How to create and install SSH keys from the Linux shell

Take cybersecurity seriously and use SSH keys for remote logins. They are a safer way to connect than passwords. We’ll show you how to generate, install, and use SSH keys on Linux.

What’s wrong with passwords?

Secure Shell (SSH) is the encrypted protocol used to log into user accounts on remote Linux or Unix-like computers. Usually such user accounts are secured with passwords. When you log on to a remote computer, you must provide the username and password for the account you are logging into.

Passwords are the most common means of securing access to computer resources. Still, password-based security has its weaknesses. People choose weak passwords, share passwords, use the same password on multiple systems, and so on.

SSH keys are much more secure and, once set up, are just as easy to use as passwords.

What makes SSH keys secure?

SSH keys are created and used in pairs. The two keys are linked and cryptographically secure. One is your public key and the other is your private key. They are tied to your user account. If multiple users are using SSH keys on a single computer, each will have their own key pair.


Your private key will (usually) be installed in your home folder and the public key will be installed on the remote computer or computers that you need to access.

Your private key must be kept safe. If it is accessible to others, you are in the same situation as if they had discovered your password. A sensible, and strongly recommended, precaution is to encrypt your private key on your computer with a robust passphrase.

The public key can be freely shared without compromising your security. It is not possible to determine what the private key is by examining the public key. The public key can encrypt messages that only the private key can decrypt.

When you make a connection request, the remote computer uses its copy of your public key to compose an encrypted message. The message contains a session ID and other metadata. Only the computer that has the private key – your computer – can decrypt this message.

Your computer will access your private key and decrypt the message. It then sends its own encrypted message back to the remote computer. This encrypted message contains, among other things, the session ID received from the remote computer.

The remote computer now knows that you must be who you say you are as only your private key can extract the session ID from the message sent to your computer.

Make sure you can access the remote computer

Make sure you can remotely connect to the remote computer and log in. This proves that your username and password belong to a valid account on the remote computer and that your credentials are correct.


Do not try to do anything with SSH keys until you have verified that you can use SSH with passwords to connect to the target computer.

In this example, someone with a user account named dave is logged in to a computer called howtogeek. They will be connecting to another computer called Sulaco.

You enter the following command:

ssh dave@sulaco

You will be asked for your password. Enter it and you will be connected to Sulaco. Your command line prompt will change to confirm this.

That is the confirmation we need. So user dave can disconnect from Sulaco with the exit command:

exit

You will receive the disconnect message and your command line prompt will return to dave@howtogeek.

Create a pair of SSH keys

These instructions have been tested on Ubuntu, Fedora, and Manjaro distributions of Linux. In all cases the process was identical and no new software had to be installed on the test machines.

Enter the following command to generate your SSH keys:

ssh-keygen


The generation process begins. You will be asked where to store your SSH keys. Press the Enter key to accept the default location. The permissions on the folder secure it for your use only.

You will now be asked for a passphrase. We strongly recommend that you enter a passphrase here. And remember what it is! You can press Enter to have no passphrase, but that’s not a good idea. A passphrase that consists of three or four unrelated words strung together makes a very robust passphrase.

You will be asked to enter the same passphrase again to verify that you have entered what you think you have entered.

The SSH keys are generated and saved for you.

You can ignore the “randomart” that is displayed. Some remote computers may show you their randomart every time you connect. The idea is that you will notice if the randomart changes and be suspicious of the connection, because a change means the SSH keys for that server have been altered.
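To check an existing private key for the two protections this section relies on, owner-only permissions and a passphrase, a small audit script is enough. This is an added example, not part of the original article: the function names key_state, key_perms_ok and audit_key are hypothetical, and the demo files are constructed fragments (header plus first body line), not real keys.

```shell
#!/bin/sh
# Added example: audit a private key file for owner-only permissions
# and passphrase protection. Function names are hypothetical.

# key_state FILE prints: encrypted | unencrypted | unknown
key_state() {
    case "$(sed -n '1p' "$1")" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            # The base64 body starts with "openssh-key-v1\0" followed by the
            # cipher name; the cipher "none" always encodes to this prefix.
            case "$(sed -n '2p' "$1")" in
                b3BlbnNzaC1rZXktdjEAAAAABG5vbmUA*) echo unencrypted ;;
                b3BlbnNzaC1rZXktdjEA*)             echo encrypted ;;
                *)                                 echo unknown ;;
            esac ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo encrypted ;;
        "-----BEGIN "*"PRIVATE KEY-----")
            # Legacy PEM: encrypted keys carry a Proc-Type header line.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted
            else echo unencrypted; fi ;;
        *) echo unknown ;;
    esac
}

# key_perms_ok FILE succeeds only if group and others have no access.
# ssh itself refuses to use a private key that others can read.
key_perms_ok() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

audit_key() {
    state=$(key_state "$1")
    if key_perms_ok "$1"; then perms=owner-only; else perms=too-open; fi
    echo "$1: $state, $perms"
}

# Demo on constructed files (not real keys).
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAAB' > "$demo/id_plain"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
    'b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0' > "$demo/id_locked"
chmod 644 "$demo/id_plain"; chmod 600 "$demo/id_locked"
audit_key "$demo/id_plain"; audit_key "$demo/id_locked"
rm -rf "$demo"
```

Run audit_key against your own key file, for example ~/.ssh/id_ed25519; a result of "unencrypted" means the key was created without a passphrase.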

Install the public key

We need to install your public key on Sulaco, the remote computer, so that it knows that the public key is yours.


We do this with the ssh-copy-id command. This command connects to the remote computer like the regular ssh command, but instead of allowing you to log in, it transfers the public SSH key.

ssh-copy-id dave@sulaco

Even though you are not logging in to the remote computer, you will still need to authenticate with a password. The remote computer must identify which user account the new SSH key belongs to.

Note that the password you need to provide here is the password for the user account you are logging into. This is not the passphrase you just created.

When the password has been verified, ssh-copy-id transfers your public key to the remote computer.

You will be returned to the command prompt on your computer. You will not stay connected to the remote computer.
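What ssh-copy-id leaves behind in the remote account can be reproduced by hand, which is useful when checking a server or when ssh-copy-id is not available. This is an added example, not part of the original article or of OpenSSH: the helper name install_pubkey, the temporary directory standing in for the remote home folder, and the public key string are constructed for illustration.

```shell
#!/bin/sh
# Added example: the account-side result of ssh-copy-id, done by hand.
# install_pubkey HOME_DIR PUBKEY_LINE   (hypothetical helper name)
install_pubkey() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Only a single public key line may go in; never a private key.
    case "$pubkey" in
        *"PRIVATE KEY"*) echo "refusing: that is a private key" >&2; return 2 ;;
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*) ;;
        *) echo "refusing: unrecognised key type" >&2; return 2 ;;
    esac

    # sshd with StrictModes (the default) rejects these when group or
    # others can write to them, so keep them owner-only.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Append only if this exact line is not already present.
    if grep -qxF -- "$pubkey" "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# Permission string of a path, e.g. "drwx------".
perm_of() { ls -ld "$1" | cut -c1-10; }

# Number of keys currently authorised for the account.
key_count() { grep -c . "$1/.ssh/authorized_keys"; }

# Demo: a throwaway directory stands in for dave's home on Sulaco.
# The key below is a constructed placeholder, not a real public key.
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal000000000000 dave@howtogeek'
install_pubkey "$demo_home" "$demo_key"
install_pubkey "$demo_home" "$demo_key"    # second run must not duplicate
echo "dir:  $(perm_of "$demo_home/.ssh")"
echo "file: $(perm_of "$demo_home/.ssh/authorized_keys")"
echo "keys: $(key_count "$demo_home")"
rm -rf "$demo_home"
```

Reviewing authorized_keys on a server this way also shows every key that can log in to the account, so unexpected entries stand out.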

Establish connection via SSH key

Let’s follow the suggestion and try to connect to the remote computer.

ssh dave@sulaco


Since the connection process requires access to your private key and you have protected your SSH keys behind a passphrase, you will need to provide your passphrase in order for the connection to continue.

Enter your passphrase and click the Unlock button.

After entering your passphrase in a terminal session, you do not need to enter it again as long as the terminal window is open. You can connect and disconnect as many remote sessions as you want without having to re-enter your passphrase.

You can check the box for the “Automatically unlock this key when I’m logged in” option, but it will reduce your security. If you leave your computer unattended, anyone can connect to the remote computers that have your public key.

Once you have entered your passphrase, you are connected to the remote computer.

To check the process from end to end, disconnect with the exit command and reconnect to the remote computer using the same terminal window.

ssh dave@sulaco

You will be connected to the remote computer without the need for a password or passphrase.

No passwords, but increased security

Cybersecurity experts speak of a thing called security friction. That is the minor pain you have to put up with in return for extra security. It usually takes an additional step or two to adopt a safer way of working. And most people don’t like it. They actually prefer lower security and the absence of friction. That is human nature.


With SSH keys, you get increased security and convenience. It’s a definite win-win situation.
