Using key-based authentication for SSH adds another layer of security to your SSH services, compare to plain password authentication which could be guessed by brute force attack.
This document is intended to end user who wants better security and understanding of SSH authentication.
This document applies to POSIX compatible systems like Linux or UNIX running OpenSSH server and client software. This document has been validated with the following operating systems:
Other OS versions could apply, but have not been validated. No administrative rights are necessary.
All user commands will be written in Courier New font, and will start with a '$' symbol that should not be reproduced when typing the commands. This symbol represents the SHELL prompt character. The commands will be given for a BASH syntax shell.
The principle of a public/private key pair is one key is public but paired to the private key that should never be send to someone else. One installs the public key to the destination SSH server, and upon connection the public and private key will try to be matched, if they do the connection is allowed.
To start you need to generate your private and public key, this is done by using the
$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/ubuntu/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/ubuntu/.ssh/id_rsa. Your public key has been saved in /home/ubuntu/.ssh/id_rsa.pub.
It is possible that on some UNIX variant, like Solaris or OpenSolaris, you need to specify one mandatory parameter for ssk-keygen: the key type. On most Linux, BSD and Mac OS X, the key type is by default RSA. To specify the key type, the command to enter is:
ssh-keygen -t rsa.
Two files have been generated, the private key (
~/.ssh/id_rsa) that you should keep secret, it is advised also to backup it ; and the public key (
~/.ssh/id_rsa.pub) that you can share with the server to allow your authentication.
You can use SSH to deploy the key if password authentication is still allowed. You can use the following command line, though you will have to replace
<user> by the user login you are intending to use on the remote host and
<hostname> by the name (or IP address) of the remote host.
$ scp ~/.ssh/id_rsa.pub <user>@<hostname>:/home/<user>/ user@hostname's password: id_rsa.pub 100% 420 10.4KB/s 00:00
For more information on using the
scp command, please refer to the scp manual page.
Now you will have to go on the remote host (you can use again SSH is password authentication is enabled) and add the public key to the list of known and authorised keys.
$ mkdir -p .ssh $ cat id_rsa.pub >> .ssh/authorized_keys
Note: Sometimes and with older version of sshd (the SSH serveur process) the file is named authorised_key, check you sshd man page for the exact name.
You can also group the 2 commands into one single one (source: SUN Admin Guide):
$ cat ~/.ssh/id_rsa.pub | ssh <user>@<hostname> \ 'mkdir -p .ssh; cat >> .ssh/authorized_keys && echo "Key copied"'
Or you can use the
ssh-copy-id command (found in the
openssh-client package on Ubuntu) which copies your default identity public key (usually named id_rsa.pub) and install it in the file
~/.ssh/authorized_keys (creating it if necessary) (source:Ask Ubuntu #4830):
$ ssh-copy-id <user>@<hostname>
If your identity key is named differently, you can still use
ssh-copy-id but use
This section list some useful commands for better using SSH.
SSH can provide you with strong authenticity, but one needs to verify at the first connection the host fingerprint to make sure it is connecting to the right host. Or when exchanging with a third party your public keys (and doing via an untrusted medium such as the internet), you might want to exchange via a secure medium the fingerprint of your keys.
Print the fingerprint of a public key (SSH host or user key):
ssh-keygen -l -f <path-to-the-key>
Print the fingerprint of already accepted host:
ssh-keygen -l -f ~/.ssh/known_hosts -F <hostname>