Using SSH keys for logging into your system

Posted Sep 11, 2014 / Categories: Security / 2 Comments

Using SSH keys is a more secure way of logging into Unix-based servers. Rather than logging in to your account with a password, you log in with a public/private key pair.

This is the same method which is used by many online git hosting facilities to allow for code upload.

Generating a new key (on Linux)

webpigeon@laptop:~/Documents/bhost$ ssh-keygen
Generating public/private rsa key pair.

If you are using Linux as your operating system on your local computer, it is very easy to generate SSH keys. The command you will need to run is “ssh-keygen”, as your normal user account. You can use the same keypair for multiple machines (or generate different ones for different systems).

Choose a filename

Enter file in which to save the key (/home/webpigeon/.ssh/id_rsa):

It will then prompt you to provide some information. Firstly, it will ask you where you would like to save your keys. Two files will be created, a public key and a private key. The public key will have the same file name but will end in .pub; you will be saving the contents of this file onto your server. You must not share the contents of your private key, and it must be kept safe. If someone were to get their hands on your private key they could log into your servers as you!

Enter a passphrase

Enter passphrase (empty for no passphrase):

Next you will be prompted to enter a passphrase. A passphrase is not required, but it is good practice to use one to protect your key. This will encrypt your private key with the provided passphrase. As a result, if someone gets your private key file they will need to decrypt it before they can use it to log into your servers. This gives you time to log into your servers and remove the key which has been compromised, so that an attacker cannot log into your servers.

Enter same passphrase again:

You will then be prompted to enter your passphrase again; enter it exactly as you did above. Once you have done this you will be presented with some details about your key.

Your identification has been saved in blarg.
Your public key has been saved in blarg.pub.
The key fingerprint is:
ee:df:f6:84:f8:2d:01:a4:1c:22:4d:78:98:f8:88:35 webpigeon@laptop
The key's randomart image is:
+--[ RSA 2048]----+
| . *. |
| E = + . . |
| o + o o + |
|. . . o . |
| S . |
| . ... |
| . . ... |
| . ooo |
| ....ooo |
+-----------------+

The key fingerprint and the randomart image are used to identify the key, although you will not usually need to worry about these.

Copying the key to the server (the easy way)

Now that you have your key, you can use another command, “ssh-copy-id”, to get it onto your server. You can specify the key file if you have more than one key file which you use. You need to put your server name (and username, if it does not match your local username) after the name of the command. You will then be prompted for your SSH password.

webpigeon@laptop:~/Documents/bhost$ ssh-copy-id webpigeon@kat.webpigeon.me.uk
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
webpigeon@kat.webpigeon.me.uk's password:

Number of key(s) added: 2

Now try logging into the machine, with:

ssh 'webpigeon@kat.webpigeon.me.uk'

and check to make sure that only the key(s) you wanted were added.

Checking that the correct keys are added

You can get your public key by using the “cat” or “nano” commands on the .pub file created earlier (or opening it in your favourite text editor). The default location is ~/.ssh/id_rsa.pub, so the command using the default location would be

cat ~/.ssh/id_rsa.pub

You will be checking this against a file on your server so keep it to hand.

Log into your server using ssh. You will need to check the ~/.ssh/authorized_keys file on your server (as your normal user account) to confirm that it contains your public key. You should also check that no keys you do not want to be used are present in this file. Each key must be on a separate line in this file (keys with line breaks will not work). Your terminal may automatically wrap the output to keep it readable, so check the file with a command like “nano” to make sure each key is on one line.
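As an added example (not code from the original post), the script below reproduces what ssh-copy-id does in the "easy way" section (append a key only if it is not already installed, with private permissions on ~/.ssh and authorized_keys) and then performs the audit described above: it confirms the expected key is present, flags entries that are not a single well-formed key (such as a key split by a line break) and lists any keys that are not the one you expect. The key material and file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: mimic ssh-copy-id (append a
# public key unless it is already installed, with safe permissions) and then
# audit authorized_keys the way the post describes. Key material is constructed.

# Print every line of $1 that is not blank, not a comment and not a single
# "<type> <base64-blob> [comment]" entry. A key pasted with a line break shows
# up as a bare base64 fragment; entries that start with sshd options
# (command="...") are printed too so they get a manual look.
bad_key_lines() {
    awk '/^[[:space:]]*$/ || /^[[:space:]]*#/ { next }
         !($1 ~ /^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521))$/ &&
           $2 ~ /^[A-Za-z0-9+\/]+=*$/) { print }' "$1"
}

# Print entries of $1 whose "<type> <blob>" is not in the expected key file $2.
# Comments are ignored because ssh-copy-id may change them.
unexpected_keys() {
    awk 'NR == FNR { seen[$1 " " $2] = 1; next }
         /^[[:space:]]*$/ || /^[[:space:]]*#/ { next }
         !(($1 " " $2) in seen) { print }' "$2" "$1"
}

# Does the key in $2 (type + blob) appear in authorized_keys file $1?
key_present() {
    w=$(awk '{ print $1 " " $2; exit }' "$2")
    awk -v w="$w" '($1 " " $2) == w { f = 1 } END { exit f ? 0 : 1 }' "$1"
}

# Install $2 into $1 the way ssh-copy-id does: skip it if already present, and
# keep the .ssh directory (700) and authorized_keys (600) private so sshd accepts them.
install_key() {
    mkdir -p "$(dirname "$1")" && chmod 700 "$(dirname "$1")"
    touch "$1" && chmod 600 "$1"
    key_present "$1" "$2" || cat "$2" >> "$1"
}

# ---- constructed sample run (fake key material, temporary directory) ----
D=${TMPDIR:-/tmp}/authkeys_demo.$$; mkdir -p "$D"; trap 'rm -rf "$D"' EXIT
AK="$D/ssh/authorized_keys"; PUB="$D/id_rsa.pub"
echo 'ssh-rsa AAAAB3NzaC1yc2EFAKElocalkey== webpigeon@laptop' > "$PUB"
install_key "$AK" "$PUB"; install_key "$AK" "$PUB"   # second call must not duplicate
{ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5FAKEother someone@else'   # not ours
  echo 'ssh-rsa AAAAB3NzaC1yc2EFAKEwrap'                           # key split by a
  echo 'pedkey== old@laptop'; } >> "$AK"                           # line break
echo "expected key installed: $(key_present "$AK" "$PUB" && echo yes || echo no)"
echo "malformed lines:"; bad_key_lines "$AK"
echo "keys not in $PUB:"; unexpected_keys "$AK" "$PUB"
```

Run it against a copy of your real authorized_keys and id_rsa.pub by replacing the constructed paths; any line in the "malformed" list or any unexpected key is what the checks above tell you to look for.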

You can now try logging into your server using your key. If you type

ssh username@server.example.com

you should be prompted for your passphrase (if you have set one) rather than your account password.

About the author
Joseph is a Fedora infrastructure apprentice and a PhD candidate based in England
2 comments
  • If you are using a key for the root account (which you should be), I also recommend editing /etc/ssh/sshd_config on the server.
    If you add the line:

    PermitRootLogin without-password

    This disables password authentication for the root account on the SSH Service. Only do this once you have confirmed your key works.

    Doing this is especially useful if you are worried about Password attacks on the root account.

  • Joseph says:

    Indeed, that would be a good course of action.

    Personally, I would set permitRootLogin to no and then log in as a standard user account and su or sudo to the root account :).