Ubuntu is one of the most used Linux distributions worldwide.
When managing servers or requiring secure communication on Ubuntu, SSH (Secure Shell) keys are essential for robust security.
Whether you’re setting up a secure connection for the first time or looking to enhance your server’s security protocols, this tutorial will provide a detailed, step-by-step approach to generating SSH keys in Ubuntu. The idea is to ensure your data remains protected and your connections secure.
Let’s start with an introduction to SSH keys.
Table Of Contents
- What is SSH Key
- How to Generate and Configure SSH Keys on Ubuntu
- Access the Remote Server
- Set Up Passwordless SSH Login (Optional)
- Conclusion
- FAQs
What is SSH Key
Secure Shell or SSH is a network protocol that creates a secure connection between a client and a server. It provides a secure channel over an unsecured network, allowing users to securely manage systems and transfer files.
An SSH key is a credential used for initiating communication and authentication using SSH. SSH keys are primarily used to authenticate and establish secure connections between a client and a server without the need for passwords.
These keys come in pairs: a private key, kept secure and confidential by the user and a public key that can be shared freely.
How to Generate and Configure SSH Keys on Ubuntu
The process of generating SSH keys involves the formation of two distinct keys:
Public Key: This key resides on the remote server. It identifies and authenticates the client by matching it with the corresponding private key.
Private Key: This key is kept strictly confidential. It plays a vital role in the authentication process, ensuring only the right user is verified and connected to the remote server (via public key).
This setup is fundamental to securing access to your server when you generate SSH keys on Ubuntu.
The Prerequisites
Before diving into the setup of SSH keys, ensure you have the following:
- A system running the latest stable Ubuntu version
- A user account with root or sudo privileges
- Access to a remote Ubuntu server
Now, let us see how to generate a public-private key pair on Ubuntu. The process generally has the following two steps.
Generate the SSH Key Pair
On your Ubuntu client system (the system that will connect to the server), follow these steps to create an SSH key pair:
Step #1: Create the .ssh Directory (if it doesn’t exist)
Create a .ssh directory within your home directory if it doesn’t already exist. Use the -p option with the mkdir command to make sure there are no errors if the directory is already present.
# mkdir -p $HOME/.ssh
Step #2: Set Directory Permissions
Modify the permissions of the .ssh directory to permit the user to read, write, and execute rights. This is essential for proper key management.
# chmod 0700 $HOME/.ssh
Step #3: Generate the Key Pair
Run the ssh-keygen command to initiate the key generation process. Note that the ssh-keygen command generates an RSA key pair by default.
# ssh-keygen
Next, when prompted specify a location to save the key files. Pressing Enter without specifying the location will save the key in the default .ssh directory.
Following this, you will be prompted to set a passphrase for additional security.
Choose a secure and unique passphrase for enhanced security, and press Enter.
Once the key is generated, you will see a confirmation message in the terminal.
Step #4: Enhance Security with 4096-bit Keys
In addition, for enhanced security, generate keys using 4096-bit RSA encryption.
# ssh-keygen -t rsa -b 4096
Note: If a key pair already exists under the same name, creating new keys will replace the existing data in the file, rendering the old keys unusable. We strongly recommend backing up the keys before you create new ones.
Transfer the Public Key to the Ubuntu Server
Once the key pair is generated, transfer the public key to your remote Ubuntu server, allowing users to access the remote server with the key rather than the password.
You can transfer the public key via one of the following ways.
Method #1: Utilize the ssh-copy-id Script
The ssh-copy-id script simplifies the process by automatically performing the following tasks:
- Logging into the remote server via SSH.
- Creating the .ssh directory and authorized_keys file on the remote server (if they don’t exist) with appropriate permissions.
- Adding the public key to the authorized_keys file.
Next, on the client system, utilize the ssh-copy-id command to transfer the key to the remote Ubuntu server. Use the -i option to specify the SSH key’s path:
# ssh-copy-id -i [ssh-key-location] [username]@[server-ip-address]
Here,
Replace [ssh-key-location] with the path to your public SSH key.
[username] with the username on the remote server.
[server-ip-address] with the IP address of the remote server.
Note: The typical path for an SSH key is ~/.ssh/id_rsa.pub. If your public key is stored in a different location or has a different name, adjust the path as required.
Important: Only transfer the public key. Never share your private key with anyone for security reasons.
When you try to connect to the server for the first time, a message indicating that the authenticity of the host cannot be established will appear in the terminal.
Type Yes and press Enter to continue.
Next, when prompted, enter the password for the server’s user account to authorize the transfer of the SSH public key.
