SSH (Secure Shell) keys provide a much more secure and convenient way to log into a server than traditional passwords. Instead of relying on a password that can be brute-forced, guessed, or intercepted, SSH keys use cryptographic pairs: a public key and a private key.
Understanding SSH Key Pairs
An SSH key pair consists of two files:
1. Public Key: This key can be freely shared. You place it on any server you want to access. When you try to connect, the server uses this public key to verify your identity.
2. Private Key: This key must be kept absolutely secret and secure on your local machine. It's the "proof" that you are who you say you are. If someone gains access to your private key, they can impersonate you.
The magic happens during the authentication process:
When you attempt to connect to a server, your SSH client tells the server which key it wants to authenticate with. The server, which has your corresponding public key, uses it to encrypt a challenge. Your client then decrypts this challenge using your private key and sends back the correct response. If the response is correct, authentication succeeds. This handshake ensures that your private key never leaves your local machine.
Why Use SSH Keys?
- Enhanced Security: Keys are typically 2048-bit or 4096-bit RSA/DSA/ECDSA/Ed25519, making them virtually impossible to brute-force compared to even strong passwords.
- No Password Fatigue: No need to remember complex passwords for each server.
- Automation Friendly: Ideal for scripting and automated deployments where password prompts are problematic.
- Passphrase Protection: Your private key can optionally be encrypted with a passphrase, adding another layer of security.
Generating Your SSH Key Pair
You'll generate your keys on your local machine (e.g., your Linux workstation, macOS, or Windows using WSL/Git Bash/PuTTYgen).
1. Open your terminal (or Git Bash on Windows).
2. Run the ssh-keygen command:
Code:
ssh-keygen -t ed25519 -b 4096 -C "your_email@example.com"
- -t ed25519: Specifies the type of key to create. ed25519 is generally recommended for its security and performance. rsa is also common (-t rsa -b 4096 for 4096-bit RSA keys).
- -b 4096: Specifies the number of bits in the key (for RSA keys). Ed25519 has a fixed length, so ssh-keygen ignores -b for it.
- -C "your_email@example.com": Adds a comment to the public key, useful for identifying keys later.
3. Choose a file to save the key:
The default location is ~/.ssh/id_ed25519 (private key) and ~/.ssh/id_ed25519.pub (public key). Press Enter to accept the default or specify a new path. It's often good practice to use different keys for different purposes, e.g., ~/.ssh/id_work.
4. Enter a passphrase (recommended):
You'll be prompted to enter a passphrase. This encrypts your private key on your local machine. If someone steals your private key, they still can't use it without this passphrase. Leave it empty for no passphrase (less secure, but convenient for automation).
Code:
Enter passphrase (empty for no passphrase): [type your passphrase]
Enter same passphrase again: [type your passphrase again]
After this, you'll see output confirming the key generation, including the key's fingerprint.
Copying Your Public Key to a Server
Once you have your key pair, you need to place the public key on the remote server you wish to access.
Method 1: Using ssh-copy-id (Recommended)
This is the easiest and most reliable method. It automatically connects to the server, creates the ~/.ssh directory if it doesn't exist, sets correct permissions, and appends your public key to ~/.ssh/authorized_keys.
Code:
ssh-copy-id -i ~/.ssh/id_ed25519.pub user@remote_host
- Replace ~/.ssh/id_ed25519.pub with the path to your public key if you didn't use the default.
- Replace user with your username on the remote server.
- Replace remote_host with the IP address or hostname of your server.
You will be prompted for the *password* of user@remote_host (the server's password, not your key passphrase) to complete the copy.
Method 2: Manual Copy
If ssh-copy-id isn't available or you prefer to do it manually:
1. Retrieve your public key:
Code:
cat ~/.ssh/id_ed25519.pub
Copy the entire output, which starts with ssh-ed25519 and ends with your comment.
2. Log into the remote server using password authentication:
Code:
ssh user@remote_host
3. Create the .ssh directory and authorized_keys file (if they don't exist) and set permissions:
Code:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
4. Append your public key to authorized_keys:
Using a text editor like nano or vi, or by piping the key:
Code:
echo "PASTE_YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
Replace "PASTE_YOUR_PUBLIC_KEY_HERE" with the actual public key string you copied earlier.
Connecting to Your Server
Once your public key is on the server, you can connect simply by:
Code:
ssh user@remote_host
If your private key is protected by a passphrase, you'll be prompted for it. If you used a non-default key file, specify it with -i:
Code:
ssh -i ~/.ssh/id_work user@remote_host
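If the server still asks for a password after a manual copy, the usual cause is that something on the server side differs from the steps in Method 2: wrong modes on ~/.ssh or authorized_keys, a line that is not actually a public key, or the same key pasted twice. The shell function below is an added example, not part of the original post (the function names are my own): it performs steps 3 and 4 of Method 2 in one go while checking for those conditions, and assumes a POSIX shell with grep available.

```shell
#!/bin/sh
# Installs one public key line into <home>/.ssh/authorized_keys the way the
# manual method does (700 on .ssh, 600 on the file), but refuses input that is
# not an OpenSSH public key and never appends a duplicate line.
# Added example, not from the original post; the function names are my own.
# Usage: install_authorized_key /home/user "ssh-ed25519 AAAA... comment"
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Every OpenSSH public key line is "<type> <base64 blob> [comment]", and the
    # blob always starts with "AAAA" (it encodes the length of the type string).
    # Anything else, including a pasted PRIVATE key block, is rejected here.
    case $pubkey in
        "ssh-ed25519 AAAA"*|"ssh-rsa AAAA"*|"ecdsa-sha2-nistp"[0-9]*" AAAA"*) ;;
        *) echo "not an OpenSSH public key line, refusing to install" >&2; return 1 ;;
    esac

    # Same layout as the manual steps. With StrictModes (the sshd default),
    # looser modes on either path make sshd ignore the file entirely.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Exact whole-line match, so re-running for the same key is harmless.
    if grep -qxF -- "$pubkey" "$auth_file"; then
        echo "key already present in $auth_file"
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
    echo "key installed in $auth_file"
}

# Number of authorized_keys lines equal to the given key (for verification).
count_key() {
    grep -cxF -- "$2" "$1/.ssh/authorized_keys"
}
```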
SSH Agent for Passphrase Management
Constantly typing your passphrase can be tedious. The ssh-agent is a program that holds your private keys in memory after you've entered the passphrase once, allowing you to connect to multiple servers without re-entering it for the duration of your session.
1. Start the agent (if not already running):
Often, your desktop environment or terminal shell starts it automatically. If not:
Code:
eval "$(ssh-agent -s)"
2. Add your private key to the agent:
Code:
ssh-add ~/.ssh/id_ed25519
You'll be prompted for your passphrase one last time.
Now you can ssh to any server configured with this public key without typing the passphrase again until you log out or restart your machine.
Disabling Password Authentication (Highly Recommended)
For maximum security, once you've confirmed SSH key access works, you should disable password authentication on your server. This prevents any attempts to brute-force passwords.
1. Log into your server via SSH key.
2. Edit the SSH daemon configuration file:
Code:
sudo nano /etc/ssh/sshd_config
3. Find and modify these lines:
Code:
PasswordAuthentication no
ChallengeResponseAuthentication no
# UsePAM sometimes needs to be 'no' if you have issues
UsePAM no
Ensure these lines are uncommented (no # at the beginning). sshd does not accept a comment at the end of a directive line, so keep comments on their own lines. On newer OpenSSH releases ChallengeResponseAuthentication is a deprecated alias for KbdInteractiveAuthentication; the old name is still accepted. Note that UsePAM no also turns off PAM account and session handling, so only change it if you know your distribution doesn't depend on it.
4. Restart the SSH service:
Code:
sudo systemctl restart sshd
# Or for older systems:
# sudo service ssh restart
Crucial Warning: DO NOT disable password authentication until you have verified that key-based authentication works perfectly. If you disable it prematurely and your key access fails, you will be locked out of your server. Always test your key access from a *new* terminal session before restarting sshd.
By following these steps, you can significantly enhance the security and convenience of your server access.
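Checking that the edit in step 3 actually took effect has a subtlety: sshd uses the first value it reads for a keyword, and Ubuntu and recent Debian ship an Include /etc/ssh/sshd_config.d/*.conf line at the top of sshd_config, so a drop-in there can keep PasswordAuthentication yes no matter what you set further down. The function below is an added example, not from the original post (effective_setting is my own name): it reports the value sshd will use from the global section, following Include lines, and assumes a POSIX shell.

```shell
#!/bin/sh
# Reports the value sshd will actually use for a keyword. sshd_config(5) says
# the FIRST obtained value wins, and "Include" lines are read in place, so a
# drop-in under /etc/ssh/sshd_config.d/ silently overrides a later edit.
# Added example, not part of the original post; "effective_setting" is my name.
# Usage: effective_setting /etc/ssh/sshd_config PasswordAuthentication
# Prints the value and returns 0, or returns 1 if the keyword is not set in the
# global section (sshd then uses its compiled-in default).
effective_setting() {
    config=$1
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f               # split on whitespace, no globbing
        [ $# -gt 0 ] || continue                   # blank line
        key=$1; shift
        case $key in
            '#'*) continue ;;                                  # comment line
            *=*) set -- "${key#*=}" "$@"; key=${key%%=*} ;;    # Keyword=value form
        esac
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        value=$*
        if [ "$key" = include ]; then
            # Relative Include paths are resolved by sshd under /etc/ssh; absolute
            # ones (the common case) are used as-is. The shell expands the glob.
            for inc in $value; do
                [ -f "$inc" ] || continue
                if found=$(effective_setting "$inc" "$want"); then
                    echo "$found"; return 0
                fi
            done
        elif [ "$key" = match ]; then
            return 1   # end of the global section: later lines are conditional
        elif [ "$key" = "$want" ]; then
            echo "$value"; return 0
        fi
    done < "$config"
    return 1
}
```

sudo sshd -T | grep -i passwordauthentication prints the same effective value straight from sshd (including anything set inside Match blocks), and sudo sshd -t validates the file before you restart.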