Secure Shell, or SSH, is an encrypted protocol for administering and communicating with servers. When working with a Linux server, you may find yourself spending a significant amount of time in a terminal session connecting to the server using SSH.
While there are a number of other ways to log in to an SSH server, we’ll focus on setting up SSH keys in this post. SSH keys are a highly secure method of connecting to your server.
How to Use a Private Key to Login SSH
Traditional login credentials are replaced with a key pair consisting of a private and a public key in SSH keys. For server access, both keys are necessary. The private key is unique to each user and is kept on their device, where it is never shared with the server or another user.
Recommended Read: Browse privately on the web
The related public key can be freely shared without causing any harm. The public key can be used to encrypt messages that can only be decrypted with the private key. This attribute is used to verify the authenticity of the key pair.
SSH keys are also far more complicated than standard passwords, making them far more difficult to brute-force attacks.
Preparing your Server
To add an SSH key pair, execute the following command to create a hidden folder in your user account’s home directory on your cloud server.
mkdir -p ~/.ssh
Then use the command below to limit the permissions on that directory to only yourself.
chmod 700 ~/.ssh
You may now keep your SSH keys for authentication in a secure location. However, because the keys are kept in your user’s home directory, each user who wants to utilize SSH keys for authentication must repeat these procedures on their own profile.
For Linux or another OS that supports OpenSSH
Step 1 – Use the following command to generate a new key pair in a terminal.
ssh-keygen -t rsa
The key generator will ask for the location and name of the file where the key will be kept. Enter a new name or press enter to use the default. Here id_rsa is the name of our Private Key file. You can always specify a different path and name for the Private Key file. We’ll utilize the default settings for our demonstration.
Step 2 – Create a passphrase for the key when prompted (Optional)
This is a basic password that will safeguard your private key if it falls into the wrong hands. You may either enter a password or proceed without one. Press enter twice to do so. It’s worth noting that some automation tools may be unable to decrypt password-protected private keys.
We would have successfully generated our Key Pair at this point. We’re also given a ‘fingerprint’ and a ‘visual fingerprint’ of our key, which we don’t have to save.
The output will be as follows:
Step 3 – Configure the Server To Use Our Private Key
Under /home/user/.ssh, we should now have the following two files:
id_rsa : Our SSH Private Key
id_rsa.pub : Our SSH Public Key
Take note of the private key’s permissions ( id_rsa ). PERMISSIONS SHOULD ALWAYS BE 600 IN SSH Private Key Files! If not, use the chmod command to set its permission to the specified value:
chmod 600 /home/user/.ssh/id_rsa
Step 4 – The next step is to set up our Server so that we can log in with our private key. This can be done manually by connecting to the server and manually configuring everything, but there is a utility called ssh-copy-id that takes care of everything for us!
As a result, simply run to configure our Server to use our new ssh keys.
- USER is the username we want to login as onto the server
- IP is the IP address of our Server
Step 5 – With that, we can now just SSH into our server using the following command:
If you’ve previously specified a passphrase, you’ll be prompted to do so again:
Note that if you’re not using the default path and file names, you’ll need to use the -i flag to specify the private key file:
ssh -i /path/to/private/key USER@IP
As a result, we are now able to SSH into our machine using our PRIVATE KEY!
Step 6 – Set up SSH Agent to store the keys to avoid having to re-enter passphrase at every login (Optional)
To start the agent and add the private SSH key, use the instructions below.
When prompted, enter the current passcode for your key. You’ll have to supply the private key’s location and name if you saved it somewhere other than the default location and name.
After that, you may connect to your cloud server using the keys for authentication, and you just have to unlock the key after the computer restarts by repeating the last two steps.
Using PuTTYTray to generate a key pair (For Windows users)
If you’re using Windows with PuTTYTray for SSH, you can create a fresh key pair with PuTTY’s built-in key generator.
Step 1 – To get started, Install PuTTY And PuTTYgen
To convert OpenSSH keys and connect to the server through SSH, you’ll need both PuTTY and PuTTYgen. From the PuTTY Download Page, you can download these two utilities separately or as a Windows installer.