The system transfers the contents of the ~/.ssh/id_rsa.pub file from the client system into the ~/.ssh/authorized_keys file on the server.
Method #2: Manual Public Key Transfer
In contrast to utilizing the ssh-copy-id script to transfer the public key to the server, here we will describe an alternate method to transfer the public key.
If your system lacks the ssh-copy-id or requires more control, you can manually transfer and insert the public key into the remote server’s authorized_keys file.
Note: This method is recommended for advanced users.
Step #1: View Your Public Key
On the client system, execute this command to view the public key.
# cat ~/.ssh/id_rsa.pub
Step #2: Copy the Public Key
Highlight the entire key and copy it to the clipboard. You can use Ctrl+Shift+C for this step.
Step #3: Connect to the Remote Server (Password Required)
Log into the SSH server using the password.
# ssh [username]@[remote_host]
Replace,
[username] with your username on the server
[remote_host] with the server’s hostname or IP address
Enter the password for the remote server’s user account when prompted.
Note: If password authentication is disabled on the server, manual SSH connection setup is impossible. Remote access would then require a console connection. The server becomes inaccessible without console access, and the process cannot proceed.
Step #4: Create Directories and Files (if they don’t exist)
On the remote server, set up the .ssh directory and create the authorized_keys file:
# mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys
Step #5: Set Permissions
Next, set appropriate permissions on the .ssh directory and authorized_keys file.
# chmod 700 ~/.ssh
# chmod 600 ~/.ssh/authorized_keys
Here,
chmod 700 ~/.ssh: This grants read, write, and execute permissions only to the user for the .ssh directory.
chmod 600 ~/.ssh/authorized_keys: This restricts read and write permissions only to the user for the authorized_keys file.
Step #6: Paste the Public Key
There are two ways to add the public key to the authorized_keys file:
Use echo (if connected via SSH)
Insert the public key you previously copied into the authorized_keys file on the remote server and execute the following command.
# echo 'paste-your-public-ssh-key-here' >> ~/.ssh/authorized_keys
Replace paste-your-public-ssh-key-here with your actual SSH public key.
Warning: Use the >> symbol to add content to an existing file. The > symbol replaces the entire file content. Ensure you are using the correct redirection symbol to prevent the accidental deletion of crucial data.
Use a text editor (if connected via console)
If you’re accessing the server through a console, open the authorized_keys file in a text editor. We will use Nano to demonstrate the process:
# nano ~/.ssh/authorized_keys
Paste the public key at the end of the file and save the changes.
Method #3: Use cat and SSH Simultaneously
So far we have discussed two methods to transfer the public key to the server. For advanced users, we recommend a more efficient way to transfer the public key.
Rather than manually logging into the remote server, use the cat command from your local machine to send the public key directly to the remote server’s authorized_keys file.
# cat ~/.ssh/id_rsa.pub | ssh [username]@[remote_host] "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
This command,
Reads the public key with cat ~/.ssh/id_rsa.pub
Pipes the output through SSH to the remote server.
Appends it to the authorized_keys file on the remote server.
Note: For those managing multiple servers or distributing keys across various machines, utilizing configuration management tools such as Ansible, Puppet, or SaltStack can streamline the handling of SSH keys. Each tool includes specific modules designed to manage SSH key distribution efficiently.
Access the Remote Server
Now that you have transferred the public key to the server, you can now connect to the remote server from your client system.
To connect to a remote server, execute the following command.
# ssh [username]@[server-ip]
Replace,
[username] with your username on the server
[server-ip] with the server’s IP address.
If SSH key authentication is configured, you might not be prompted for the user’s account password. However, if a passphrase protects your SSH key, you must enter it to unlock the key and proceed with authentication.
Once logged in successfully, users can access the remote server’s command line. You can then manage the server using terminal commands.
Set Up Passwordless SSH Login (Optional)
To enhance security further, you can turn off password authentication on the server, permitting access solely to clients with the matching private key.
Follow these steps to set up passwordless SSH logins on Ubuntu.
Step #1: Edit the SSH Configuration File
Access the sshd_config file on the remote server using your preferred text editor. Here, we will use Nano to edit text.
# sudo nano /etc/ssh/sshd_config
Step #2: Locate the Password Authentication Setting
Within the file, find the line:
PasswordAuthentication yes
Step #3: Disable Password Authentication
Change the line to:
PasswordAuthentication no
This disables password-based login attempts.
Step #4: Save and Exit
Press Ctrl+X to exit the editor.
When prompted, press Y to save changes.
Press Enter to confirm the filename.
Warning: Before you restart the SSH service, it’s crucial to log out and then attempt to log back in using the SSH key to verify that the key-based login functions properly. This ensures that you won’t be locked out of the server.
