Beginners Guide To SSH Key Management

When you connect to a server via SSH from the client (the machine you want to use to establish the connection to the server), you will be asked to authenticate using the password of the user trying to connect to the computer server.

The issue with using password authentication is that they are easy to bypass as it is so common for server admins to use simple passwords, what if you can use something better and secure?

Let me introduce you to Public Key Authentication:

Public Key Authentication works by generating an SSH key-pair, a public, and a private key. The private key resides in your client machine and the public key resides in the server you would be connecting to, so, if you connect to a server that has your public key, it will know it’s you because you are the only one that has the private key that matches it. In fact, you can transfer the public key to different servers (the ones you own) and connect to them with the private key on your client machine.

Let’s get started with SSH key management in practice, I would also show you ways to secure it more.

Generating SSH Key

To get started, you’ll first need to generate the key pair; private and public key.

The ssh-keygen command is all you need to generate the keys, go ahead and input that in your terminal:

faruq@blog:~$ ssh-keygen
Generating public/private rsa key pair.
<span style="color: #ff4136;">Enter file in which to save the key (/home/faruq/.ssh/id_rsa):</span>
<span style="color: #ff4136;">Enter passphrase (empty for no passphrase):
Enter same passphrase again:
</span>Your identification has been saved in /home/faruq/.ssh/id_rsa.
Your public key has been saved in /home/faruq/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:S2UUB3pQk/gO+Ms5YiRTi8MUJna3ay162gFhTe2kJEQ faruq@blog.devsrealm.com
The key's randomart image is:
+---[RSA 2048]----+
|   oE ...o*+.    |
|  o =oo ++.o     |
| . +o=.*..+      |
|   ...= o+.      |
|   o.o =So       |
|    *.*.o..      |
|     B.o.o       |
|    ..+.=        |
|    .+.. .       |
+----[SHA256]-----+
pascal@blog:~$

Note: All prompted messages as been highlighted red above.

  • You will be asked for the directory to save your key files, hit Enter to default to /home/user/.ssh, keep in mind that the user would be the user you are currently logged in as.
  • The next part would tell you to enter the passphrase for the key, this is optional and you can skip by hitting the enter key. I’ll recommend you give it a passphrase (make sure this is different from your system password) as this is add-on security to the keys. Once you are done, the key would be saved in your selected directory.

Before we go further, let’s undertstand the process the ssh-keygen took when generating the key:

The ssh-keygen creates a directory named .ssh in your home directory if it doesn’t already exist, and inside that directory, it will create two files, id_rsa, and id_rsa.pub.

You might have guessed what both files do by their name, the id_rsa is your private key and should never leave your machine, if it leaves your machine somehow, then the new owner can connect to your server.

The permission of the id_rsa is –rw——-, which means it can only be read or writeable by only the owner and not any other user. Learn about file/directory permission in GNU/Linux.

The id_rsa.pub is your public key and can get copied to other servers, this way, you can log in via the key-pair.

Think of the public key as a half-solved equation, so when you log in to a server that has the public key, it checks that the private key has the other equation, and if the key-pair is mathematically correct, it lets you log-in. You’ll be asked for your passphrase if you choose one during the key creation.

Transferring The Generate SSH Public Key To Other Servers

There are a couple of ways you could transfer the public keys to other servers, the best way is to utilize the ssh-copy-id command, it automatically creates an ssh directory in your directory if it didn’t already exist.

Inside that directory, a file named authorized_key is created if it didn’t already exist, and lastly, the contents of ~/.ssh/id_rsa.pub on your client machine(the machine storing the private key) are copied into the ~/.ssh/authorized_key file on the target server.

I can’t imagine doing this manually on different servers, using the ssh-copy-id simplifies the approach.

Let’s see an example of how you can utilize the ssh-copy-id command:

ssh-copy-id -i ~/.ssh/id_rsa.pub xx.xx.xx.xx

The above command would transfer the public key to the target server, replace the xx.xx… with the actual IP of the target server, and you can as well use the hostname of the server. Learn how to simplify ssh connection using a simple config file.

Once you issue the command, you will be asked to login via password, and then the key would be copied over.

Keep in mind that if you set up a passphrase during the key generation, you will be asked to enter it in order to open your public key.

If you don’t want to be inputting your password every time you connect, you can cache your passphrase the first time you use it, this way, you won’t be asked for it every time you connect.

To benefit from the password caching, you can utilize the SSH agent.

Enter the following command as the user account you are starting your connection from:

eval ($ssh-agent)

The above command will start the SSH agent and will continue to run in the background of your shell.

The next step is to open your key for your agent:

ssh-add ~/.ssh/id_rsa

You will be prompted to enter the passphrase of the key, once you’ve input the correct passphrase of the key, it would be open and you won’t need to enter it again for future connection until you shell closes or you logged out.

If you want to change the key passphrase, use the ssh-keygen -p command.

This would change an existing passphrase or add a passphrase if you don’t already have one.

That’s all for now, have fun using the ssh commands.

Comment policy: Respectful and beneficial comments are welcome with full open hands. However, all comments are manually moderated and those that doesn't relate with what the passage is saying or offensive comments would be deleted. Thanks for understanding!

Leave a Reply

Your email address will not be published. Required fields are marked *