Secure Shell (SSH) is a network protocol for creating a secure connection between a client and a server. With SSH, you can run commands on remote computers, create tunnels, forward ports, and more.
SSH supports various authentication mechanisms. The two most common are password and public key authentication.
Public key authentication relies on digital signatures and is more secure and convenient than traditional password authentication.
This article explains how to generate SSH keys on Ubuntu 20.04 systems. We’ll also show you how to set up SSH key based authentication and connect to remote Linux servers without entering a password.
Generating SSH Keys on Ubuntu
Chances are, you already have an SSH key pair on your Ubuntu client machine. If you generate a new key pair, the old one will be overwritten. To check if the key files exist, run the following ls command:
ls -l ~/.ssh/id_*.pub
If the command returns something like No such file or directory or no matches found, it means the user does not have SSH keys and you can proceed to the next step and generate an SSH key pair. Otherwise, if you have an SSH key pair, you can either create existing ones or back up the old keys and create a new key pair.
To generate a new 4096 bit SSH key pair with your email as comment, run:
ssh-keygen -t rsa -b 4096 -C "[email protected]"
You will be prompted for a filename:
Enter file in which to save the key (/home/yourusername/.ssh/id_rsa):
The default location and filename should be suitable for most users. Press Enter to accept and continue.
Next, you will be prompted for a secure passphrase. Passphrase adds an extra layer of security. If you set a passphrase, you will be prompted to enter it every time you use the key to log into the remote computer.
If you don’t want to set a passphrase, press Enter.
Enter passphrase (empty for no passphrase):
All interaction looks like this:
To verify that your new SSH key pair has been generated, enter:
That’s all. You have successfully generated an SSH key pair on your Ubuntu client machine.
Copy the public key to the remote server
Now that you have your SSH key pair, the next step is to copy the public key to the remote server you want to manage.
The easiest and most recommended way to copy the public key to the server is to use the ssh-copy-id tool. On your local machine, type:
ssh-copy-id [email protected]_ip_address
You will be prompted for the remote user’s password:
[email protected]_ip_address's password:
After the user is authenticated, the public key ~ / .ssh / id_rsa.pub will be added to the ~ / .ssh / authorized_keys file of the remote user and the connection will be closed.
Number of key(s) added: 1 Now try logging into the machine, with: "ssh '[email protected]_ip_address'" and check to make sure that only the key(s) you wanted were added.
If for some reason the ssh-copy-id utility is not available on your local machine, use the following command to copy the public key:
cat ~/.ssh/id_rsa.pub | ssh [email protected]_ip_address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
Login to your server using SSH keys
After following the steps above, you will be able to log into the remote server without prompting for a password.
To test this, try logging into your server via SSH:
ssh [email protected]_ip_address
If you have not set a passphrase for the private key, you will be immediately signed in. Otherwise, you will be prompted for a passphrase.
Disable SSH Password Authentication
Disabling password authentication adds an extra layer of security to your server.
Before disabling SSH password authentication, make sure you can log into your server without a password and the user you log in with has sudo privileges.
Login to your remote server:
ssh [email protected]_ip_address
Open the SSH configuration file in a text editor:
sudo nano /etc/ssh/sshd_config
Find the following directives and change them as follows:
/ etc / ssh / sshd_config
PasswordAuthentication no ChallengeResponseAuthentication no UsePAM no
After that save the file and restart the SSH service by typing:
sudo systemctl restart ssh
At this point, password-based authentication is disabled.
We showed you how to generate a new SSH key pair and set up SSH key based authentication. You can use the same key to manage multiple remote servers. You also learned how to disable SSH password authentication and add an extra layer of security to your server.
By default, SSH listens on port 22. Changing the default SSH port reduces the risk of automated attacks. To simplify your workflow, use an SSH config file to define all of your SSH connections.
If you have any questions or feedback, do not hesitate to leave comments.