Introduction
Creating an SSH (Secure Shell) connection is essential for effectively managing a remote server. Encrypted SSH keys are access credentials used to establish a secure connection.
This guide will show you how to generate SSH keys on Ubuntu. It will also cover setting up SSH key-based authentication to connect to a remote server without a password.
Prerequisites
- A server running Ubuntu 18.04 or later.
- SSH enabled on Ubuntu.
- A user account with sudo privileges.
- Access to a terminal window/command line.
Creating SSH keys on Ubuntu
The SSH key generation process creates two keys:
- A public key, which you place on the server so it can identify the client.
- A private key, which stays on the client and must be kept secure. As long as only you hold the private key, you are the only person who can answer the server's challenge for the matching public key, so nobody else can authenticate as you.
Follow the steps below to create the public-private key pair.
Step 1 - Generate SSH Key Pair
Generate a pair of SSH keys on the client system. The client system is the machine that connects to the SSH server.
1. Create a directory named .ssh in the home directory. The -p option ensures the system does not return an error if the directory already exists.
mkdir -p $HOME/.ssh
2. Change the permissions of the directory so that only the owner has read, write, and execute privileges (group and others get nothing):
chmod 0700 $HOME/.ssh
3. Execute the ssh-keygen command to create an RSA key pair.
ssh-keygen
4. When prompted, provide the path to the key file. If you press Enter without typing a file path, the key will be stored in the .ssh directory under the default file name id_rsa.
5. The system asks you to create a passphrase as an added layer of security. Input a memorable passphrase, and press Enter.
The output shows that the keys have been created successfully.
Alternatively, generate a 4096-bit RSA key pair for extra security:
ssh-keygen -t rsa -b 4096
Note: If a key pair with the same name exists, new keys will overwrite the information in the file, and the old keys will not work anymore.
Step 2 - Copy Public Key to Ubuntu Server
After you obtain the key pair, use the public key to authenticate the client on the server.
1. Get the IP address of the Ubuntu server you want to connect to. In the server's terminal window, enter the following command:
ip a
Find the system's IP address in the section for the relevant network interface.
2. On the client system, use the ssh-copy-id command to copy the identity information to the Ubuntu server. Use the -i option to specify the key you want to share:
ssh-copy-id -i [ssh-key-location] [username]@[server-ip-address]
If this is the first time you connect to the server, you may see a message that the authenticity of the host cannot be established. Type yes and press Enter to proceed.
3. Enter the password for the server user account.
The system copies the contents of ~/.ssh/id_rsa.pub (or the public key you specified with -i) from the client system into the ~/.ssh/authorized_keys file on the server.
Alternate Method to Manually Copy the SSH Key
If your system does not have the ssh-copy-id command, you can copy the key manually.
1. Use the following command to print the public key to the standard output:
cat ~/.ssh/id_rsa.pub
2. Select the entire key and press Control + Shift + C to copy it.
3. Log in to the SSH server using password authentication.
ssh [username]@[remote_host]
Note: If the password authentication is disabled on the server, you cannot establish an SSH connection manually. In this case, the only way to access the server is via a console. If you do not have console access, the server is unreachable, and the process cannot be completed.
4. Create the .ssh directory and the authorized_keys file on the server.
mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys
5. Restrict the permissions so that only the owner can access the directory and the file (sshd refuses keys stored in a group- or world-accessible location):
chmod -R go= ~/.ssh
6. Append the public key you copied in Step 2 of this section to the authorized_keys file.
If you connected via SSH, use the following command:
echo "[paste-public-ssh-key-here]" >> ~/.ssh/authorized_keys
Warning: The >> symbol appends content to a file. The > symbol overwrites the file contents. Always double-check that you are using the correct symbol to avoid overwriting important data.
If you are accessing the server via console, open the authorized_keys file in a text editor:
vi ~/.ssh/authorized_keys
Add the key manually at the bottom of the file and save the file.
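The manual append above is where keys get mangled or duplicated and where a stray > wipes the file. The following helper, added here as an example and not part of the original guide, validates the pasted key, sets the permissions sshd expects, and appends only if the key is not already present; the function name add_authorized_key and the demo key blob are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): append a public key to an
# authorized_keys file safely. Assumed helper name: add_authorized_key.
# Usage: add_authorized_key <authorized_keys-path> "<public-key-line>"
# Returns 0 on success (key added or already present), 1 on a malformed key.

add_authorized_key() {
    keyfile=$1
    pubkey=$2

    # Accept only a well-formed OpenSSH public key of a common type: key type,
    # base64 blob, optional comment. Rejects partial pastes and stray text
    # that would otherwise silently land in authorized_keys.
    if ! printf '%s\n' "$pubkey" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^ ]+)?$'; then
        echo "refusing malformed public key" >&2
        return 1
    fi

    # Create the directory and file with the permissions sshd expects
    # (StrictModes refuses keys in a group- or world-writable location).
    dir=$(dirname "$keyfile")
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$keyfile"
    chmod 600 "$keyfile"

    # Compare only the key type and blob, so a re-paste with a different
    # comment is still treated as a duplicate rather than appended again.
    blob=$(printf '%s' "$pubkey" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$keyfile" | grep -Fxq "$blob"; then
        echo "key already present, nothing to do" >&2
        return 0
    fi

    # >> appends; > would wipe every other key in the file.
    printf '%s\n' "$pubkey" >> "$keyfile"
    return 0
}

# Demonstration on a constructed key in a temporary directory (the blob below
# is made up for this example and is not real key material).
tmpdir=$(mktemp -d)
demo_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForDemoOnly0000000000000000 user@client"
add_authorized_key "$tmpdir/.ssh/authorized_keys" "$demo_key"
add_authorized_key "$tmpdir/.ssh/authorized_keys" "$demo_key"   # duplicate: skipped
wc -l < "$tmpdir/.ssh/authorized_keys"                          # 1
```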
Step 3 - Log in to the Remote Server
To log in to a remote server, enter the following command on the client system:
ssh [username]@[server-ip]
The system does not ask for the account password, since the client and server authenticate each other using the SSH keys. If you protected the private key with a passphrase, enter it when prompted.
Note: In some instances, SSH may refuse the connection and print the "Connection Refused" error. Fix this problem by referring to How to Fix the SSH "Connection Refused" Error.
Step 4 - Disable Password Authentication
The following step creates an added layer of security. If you are the only person logging into the server, you can disable password authentication. The server will only accept the login from the client with the private key that matches the stored public key.
1. Open the sshd_config file in a text editor:
sudo nano /etc/ssh/sshd_config
2. Search the file and find the PasswordAuthentication line.
3. Edit the line so that it reads PasswordAuthentication no (remove the leading # if the line is commented out). Save the file and exit.
4. Restart the SSH service:
sudo systemctl restart ssh
The server now stops accepting passwords as an authentication method.
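Editing the main file is not always enough: sshd uses the first occurrence of a keyword it reads, and the stock sshd_config on recent Ubuntu releases begins with an Include of /etc/ssh/sshd_config.d/*.conf, so a drop-in there (a cloud-init file is a common one) can silently override the no you just set. The script below, added as an example and not part of the original guide, resolves the effective value on a constructed config tree; the helper names expand_includes and effective_password_auth are assumed, and it does not model Match blocks.

```shell
#!/bin/sh
# Added example (not from the original guide): report the PasswordAuthentication
# value sshd will actually use for a config file, honouring two sshd rules:
# the first occurrence of a keyword wins, and files pulled in by an Include
# directive are read at the point of the Include. Assumed helper names:
# expand_includes, effective_password_auth. Handles absolute Include paths only
# and ignores Match blocks. Prints "yes" or "no" (sshd's default is "yes").

# Emit the config with Include targets expanded in place (one level deep).
expand_includes() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            [Ii]nclude\ *)
                pattern=${line#* }
                for f in $pattern; do          # glob expansion of the Include
                    [ -f "$f" ] && cat "$f"
                done ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$1"
}

# First uncommented PasswordAuthentication keyword wins, as in sshd.
effective_password_auth() {
    value=$(expand_includes "$1" \
        | grep -Ei '^[[:space:]]*passwordauthentication[[:space:]]+' \
        | head -n 1 \
        | awk '{print tolower($2)}')
    printf '%s\n' "${value:-yes}"
}

# Demonstration on a constructed config tree (not a real /etc/ssh).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/sshd_config.d"
printf 'PasswordAuthentication yes\n' > "$demo_dir/sshd_config.d/50-cloud-init.conf"
cat > "$demo_dir/sshd_config" <<EOF
Include $demo_dir/sshd_config.d/*.conf
PasswordAuthentication no
EOF
effective_password_auth "$demo_dir/sshd_config"   # prints "yes": the drop-in wins
```

Before restarting the service, keep your current session open and confirm a key-based login from a second terminal; run sudo sshd -t to check the syntax and sudo sshd -T | grep -i passwordauthentication to see the value the daemon itself resolves.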
Conclusion
By following the instructions in this tutorial, you have set up SSH-key-based authentication on an Ubuntu server. The connection is now highly secure, using unique, encrypted SSH keys.
Learn more about SSH by reading 19 Most Common SSH Commands in Linux.