Step #5: Restart SSH Service
Restart the SSH service to apply the changes.
# sudo systemctl restart ssh
Conclusion
Mastering the process of generating SSH keys on Ubuntu is essential for anyone looking to enhance the security of their server communications. By following the steps outlined in this guide, you can establish a robust security protocol that safeguards your connections. This practice secures data transfer between you and your servers and streamlines your workflow by eliminating the need for passwords during login. Implementing SSH keys is a critical skill that will greatly benefit your administrative capabilities in Ubuntu.
FAQs
Q. What is the purpose of generating SSH keys on Ubuntu?
Generating SSH keys on Ubuntu provides a secure method of authenticating remote servers and services and a more secure alternative to password-based logins.
Q. How do I generate an SSH key in Ubuntu?
To generate an SSH key in Ubuntu, open a terminal and enter the command: ssh-keygen -t rsa -b 4096. This command creates a new 4096-bit RSA key pair, which is currently considered very secure.
Q. What file formats are used for SSH keys?
SSH keys typically consist of two files: a private key and a public key. The private key should be kept secure and confidential, while the public key can be shared.
Q. Can SSH keys be used for user authentication as well as server authentication?
Yes, SSH keys can authenticate both users and servers, ensuring that both the client and server verify each other’s identity.
Q. Is it necessary to use a passphrase with an SSH key?
While not mandatory, adding a passphrase to the SSH key adds a layer of security. If your private key is compromised, the passphrase prevents unauthorized use.
Q. How can I add my SSH public key to a remote Ubuntu server?
You can add your public key to a remote server by using the ssh-copy-id command followed by your username and the server’s IP address: ssh-copy-id username@server_ip_address.
Q. What should I do if I lose my SSH private key?
If you lose your private key, you will no longer be able to access servers that require that key for authentication. It is advisable to generate a new key pair and replace the public key on all servers with the new one.
Q. What are the security best practices for managing SSH keys on Ubuntu?
Best practices include using a strong passphrase, regularly rotating keys, using the latest key generation algorithms, and limiting the SSH key’s access only to necessary servers. Additionally, regularly auditing and reviewing authorized keys is crucial for maintaining security.
Q. What is a decent version of OpenSSH to use for generating SSH keys on Ubuntu?
When generating SSH keys, it’s advisable to use the most recent stable version of OpenSSH. To install or update OpenSSH on Ubuntu, you can use the command sudo apt install openssh-server.
Q. How do bit sizes affect SSH key encryption?
The bit size of an SSH key is crucial for its security. Larger bit sizes, such as 4096 bits, offer more robust encryption and significantly increase the difficulty of decryption by unauthorized parties, protecting against common brute-force attacks.
Q. What is asymmetric encryption methodology in the context of SSH keys?
Asymmetric encryption uses a pair of keys for encryption and decryption—a public key and a private key. This methodology is fundamental to SSH key encryption, enabling secure shell access by ensuring that only the holder of the private key can decrypt data encrypted by the public key.
Q. How can I protect my remote systems from common brute-force password hacking attacks?
To protect remote systems, disable password authentication on your target host and use SSH keys instead. Configure your SSH service to require keys by setting PasswordAuthentication number in your sshd_config file, which helps mitigate brute-force password attacks.
Q. How do I install OpenSSH on Ubuntu to manage SSH keys?
You can install OpenSSH on your Ubuntu system by running sudo apt install openssh-server. This command installs the necessary tools to create and manage OpenSSH certificates and secure shell access.
Q. What is the target host in SSH key configuration?
The target host refers to the remote system you wish to access securely via SSH. Configuring SSH keys involves adding your public key to the authorized_keys file on the target host to establish a secure connection.
Q. Which configuration option ensures only key-based authentication is used?
In the OpenSSH server configuration file, setting PasswordAuthentication number ensures that the server permits only key-based authentication, enhancing security.
Q. How do OpenSSH certificates improve secure shell access?
OpenSSH certificates can authenticate secure shell access more dynamic than static keys. They allow centralized management of authentication, reducing the overhead of handling keys for each user and system.
Q. How does the type of SSH connection make the connection safer?
Using SSH keys instead of passwords for connections can make your connection type much safer. This method leverages the security strengths of asymmetric encryption to prevent unauthorized access.
Q. Can I use a hardware security key with SSH?
Yes, you can use a hardware security key with SSH to further secure your connections. This is set up through SSH‘s support for hardware-based authentication, such as FIDO U2F. This method adds a physical layer of security to the authentication process, making unauthorized access even more challenging.