SSH (Secure Shell) keys provide a much more secure and convenient way to log into a server than traditional password authentication. Instead of typing a password every time, you use a pair of cryptographic keys: a private key that stays on your local machine and a public key that you place on the server you want to access.
How SSH Keys Work
When you attempt to connect to a server using SSH keys:
1. Client Request: Your local SSH client sends a connection request, along with your public key ID, to the server.
2. Server Challenge: The server checks its ~/.ssh/authorized_keys file for a matching public key. If found, it generates a random string and encrypts it using the public key.
3. Client Decryption: The server sends this encrypted challenge back to your client. Your client then decrypts it using your *private* key.
4. Client Response: Your client encrypts the original random string (or a hash of it) using the session key and sends it back to the server.
5. Authentication: The server decrypts the response and compares it with its original challenge. If they match, authentication is successful, and you're granted access.
This handshake ensures that only the holder of the corresponding private key can authenticate, without ever transmitting the private key itself.
Generating Your SSH Key Pair
You can generate an SSH key pair on your local machine using the ssh-keygen command.
1. Open your terminal (Linux/macOS) or Git Bash/WSL (Windows).
2. Run the command:
Code:
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
* -t rsa: Specifies the key type (RSA is common and widely supported). Other options include ed25519 for newer, generally more secure keys.
* -b 4096: Specifies the number of bits in the key, making it stronger (4096 is recommended).
* -C "your_email@example.com": Adds a comment to the public key, useful for identifying the key later.
3. Choose a file to save the key:
Code:
Enter a file in which to save the key (/home/youruser/.ssh/id_rsa):
Press Enter to accept the default location (~/.ssh/id_rsa for the private key and ~/.ssh/id_rsa.pub for the public key). It's generally a good practice to keep them here. If you already have a key, it will prompt you to overwrite it, so be careful.
4. Enter a passphrase:
Code:
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Always use a strong passphrase! This encrypts your private key on your local machine, adding an extra layer of security. Even if someone gains access to your private key file, they cannot use it without the passphrase.
Once generated, you'll see something like this:
Code:
Your identification has been saved in /home/youruser/.ssh/id_rsa
Your public key has been saved in /home/youruser/.ssh/id_rsa.pub
The key's randomart image is:
+---[RSA 4096]----+
| . . |
| o + . |
| o = . |
| . * E |
| . . S |
| . o |
| . . . |
| . |
| |
+----[SHA256]-----+
Adding Your Key to the SSH Agent
The SSH agent manages your SSH keys and stores your decrypted private key in memory, so you don't have to enter your passphrase every time you connect.
1. Start the SSH agent (if not already running):
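Code:
eval "$(ssh-agent -s)"
This command starts the agent and sets the necessary environment variables.
2. Add your private key to the agent:
Code:
ssh-add ~/.ssh/id_rsa
You will be prompted to enter your passphrase. Once entered, the key will be added to the agent for the duration of your session (or until you explicitly remove it).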
Copying Your Public Key to a Server
To use your SSH key for authentication, you need to place your *public* key on the remote server.
Method 1: Using ssh-copy-id (Recommended)
This is the easiest and most secure way. It copies the public key, sets correct permissions, and creates the ~/.ssh directory if it doesn't exist.
Bash:
ssh-copy-id username@remote_host
Replace username with your username on the remote server and remote_host with the server's IP address or hostname. You will be prompted for your password on the remote server *one last time*.
Method 2: Manually Copying the Public Key
If ssh-copy-id is not available or you need to do it manually:
1. Display your public key:
Code:
cat ~/.ssh/id_rsa.pub
Copy the entire output, which starts with ssh-rsa (or ssh-ed25519) and ends with your comment.
2. Log in to the remote server using your password:
Code:
ssh username@remote_host
3. Create the ~/.ssh directory and authorized_keys file (if they don't exist) and set proper permissions:
Code:
mkdir -p ~/.ssh
chmod 700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
4. Append your public key to authorized_keys:
Code:
echo "PASTE_YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys
Replace "PASTE_YOUR_PUBLIC_KEY_HERE" with the key you copied in step 1.
5. Exit the server:
Code:
exit
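The manual method fails quietly in two ways: permissions looser than the chmod 700 / chmod 600 set in step 3, and a key that was wrapped or truncated when pasted in step 4. The script below is an added example, not part of the original post, that checks a directory for both; the function names, the demo directory and the sample key text are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the result of the manual copy steps.

# True when the path grants no permissions at all to group or other.
owner_only() {
    case "$(ls -ld "$1" | cut -c1-10)" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each authorized_keys line that lacks a "type base64-blob" pair.
# The blob embeds its key type, so an ssh-rsa blob starts with AAAAB3NzaC1yc2E
# and an ssh-ed25519 blob with AAAAC3NzaC1lZDI1NTE5. Only the two key types
# named in this guide are recognised; other valid types are reported too.
bad_key_lines() {
    awk '
        BEGIN { b64 = "[A-Za-z0-9+/]+=*$"
                pre["ssh-rsa"] = "^AAAAB3NzaC1yc2E"
                pre["ssh-ed25519"] = "^AAAAC3NzaC1lZDI1NTE5" }
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # comments and blank lines are legal
        {
            ok = 0
            for (i = 1; i < NF; i++)
                if (($i in pre) && $(i + 1) ~ (pre[$i] b64)) ok = 1
            if (!ok) print "line " NR ": no complete ssh-rsa/ssh-ed25519 key"
        }' "$1"
}

# audit_ssh_dir DIR: print one FAIL line per problem, return the problem count.
audit_ssh_dir() {
    dir=$1 ak=$1/authorized_keys n=0
    owner_only "$dir" || { echo "FAIL $dir: open to group/other (chmod 700)"; n=$((n + 1)); }
    if [ -f "$ak" ]; then
        owner_only "$ak" || { echo "FAIL $ak: open to group/other (chmod 600)"; n=$((n + 1)); }
        bad=$(bad_key_lines "$ak")
        [ -z "$bad" ] || { echo "FAIL $ak $bad"; n=$((n + $(echo "$bad" | wc -l))); }
    fi
    return "$n"
}

# Demo on a constructed directory; the key text is fabricated, not a real key.
demo=$(mktemp -d)
chmod 755 "$demo"
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeSampleBlob0000 alice@laptop' \
    'AAAAB3NzaC1yc2EAAAADAQABAAAC wrapped-paste@laptop' > "$demo/authorized_keys"
chmod 644 "$demo/authorized_keys"
audit_ssh_dir "$demo" || echo "$? problem(s) found"
rm -rf "$demo"
```

On the server, run it as `audit_ssh_dir ~/.ssh` before logging out of the password session.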
Connecting to the Server Using SSH Keys
Once your public key is on the server, you can connect simply by:
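Bash:
ssh username@remote_host
If your private key is loaded into the SSH agent and you used a passphrase, you won't be prompted for anything. If not, you might be asked for your private key's passphrase.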
Disabling Password Authentication (Highly Recommended)
After verifying that SSH key authentication works, you should disable password authentication on your server for enhanced security.
1. Log in to your server via SSH with your key.
2. Edit the SSH daemon configuration file:
Code:
sudo nano /etc/ssh/sshd_config
3. Find and modify these lines:
Code:
PasswordAuthentication no
# Ensure this is also 'no'
ChallengeResponseAuthentication no
# May also be required depending on setup
UsePAM no
Make sure the setting lines themselves are uncommented (no # at the beginning).
4. Save the file and exit the editor.
5. Restart the SSH service:
Code:
sudo systemctl restart sshd
Now, only users with a valid SSH key will be able to log in.
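Editing the file does not guarantee the setting takes effect: a line left commented out does nothing, and when a keyword appears twice sshd uses the first value it reads. The script below is an added example, not part of the original post, that reports the value a single config file would yield for the keywords from step 3; the function names and the sample config are constructed, and Include files and Match blocks are deliberately not evaluated.

```shell
#!/bin/sh
# Added example: which value would sshd take from this file for a keyword?

# effective_value FILE KEYWORD
# Rules applied: keywords are case-insensitive, lines starting with # are
# ignored, and the first value obtained for a keyword wins. Scanning stops at
# the first Match block (settings after it are conditional). Include files
# are not followed; a warning goes to stderr instead.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { key = tolower($1) }
        # Newer OpenSSH names this setting KbdInteractiveAuthentication.
        key == "kbdinteractiveauthentication" { key = "challengeresponseauthentication" }
        key == "match" { exit }
        key == "include" { print "warning: Include " $2 " not followed" > "/dev/stderr"; next }
        key == want { print $2; exit }
    ' "$1"
}

# password_login_disabled FILE: succeed only if both keywords are explicitly "no".
password_login_disabled() {
    status=0
    for kw in PasswordAuthentication ChallengeResponseAuthentication; do
        val=$(effective_value "$1" "$kw" 2>/dev/null)
        if [ "$val" != "no" ]; then
            echo "$kw: ${val:-unset (sshd default applies)}"
            status=1
        fi
    done
    return "$status"
}

# Constructed sample config: line 1 is commented out, so line 2 is the first
# live value and it wins over line 3.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
passwordauthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
Match User backup
    PasswordAuthentication no
EOF
password_login_disabled "$sample" || echo "password logins are still possible"
rm -f "$sample"
```

On a live server, `sudo sshd -t` checks the file for syntax errors before the restart in step 5, and `sudo sshd -T` prints the configuration sshd actually resolved, Include files included.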
Using SSH keys is a fundamental security practice for managing remote systems. It significantly reduces the risk of brute-force attacks and provides a seamless login experience.