host's ~/.ssh/authorized_keys file, skipping any key that is already present.
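The following shell function is an added example, not part of the original page or of the ssh-copy-id tool itself. It reproduces the effect of ssh-copy-id on the receiving side: it appends a public key line to authorized_keys only if that key body is not already there, and sets the directory and file permissions sshd requires before it will trust the file. The key line and the path are constructed for illustration.

```shell
#!/bin/sh
# Added example: install a public key into a user's authorized_keys the way
# ssh-copy-id does, but locally and idempotently. SAMPLE_PUBKEY is a
# constructed, non-functional key line used only for demonstration.

SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedexamplekeydata root@bck2.example.com'

# install_authorized_key SSH_DIR PUBKEY_LINE
# Appends PUBKEY_LINE to SSH_DIR/authorized_keys unless the same key type and
# key body is already listed (the trailing comment is ignored), and enforces
# the permissions sshd expects (700 on the directory, 600 on the file).
# Returns 0 when the key was added, 1 when it was already present.
install_authorized_key() {
    ssh_dir=$1
    pubkey=$2
    auth_file="$ssh_dir/authorized_keys"

    # Compare on "type base64body" only; comments may differ between copies.
    key_body=$(printf '%s\n' "$pubkey" | awk '{print $1 " " $2}')

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # awk exits 0 when a matching line is found, 1 otherwise.
    if awk -v want="$key_body" '($1 " " $2) == want {found=1} END {exit !found}' "$auth_file"; then
        return 1
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
    return 0
}

# count_authorized_keys SSH_DIR: number of key lines, ignoring blanks and comments.
count_authorized_keys() {
    grep -c -v -e '^[[:space:]]*$' -e '^[[:space:]]*#' "$1/authorized_keys"
}
```

Because the comparison ignores the comment field, re-running the install with the same key under a different comment does not create a duplicate entry, which is the check ssh-copy-id performs when it reports how many keys "remain to be installed".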

Test that the key was copied correctly

To test that the public key was properly copied to the remote host simply ssh to the remote host.

root@bck2:/etc# ssh root@10.176.18.15
Welcome to Ubuntu 16.04.2 LTS (GNU/Linux 4.4.0-53-generic x86_64)

* Documentation:  https://help.ubuntu.com
* Management:     https://landscape.canonical.com
* Support:        https://ubuntu.com/advantage

  Get cloud support with Ubuntu Advantage Cloud Guest:
    http://www.ubuntu.com/business/services/cloud

0 packages can be updated.
0 updates are security updates.

Last login: Fri Feb 10 16:51:51 2017 from 169.46.3.91
root@bck1:~#

As you can see, we were not prompted for a password when logging in to the remote host.

SSH Keys with a passphrase

Providing a passphrase for your ssh-key adds a layer of security, but it can cause issues when you run automated scripts that need the protected key. The ssh-agent program manages your keys for you: you enter the passphrase once, and after that ssh-agent keeps the decrypted key in memory and supplies it whenever it is asked for. To have ssh-agent start managing your keys, invoke the following command:

eval $(ssh-agent)

Once the agent has started, use the ssh-add command to add your private key to it. With no arguments, ssh-add searches for the default key names, of which id_rsa is one, and adds them to the agent. Once you have typed the passphrase, the "unlocked" key is held by ssh-agent and can be used to authenticate to other servers.

root@bck1:~# ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
root@bck1:~#

Every time you open a new terminal session you will be prompted for the key's passphrase. If you only deal with a few servers this is painless, but you may consider running the following commands to append to your `.bash_profile` so that ssh-agent starts with every bash session and your key is added.

echo 'eval $(ssh-agent)' >> ~/.bash_profile
echo 'ssh-add' >> ~/.bash_profile
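The two lines above start a fresh agent and prompt for the passphrase in every new shell, including shells that already have an agent. The script below is an added example, not from the original page: it is a guarded version of that .bash_profile fragment that starts ssh-agent only when no agent is reachable and calls ssh-add only when the key is not already loaded. The key path and the function names are assumptions for this example.

```shell
#!/bin/bash
# Added example: a guarded .bash_profile fragment for ssh-agent.
# Starts ssh-agent only when no usable agent is reachable and runs ssh-add
# only when the key is not already loaded, so opening another terminal does
# not spawn a second agent or ask for the passphrase again.
# The key path $HOME/.ssh/id_rsa is an assumption; adjust it to your key.

# agent_reachable: true when SSH_AUTH_SOCK points at a live agent socket.
# ssh-add -l exits 0 when keys are loaded, 1 when the agent is running but
# empty, and 2 when it cannot contact an agent; only status 2 means "no agent".
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] || return 1
    ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# key_loaded KEY_FILE: true when the agent already holds this identity.
# Compares the key file's fingerprint (ssh-keygen -lf) with the agent's list.
key_loaded() {
    fp=$(ssh-keygen -lf "$1" 2>/dev/null | awk '{print $2}') || return 1
    [ -n "$fp" ] && ssh-add -l 2>/dev/null | grep -q -F "$fp"
}

# ensure_ssh_agent KEY_FILE: start an agent if needed, then load the key once.
ensure_ssh_agent() {
    key_file=$1
    if ! agent_reachable; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
    if [ -r "$key_file" ] && ! key_loaded "$key_file"; then
        ssh-add "$key_file"   # prompts for the passphrase once per agent lifetime
    fi
}

# Only run from interactive shells (e.g. when sourced by ~/.bash_profile);
# non-interactive logins such as scp or cron jobs should not spawn agents.
case $- in
    *i*) ensure_ssh_agent "$HOME/.ssh/id_rsa" ;;
esac
```

Save this as a file and source it from ~/.bash_profile instead of the two echo lines; the interactive-shell check at the bottom keeps it from starting agents under scripts and file transfers.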