SSH – Generating and Working with ssh keys

In this guide, we are going to explore how to work with SSH keys: generating key pairs, adding or removing the passphrase on a private key, getting information about a key, and copying the public key to a server so we can log in without a password.

SSH is a secure protocol used as the primary means of connecting to Linux servers remotely. It provides a text-based interface by spawning a remote shell. After connecting, all commands you type in your local terminal are sent to the remote server and executed there.

Authentication

Clients generally authenticate using either passwords or SSH keys. Passwords are less secure, so SSH keys are always recommended.

To authenticate using SSH keys, a user must have an SSH key pair on their local computer. On the remote server, the public key must be copied to a file within the user’s home directory at ~/.ssh/authorized_keys. This file contains a list of public keys, one-per-line, that are authorized to log into this account.

Generating an SSH Key Pair

Generate a public/private key pair:

ssh-keygen

# With options: a larger key size (4096 bits) and an explicit file name
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_citizix

# Explicit comment
ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_citizix -C citizix_key

The above commands will generate an RSA SSH key pair. If a file location is not specified, the keys will be placed in the hidden .ssh directory within your user’s home directory. The default files are:

  • ~/.ssh/id_rsa: The private key. DO NOT SHARE THIS FILE!
  • ~/.ssh/id_rsa.pub: The associated public key. This can be shared freely without consequence.

Removing or Changing the Passphrase on a Private Key

If you have generated a passphrase for your private key and wish to change or remove it, use the following commands:

ssh-keygen -p

ssh-keygen -p -f ~/.ssh/id_citizix

Enter the old passphrase that you wish to change. You will then be prompted for a new passphrase; hit enter to leave it empty, which removes the passphrase.

Check SSH Key Fingerprint

Each SSH key pair shares a single cryptographic “fingerprint” that uniquely identifies the key. To find the fingerprint of an SSH key, type:

ssh-keygen -l

ssh-keygen -l -f ~/.ssh/id_citizix

Copying your Public SSH Key to a Server

Copying the public key to a remote server will allow login without a password:

# This will prompt for a password
ssh-copy-id username@remote_host

After typing in the password, the contents of your ~/.ssh/id_rsa.pub key will be appended to the end of the user account’s ~/.ssh/authorized_keys file. You can now log in without a password:

ssh username@remote_host

Copying your Public SSH Key to a Server Without SSH-Copy-ID

If you do not have the ssh-copy-id utility available, but still have password-based SSH access to the remote server, you can copy the contents of your public key in a different way.

  1. Copy the contents of your public key file and paste them at the bottom of the remote server’s ~/.ssh/authorized_keys file.

  2. Alternatively, output the contents of the key and pipe it into the ssh command, which creates the remote ~/.ssh directory if needed and appends the key to ~/.ssh/authorized_keys:

cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
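The one-liner above appends whatever arrives on stdin to authorized_keys, creates the directory with whatever the remote umask gives, and appends the same key again on every run. The following is an added example (not code from the original post) of the remote-side half written as a function that can be exercised against a local scratch file: it sets the directory and file modes sshd requires, refuses input that is not a single public-key line, and appends only if that exact line is not already present. The key line, paths and comment are constructed for this demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Remote-side logic for
# installing a public key into authorized_keys, run here against a scratch
# directory. Key line and paths below are constructed for the demo.
set -e

# Accept only "<type> <base64> [comment]" lines for the key types OpenSSH
# uses; anything else (e.g. a private key piped by mistake) is rejected.
looks_like_public_key() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( [^[:space:]].*)?$'
}

# Install one key line into the given authorized_keys path.
# Prints "added", "already-present" or "rejected".
install_authorized_key() {
    key_line=$1
    akfile=$2
    akdir=$(dirname "$akfile")

    if ! looks_like_public_key "$key_line"; then
        echo rejected
        return 0
    fi

    # sshd ignores the file when it or its directory is group/world writable.
    mkdir -p "$akdir"
    chmod 700 "$akdir"
    touch "$akfile"
    chmod 600 "$akfile"

    # -x: whole-line match, -F: fixed string, so an existing key is not re-added.
    if grep -qxF -- "$key_line" "$akfile"; then
        echo already-present
    else
        printf '%s\n' "$key_line" >> "$akfile"
        echo added
    fi
}

# Count active entries; blank lines and # comments are skipped, as sshd does.
count_authorized_keys() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1"
}

# Mode string as ls shows it (portable across GNU and BSD ls).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Demo on a scratch directory: install twice, then try a non-key line.
run_demo() {
    dir=$(mktemp -d)
    akfile="$dir/.ssh/authorized_keys"
    # Constructed key line; the base64 part is not a real key.
    demo_key="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDEMOnotARealKey0000000000000000000000000000 demo@example"
    install_authorized_key "$demo_key" "$akfile"
    install_authorized_key "$demo_key" "$akfile"
    install_authorized_key "-----BEGIN OPENSSH PRIVATE KEY-----" "$akfile"
    echo "entries=$(count_authorized_keys "$akfile")"
    echo "dir=$(perm_string "$dir/.ssh") file=$(perm_string "$akfile")"
    rm -rf "$dir"
}

run_demo
```

To use it the way the post’s one-liner does, the function body would be sent as the remote command with the key line on stdin; the validation step is the part worth keeping, since `cat >>` alone will happily append a private key or a whole shell history if the wrong file is piped in.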

More Hacks

Generate the public SSH key from a private key:

ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
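The generation, passphrase-change, fingerprint and `-y` steps above can be strung together into a self-check that a key file really belongs with the public key you are about to distribute. The script below is an added example, not code from the original post: it works in a scratch directory, uses ed25519 instead of the post’s RSA 4096 only because it generates faster (the commands are the same for either type), and the file name, comment and passphrase are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates a key pair in
# a temporary directory, sets a passphrase non-interactively with -p,
# regenerates the public key from the private key with -y, and confirms
# with -l that both public keys carry the same fingerprint. Names,
# comment and passphrase below are constructed for the demo.
set -e

# Print only the SHA256 fingerprint field of `ssh-keygen -l` output.
fingerprint() {
    ssh-keygen -l -f "$1" | awk '{print $2}'
}

# A private key must be readable only by its owner; ssh refuses keys that
# are group/world readable. Prints "ok" or "too-open".
check_private_key_perms() {
    if [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]; then
        echo ok
    else
        echo too-open
    fi
}

# Change the passphrase without prompting: -P is the old one, -N the new one.
set_passphrase() {
    ssh-keygen -q -p -f "$1" -P "$2" -N "$3" >/dev/null
}

# Regenerate the public key from the private key and compare fingerprints.
# -P supplies the passphrase so -y does not prompt. Prints "match"/"mismatch".
public_key_roundtrip() {
    key=$1
    passphrase=$2
    ssh-keygen -y -f "$key" -P "$passphrase" > "$key.regen.pub"
    if [ "$(fingerprint "$key.pub")" = "$(fingerprint "$key.regen.pub")" ]; then
        echo match
    else
        echo mismatch
    fi
}

# Run the whole sequence on a fresh key and print one result per step.
run_demo() {
    dir=$(mktemp -d)
    key="$dir/id_demo"
    demo_pass="demo-passphrase-not-for-real-use"   # constructed

    # -N "" gives an empty passphrase so generation does not prompt;
    # -q suppresses the randomart and progress output.
    ssh-keygen -q -t ed25519 -f "$key" -N "" -C "demo-key" >/dev/null

    echo "perms=$(check_private_key_perms "$key")"
    set_passphrase "$key" "" "$demo_pass"
    echo "passphrase=changed"
    echo "roundtrip=$(public_key_roundtrip "$key" "$demo_pass")"

    rm -rf "$dir"
}

run_demo
```

Comparing fingerprints rather than the raw `.pub` text is deliberate: `-y` output may or may not carry the comment depending on the OpenSSH version, while the fingerprint covers only the key material.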

Running a Single Command on a Remote Server

ssh username@remote_host command_to_run

Logging in to a Server with a Different Port

ssh -p port_num username@remote_host

Using a configuration file:

# File ~/.ssh/config
Host remote_alias
    HostName remote_host
    Port port_num

Adding your SSH Keys to an SSH Agent to Avoid Typing the Passphrase

If you have a passphrase on your private SSH key, you will be prompted to enter the passphrase every time you use it to connect to a remote host.

To avoid having to repeatedly do this, you can run an SSH agent. This small utility stores your private key after you have entered the passphrase for the first time. It will be available for the duration of your terminal session, allowing you to connect in the future without re-entering the passphrase.

To start the SSH Agent, type the following into your local terminal session:

eval $(ssh-agent)

Now add your private key to the agent, so that it can manage your key:

ssh-add

# ssh-add takes the private key path as a positional argument (there is no -f option)
ssh-add ~/.ssh/id_citizix

You will have to enter your passphrase (if one is set). Afterwards, your identity file is added to the agent, allowing you to use your key to sign in without having to re-enter the passphrase again.
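The agent steps above, as an added example that is not code from the original post: it starts a throwaway agent for the current shell, adds a freshly generated key, confirms the key is loaded by comparing the fingerprint `ssh-add -l` reports with the key file’s own, and then removes the identity and stops the agent so nothing lingers. The key, its comment and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post. Start an agent, load a
# key, verify it is loaded, then clean up. Key and paths are constructed.
set -e

# Print only the SHA256 fingerprint field of `ssh-keygen -l` output.
fingerprint() {
    ssh-keygen -l -f "$1" | awk '{print $2}'
}

# Prints "loaded" if the key's fingerprint appears in the agent, else "missing".
agent_demo() {
    dir=$(mktemp -d)
    key="$dir/id_demo"
    ssh-keygen -q -t ed25519 -f "$key" -N "" -C "agent-demo" >/dev/null

    # ssh-agent -s prints the SSH_AUTH_SOCK / SSH_AGENT_PID exports;
    # eval applies them to this shell only.
    eval "$(ssh-agent -s)" >/dev/null

    # The private key path is a positional argument to ssh-add.
    ssh-add "$key" 2>/dev/null

    # ssh-add -l lists the fingerprints of the identities the agent holds.
    if ssh-add -l | awk '{print $2}' | grep -qxF -- "$(fingerprint "$key.pub")"; then
        result=loaded
    else
        result=missing
    fi

    # Remove the identity and stop the agent (-k uses SSH_AGENT_PID).
    ssh-add -d "$key.pub" 2>/dev/null || true
    ssh-agent -k >/dev/null
    rm -rf "$dir"
    echo "$result"
}

agent_demo
```

`ssh-add -l` is the check to run when a passphrase prompt appears unexpectedly: if the fingerprint is absent, the key was never added to the agent the current shell is talking to, which happens easily when a new terminal is opened without the `eval $(ssh-agent)` step.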

Forwarding your SSH Credentials to Use on a Server

If you wish to be able to connect without a password to one server from within another server, you will need to forward your SSH key information. This will allow you to authenticate to another server through the server you are connected to, using the credentials on your local computer.

You must have your SSH agent started and your SSH key added to the agent. Then connect to the first server with the -A option to forward your credentials to that server for this session:

ssh -A username@remote_host