Double-click the executable in the Download folder to run the PuTTY Windows installer, then continue the installation walkthrough. Most setups will be fine with the default settings. PuTTY and PuTTYgen should now be found in the Windows Programs list.
Step 2 – Click the Keygen button at the bottom of the PuTTY Configuration window.
At the bottom of the Key Generator window, make sure that the type of key to generate is set to SSH-2 RSA. The earlier SSH-1 was the standard’s original version, however, it is now considered outdated. SSH-2 is supported by the majority of current servers and clients.
Step 3 – Click the Generate button to begin
For a few seconds, keep moving your cursor over the blank space in any way to help produce randomness until the progress is complete.
PuTTY will display the pair’s related data as well as the public key for simple copying after the keys have been finalized.
Step 4 – (Optional) For extra security, enter a key passphrase in the two empty boxes before proceeding. If someone can duplicate your key, the pass will safeguard it from illegal usage. Some automation tools, on the other hand, maybe unable to decrypt passphrase-protected private keys.
Step 5 – Save the private key by clicking the Save private key button and keeping it somewhere secure.
As long as your PC is password secured, you may put anything in your user directory. You may wish to copy the public key to your clipboard before closing the keygen, but you can always obtain it afterward. You’ll need to import your new key into the PuTTY key agent now that it’s saved on your computer.
To open the key manager in the PuTTY Configuration window, click the Agent button.
In the Key List, click Add Key, then navigate to the location where you stored the private key, select it, and click Open. If prompted, enter your key passcode.
This will import the key into your PuTTY client, but the public key must still be copied to your server.
Go to the SSH key directory by opening an SSH connection to your cloud server.
OpenSSH searches for public keys, which are called authorized_keys. So make sure this file is created.
Step 6 – Simply right-click the SSH client window and paste the public key into the file. To allow OpenSSH to read the key, make sure it’s on a single line. It’s worth noting that the key type, ssh-rsa, must also be specified, as seen in the sample below.
Save the file and close the editor once you’ve copied the public key to the permitted keys list. By login back onto your server, you can now test the public key authentication.
Instead of being prompted for your password, you should be able to log in immediately using the key. If it still doesn’t work, make sure your SSH Agent’s private key is unlocked and try again.
Connect To Server With Private Key using Putty
Launch Putty and follow the below steps to connect to the server:
- Under Session, type the remote server’s Host Name or IP address.
- Select Connection > SSH > Auth from the drop-down menu.
- For authentication, click Browse… under Authentication parameters / Private key file.
- Click Open to open the id_rsa.ppk private key.
- Finally, click Open to log in using key pair authentication to the remote server.
Turn off Password Authentication
You can disable password authentication for SSH altogether to prevent brute-forcing now that SSH key authentication has been established and tested. When you’re connected to your cloud server.
Run the following command to open the SSH configuration file.
sudo nano /etc/ssh/sshd_config
Disable clear text passwords by setting the password authentication to no.
Just to be cautious and avoid being locked out of your server, make sure public key authentication is enabled.
After that, save and close the editor. To apply these modifications, use the command below to restart the SSH service.
sudo systemctl restart sshd
With that completed, your cloud server is one step closer to being secure. Attempts to connect to your server with malicious intent will be rejected since simple passwords are not permitted and brute-forcing an RSA key is very difficult.
Always remember to keep your private keys secure. If you want to be extra secure, you may use the same key on numerous computers or generate fresh ones for each client connecting to your cloud server.
For safe access control, each user should produce their key pair and password. Even if one of the private keys is compromised, you won’t have to replace them all if you handle them properly.
Daniel Moore is the Founder & Editor-in-chief of Private-Spy, an experienced hacker, lecturer and an all-round fun guy! A writer by day and reader by night, he holds a Master’s degree in Computer applications and believes that privacy is our god given right. Daniel has been known to have published in-depth guides and tutorials that have been used by millions of people across the world.