Security has reached a tipping point for the IT industry. If you’re looking for an alternative to passwords, key-based authentication in SSH might be the right solution for you. This type of authentication uses a public and private key pair to verify your identity, and it’s much more secure than a password.
In this blog post, we will discuss how to generate SSH Key Pair in Linux with detailed steps.
When you’re finished, you’ll have a solid understanding of SSH so that you can more securely remote into your Linux servers.
What are SSH Key Pairs?
SSH Key pairs are the foundation of digital security. Key pairs are based on public key infrastructure(PKI) Technology. They are used to provide secure methods for authentication. This is the reason why they’re so important to our personal life or business activities.
SSH keys always come in pairs, and every pair is made up of a private key and a public key. A public key can be known by everyone, but the private key can be known or used only by the owner. Public keys can be distributed to anyone in any mechanism. There is no need to protect the secrecy of the public key.
What are the benefits of using key authentication in SSH?
- Easy and non-interactive login. Users don’t have to type the password for every new session
- More secure compared to passwords as it works on public-private key cryptography
- More reliable
- Better authentication and authorization management
- A good solution for both small and large infrastructure
- Easy to build and maintain
What is key-based authentication in SSH?
SSH keys are used to authenticate and establish an encrypted communication channel between a client and a remote machine over the internet. The public key is stored on the system, and the private key is stored in a secure local location.
When we attempt to log in to the system, the public key is transmitted to the server, and the server uses it to verify your identity. If the keys match, we are logged in.
Generate a SSH key pair with ssh-keygen command
we are going to use the ssh-keygen command to generate SSH public and private key files. By default, these files are created in the ~/.ssh directory. You can specify a different location, and an optional password (passphrase) to access the private key file.
If an SSH key pair with the same name exists in the given location, those files are overwritten. The following command creates an SSH key pair using RSA encryption and a bit length of 4096:
ssh-keygen -m PEM -t rsa -b 4096
Understanding ssh-keygen Command in Linux
ssh-keygen command will generate two files: a private key file named id_rsa and a public key file named id_rsa.pub. The following example shows additional command options.
ssh-keygen -m PEM -t rsa -b 4096 -C “how@howtouselinux.com” -f ~/.ssh/mykeys/myprivatekey
ssh-keygen = the command used to create the keys
- -m PEM = format the key as PEM
- -t rsa = type of key to create, in this case in the RSA format
- -b 4096 = the number of bits in the key, in this case 4096
- -C “how@howtouselinux.com” = a comment appended to the end of the public key file to easily identify it. Normally an email address is used as the comment, but use whatever works best for your infrastructure.
- -f ~/.ssh/mykeys/myprivatekey = the filename of the private key file, if you choose not to use the default name. A corresponding public key file appended with .pub is generated in the same directory. The directory must exist.
Which SSH Key type is safe?
SSH protocol supports several public key types for authentication keys. The key type and key size both matter for security. Based on the difference of each SSH key type, we recommend the following ways to generate SSH key file.
- ssh-keygen -t rsa -b 4096
- ssh-keygen -t dsa
- ssh-keygen -t ecdsa -b 521
- ssh-keygen -t ed25519
Detailed Example of ssh-keygen
ssh-keygen -t rsa -m PEM -b 4096 -C “how@howtouselinux.com”
Generating public/private rsa key pair.
Enter file in which to save the key (/home/howtouselinux/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/howtouselinux/.ssh/id_rsa.
Your public key has been saved in /home/howtouselinux/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:vFfHHrpSGQBd/oNdvNiX0sG9Vh+wROlZBktNZw9AUjA how@howtouselinux.com
The key’s randomart image is:
+—[RSA 4096]—-+
| .oE=*B*+ |
| o+o.*++|
| .oo++*|
| . .B+.O|
| S o=BO.|
| . .o++o |
| . … . |
| .. . |
| .. |
+—-[SHA256]—–+
Display SSH Key with Linux Cat command
If you’re not familiar with the format of an SSH public key, we can display our public key with the following cat command. Replace ~/.ssh/id_rsa.pub with the path and filename of our own public key file if needed: cat ~/.ssh/id_rsa.pub
A typical public key value looks like this:
ssh-rsa AAAAB3NzaC1gR5mKnGpKWR…jieHsxe how@howtouselinux.com
Copy the SSH Public Key to remote Server
Once the key pair is generated, it’s time to place the public key on the server that we want to connect to. We can copy the public key into the server’s authorized_keys file with the ssh-copy-id command.
Make sure to replace the example username and address: ssh-copy-id -i keyfile how@howtouselinux
How to login Linux with SSH key?
We can add the -i flag and the path to your private key in ssh command.
For example, to invoke the private key host_key, stored in the ~/.ssh/ directory, when connecting to your account on a remote host (for example, username@howtouselinux.com), enter:
ssh -i ~/.ssh/host_key username@howtouselinux.com
We can also setup this up from ssh client configuration file.The SSH client configuration file is a text file containing keywords and arguments.
To specify which private key should be used for connections to a particular remote host, use a text editor to create a ~/.ssh/config that includes the Host and IdentityFile keywords.
For example, we can add the following lines for host www.howtouselinux.com to use the private key host_key.
Host www.howtouselinux.com
IdentityFile ~/.ssh/host_key
Understanding host fingerprint with ssh-keygen Command
If we’re connecting to the remote server for the first time, we’ll be asked to verify the host’s fingerprint. It’s tempting to simply accept the fingerprint that’s presented, but that approach exposes us to a possible person-in-the-middle attack.
We should always validate the host’s fingerprint. We need to do this only the first time we connect from a client. To obtain the host fingerprint via the portal, use the Run Command feature to execute the command ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub | awk ‘{print $2}’.