What is an SSH key and how to generate one
SSH, also referred to as Secure Shell, is an administration protocol designed to help you operate your system remotely. It is mainly utilized to establish a secure connection between you and the server. Additionally, the protocol also transfers your input to the server and displays the output back on your machine, making SSH an essential tool when it comes to server management.
What is an SSH key?
As already mentioned, SSH keys are used to authenticate you to the server and to establish the connection from your machine, giving you a secure channel for file transfer, command-line execution and port forwarding.
In general, SSH keys serve the same purpose as passwords; however, they are much more secure because of the extra layers of protection they add. For this reason, using SSH keys when connecting to your server remotely is essential and strongly recommended.
Each SSH key consists of a public and private key pair. The public key is stored on the server and determines who can gain access to the system. The private key is sent to you separately each time you log into the remote system. You should never share your private key with anyone!
How to generate SSH keys with OpenSSH (Linux/macOS)
When it comes to creating an SSH key, it is generally easier to generate one if you are using Linux or macOS. This is because both operating systems ship with the standard OpenSSH suite of tools, which includes the ssh-keygen utility required to generate SSH key pairs.
Firstly, open up your terminal and type the following command:
$ ssh-keygen
After that, you will be asked to select a location for the keys. By default, the keys are stored in the ~/.ssh directory with the filenames id_rsa (private key) and id_rsa.pub (public key).
We recommend you keep the default locations because it will allow your SSH client to automatically locate your SSH keys upon authentication. If you would like to keep the default placement, then simply hit ENTER:
Output
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
IMPORTANT: If you have already generated a key pair before, you will be asked to confirm that you would like to overwrite the existing key with a message that will look like so:
Output
/home/user/.ssh/id_rsa already exists.
Overwrite (y/n)?
IMPORTANT: If you decide to overwrite the existing key, you won’t be able to authenticate with it anymore. If you are confident that you would like to continue and overwrite it, you can do that by typing Y and hitting ENTER.
If you decide to keep the default location, your private and public keys will be located in /home/user/.ssh/id_rsa and /home/user/.ssh/id_rsa.pub respectively, as mentioned before.
Once you select your desired location, you will be asked to enter an optional passphrase that encrypts your private key file on disk. This step is entirely optional. However, if you decide to enter a passphrase, you will need to provide it every time you use this key. While this is an extra step when logging in, we recommend doing it as it adds another layer of security. If you wish to skip this step, just press ENTER.
Output
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Once completed, your system will generate a pair of SSH keys.
Output
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
a9:49:EX:AM:PL:E3:3e:a9:de:4e:77:11:58:b6:90:26 user@203.0.113.0
The key's randomart image is:
+--[ RSA 2048]----+
| ..o |
| E o= . |
| o. o |
| .. |
| ..S |
| o o. |
| =o.+. |
|. =++.. |
|o=++. |
+-----------------+
That’s all - you now have a public and private key that you can use for authentication and secure connection to your server.
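The interactive walkthrough above can be wrapped in a small script so that the overwrite prompt is never answered by accident and the passphrase and file permissions are set in one go. The following is an added example, not part of the original article; it assumes OpenSSH's ssh-keygen is on PATH, and the function name gen_ssh_key and its arguments are this example's own. It defaults to an ed25519 key (the article's prompts show an RSA key; pass rsa as the third argument to match that).

```shell
#!/bin/sh
# Added example (not from the original article): non-interactive key generation
# with the safety checks the article describes. Assumes OpenSSH's ssh-keygen.

# gen_ssh_key PRIVATE_KEY_PATH PASSPHRASE [KEY_TYPE] [COMMENT]
# Refuses to overwrite an existing key (returns 2), generates the pair,
# locks down the file permissions and prints the fingerprint.
gen_ssh_key() {
    key="$1"; pass="$2"; type="${3:-ed25519}"
    comment="${4:-$(id -un)@$(uname -n)}"
    if [ -e "$key" ] || [ -e "$key.pub" ]; then
        # Overwriting would silently invalidate the old key on every server
        # that trusts it; make the caller delete it deliberately instead.
        echo "refusing to overwrite existing key: $key" >&2
        return 2
    fi
    dir=$(dirname "$key")
    mkdir -p "$dir" && chmod 700 "$dir"
    # RSA keys get an explicit 4096-bit length; other types have a fixed size.
    case "$type" in
        rsa) set -- -b 4096 ;;
        *)   set -- ;;
    esac
    # -N sets the passphrase, -C the comment, -q suppresses the randomart.
    ssh-keygen -q -t "$type" "$@" -N "$pass" -C "$comment" -f "$key" || return 1
    # The private key never leaves this machine and must be owner-readable only.
    chmod 600 "$key"
    chmod 644 "$key.pub"
    ssh-keygen -l -f "$key.pub"
}

# private_key_mode_ok PATH: true if PATH is mode 600 (what sshd/ssh expect).
private_key_mode_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Usage (uncomment to run): generate a passphrase-protected key outside ~/.ssh.
# gen_ssh_key "$HOME/.ssh/my-key" 'correct horse battery staple' ed25519 "$(id -un)@laptop"
```

The fingerprint printed at the end is worth recording: it is what you compare against the server-side copy later, and the private key itself is never transmitted during a login, only a signature made with it.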
How to generate an SSH key pair on Windows
In order to generate an SSH key pair on your Windows machine, we recommend installing PuTTY. Once you have downloaded and installed the client, you will also get the PuTTY keygen tool (PuTTYgen), which can be used to generate SSH keys. Here’s how to do it:
- Open up the PuTTY keygen tool.
- Click on the Generate button.
- Move your cursor around inside of the gray box until you fill the green bar located above.
- Then click on the ‘Save public key’ and choose a name and location to which you want to save it.
- Click on the ‘Save private key’ button. You can also set a passphrase for your key; as on Mac or Linux, this is optional but recommended. Finally, choose a name and location to which you would like to save the private key.
That’s it - you have successfully generated an SSH key pair.
How to use my SSH key pair to connect to my server
As we already mentioned, using SSH keys to establish an authenticated connection between you and your server is substantially more secure than doing it in any other way. To utilize your SSH key to log into your server, you will need to manually place and configure your public key, located in the /home/user/.ssh/id_rsa.pub file, onto the remote server. You should paste your public key in the authorized_keys file for the specific user.
For example, if you want to use this key to log in as the root user, you have to place your public key in /root/.ssh/authorized_keys. If you want to log in as another user such as ‘example’, you will want to paste your public key in /home/example/.ssh/authorized_keys.
Once you have configured your keys, your server shouldn’t ask you for a password the next time you log in.
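Pasting the key by hand works, but it is easy to paste the same key twice, to create ~/.ssh with the wrong permissions (sshd then ignores authorized_keys entirely), or to paste a private key by mistake. The following added example, which is not part of the original article, installs a public key line the way the article describes but idempotently and with the expected permissions. It is run as the target user (or with the user's home directory passed as the second argument); the function names and the sample key lines are this example's own, and the key material in them is constructed, not a real key.

```shell
#!/bin/sh
# Added example (not from the original article): install a public key into a
# user's authorized_keys idempotently, with ~/.ssh 700 and authorized_keys 600.

# valid_pubkey_line LINE: accepts "<type> <base64> [comment]" for the common
# OpenSSH key types, so a private key or random text is rejected.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+={0,2}( [^[:cntrl:]]*)?$'
}

# install_pubkey LINE [HOME_DIR]
# Appends LINE to HOME_DIR/.ssh/authorized_keys unless the same key is present.
# Returns 0 if added or already present, 1 if LINE is not a public key line.
install_pubkey() {
    line="$1"; home="${2:-$HOME}"
    valid_pubkey_line "$line" || { echo "not a public key line" >&2; return 1; }
    ssh_dir="$home/.ssh"; ak="$ssh_dir/authorized_keys"
    # sshd's default StrictModes refuses keys from a world-writable ~/.ssh.
    mkdir -p "$ssh_dir"; chmod 700 "$ssh_dir"
    touch "$ak"; chmod 600 "$ak"
    # Compare on type and key material only, so a different comment on the
    # same key does not produce a duplicate entry.
    keyid=$(printf '%s\n' "$line" | awk '{print $1 " " $2}')
    if awk -v k="$keyid" '($1 " " $2) == k {found=1} END {exit !found}' "$ak"; then
        return 0
    fi
    printf '%s\n' "$line" >> "$ak"
}

# count_authorized_keys [HOME_DIR]: number of non-comment key lines installed.
count_authorized_keys() {
    ak="${1:-$HOME}/.ssh/authorized_keys"
    if [ -f "$ak" ]; then
        grep -Ev '^(#|$)' "$ak" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# Usage (uncomment to run) with a constructed, non-functional key line:
# install_pubkey 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey000000000000 alice@laptop'
```

Run it once per key on the server; a second run with the same key is a no-op, which makes it safe to use from a provisioning script. The rejection of non-key input is also the check you want if the line arrives through a form or a copy-and-paste.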
IMPORTANT: If your private key is not in the default directory (/home/user/.ssh/id_rsa), it will not be discovered automatically. You have to manually add the path to your private key when you log into your server. You can do so by typing in the -i parameter followed by the path of your private key such as: ssh root@your_server_ip -i /home/user/.ssh/my-key.
If you are a Mac or Linux user, open up your terminal and enter the following command to connect to your server:
ssh {user}@{host}
This command tells your system that you want to open an encrypted Secure Shell connection, where {user} and {host} respectively represent the account and the machine or server (given as an IP address or a domain name) that you are trying to access.
Once you press ENTER, you will be asked to enter the password for the account you are trying to log into. Type your password and press ENTER once again and you will be successfully logged into the remote access terminal.
If you are going to be logging in using PuTTY, you need to first open up the client. Then, navigate to the Host Name field and enter the IP address or the hostname of the server to which you wish to connect remotely. In the Port field, enter your SSH port number. Next, click the Open button. Upon connecting to your server for the first time, you will be prompted to accept the server's SSH host key; compare the fingerprint it shows with the one your server or provider reports before accepting it.
If you are using SSH key-based authentication, you will not be asked to enter your username or password as PuTTY will automatically use your previously generated private key to authenticate your connection.
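For keys stored outside the default path, typing -i on every login (as in the IMPORTANT note above) gets tedious and is easy to forget. The following added example, which is not part of the original article, records the key in the OpenSSH client configuration instead, so that ssh &lt;alias&gt; finds it automatically. It assumes an OpenSSH client; the function names, the alias web1 and the sample addresses are this example's own, and the config path defaults to ~/.ssh/config but can be overridden for testing.

```shell
#!/bin/sh
# Added example (not from the original article): replace "ssh user@host -i key"
# with a Host block in the OpenSSH client config.

# add_ssh_host ALIAS HOSTNAME USER KEY_PATH [PORT] [CONFIG]
# Appends a Host block unless the alias is already configured (returns 3 then).
add_ssh_host() {
    alias="$1"; hostname="$2"; user="$3"; key="$4"; port="${5:-22}"
    cfg="${6:-$HOME/.ssh/config}"
    mkdir -p "$(dirname "$cfg")"; chmod 700 "$(dirname "$cfg")"
    touch "$cfg"; chmod 600 "$cfg"
    if grep -Eq "^Host[[:space:]]+$alias([[:space:]]|\$)" "$cfg"; then
        echo "alias '$alias' already configured in $cfg" >&2
        return 3
    fi
    # IdentitiesOnly stops the client from offering every key it knows about
    # before the one named here: fewer failed attempts in the server's auth
    # log, and no disclosure of which other keys this machine holds.
    cat >> "$cfg" <<EOF

Host $alias
    HostName $hostname
    User $user
    Port $port
    IdentityFile $key
    IdentitiesOnly yes
EOF
}

# key_for_host ALIAS [CONFIG]: print the IdentityFile configured for ALIAS, if any.
key_for_host() {
    cfg="${2:-$HOME/.ssh/config}"
    awk -v a="$1" '
        $1 == "Host" { in_block = ($2 == a) }
        in_block && $1 == "IdentityFile" { print $2; exit }
    ' "$cfg"
}

# Usage (uncomment to run): after this, "ssh web1" replaces
# "ssh root@203.0.113.10 -p 2222 -i ~/.ssh/my-key".
# add_ssh_host web1 203.0.113.10 root "$HOME/.ssh/my-key" 2222
```

The config file is kept at mode 600 because it can name key paths and users for every server you manage; sshd does not read it, but anything else running as your user can.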