In this guide, we are going to explore how to work with ssh keys. This is generating ssh keys, adding or removing passphrase in ssh keys, getting information about ssh keys and copying the public keys to the server so we can do passwordless login.
SSH is a secure protocol used as the primary means of connecting to Linux servers remotely. It provides a text-based interface by spawning a remote shell. After connecting, all commands you type in your local terminal are sent to the remote server and executed there.
Clients generally authenticate either using passwords or SSH keys. Passwords are less secure therefore ssh keys are always recommended.
To authenticate using SSH keys, a user must have an SSH key pair on their local computer. On the remote server, the public key must be copied to a file within the user’s home directory at
~/.ssh/authorized_keys. This file contains a list of public keys, one-per-line, that are authorized to log into this account.
Generating an SSH Key Pair
Generate pub/private key combination
ssh-keygen # With options (Larger Number of Bits 4096 and file name) ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_citizix # Explicit comment ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_citizix -C citizix_key
The above commands will generate an RSA SSH key pair. If the file location is not specified, they will be located in the
.ssh hidden directory within your user’s home directory. The default files are:
~/.ssh/id_rsa: The private key. DO NOT SHARE THIS FILE!
~/.ssh/id_rsa.pub: The associated public key. This can be shared freely without consequence.
Removing or Changing the Passphrase on a Private Key
If you have generated a passphrase for your private key and wish to change or remove it, use the following commands:
ssh-keygen -p ssh-keygen -p -f ~/.ssh/id_citizix
Enter the old passphrase that you wish to change. You will then be prompted for a new passphrase, or you can just hit enter to leave empty.
Check SSH Key Fingerprint
Each SSH key pair share a single cryptographic "fingerprint" which can be used to uniquely identify the keys. To find out the fingerprint of an SSH key, type:
ssh-keygen -l ssh-keygen -l -f ~/.ssh/id_citizix
Copying your Public SSH Key to a Server
Copying the public key to a remote server will allow login without a password:
# This will prompt for a password ssh-copy-id [email protected]_host
After typing in the password, the contents of your ~/.ssh/id_rsa.pub key will be appended to the end of the user account’s ~/.ssh/authorized_keys file. You can now login without a password:
ssh [email protected]_host
Copying your Public SSH Key to a Server Without SSH-Copy-ID
If you do not have the ssh-copy-id utility available, but still have password-based SSH access to the remote server, you can copy the contents of your public key in a different way.
Copy the content to the bottom of the remote server’s
You can output the contents of the key and pipe it into the ssh command. Append to
cat ~/.ssh/id_rsa.pub | ssh [email protected]_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Generate public ssh key from a private key:
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
Running a Single Command on a Remote Server
ssh [email protected]_host command_to_run
Logging in to a Server with a Different Port
ssh -p port_num [email protected]_host
Using a configuration file:
# File ~/.ssh/config Host remote_alias HostName remote_host Port port_num
Adding your SSH Keys to an SSH Agent to Avoid Typing the Passphrase
If you have a passphrase on your private SSH key, you will be prompted to enter the passphrase every time you use it to connect to a remote host.
To avoid having to repeatedly do this, you can run an SSH agent. This small utility stores your private key after you have entered the passphrase for the first time. It will be available for the duration of your terminal session, allowing you to connect in the future without re-entering the passphrase.
To start the SSH Agent, type the following into your local terminal session:
Now add your private key to the agent, so that it can manage your key:
ssh-add ssh-add -f ~/.ssh/id_citizix
You will have to enter your passphrase (if one is set). Afterwards, your identity file is added to the agent, allowing you to use your key to sign in without having to re-enter the passphrase again.
Forwarding your SSH Credentials to Use on a Server
If you wish to be able to connect without a password to one server from within another server, you will need to forward your SSH key information. This will allow you to authenticate to another server through the server you are connected to, using the credentials on your local computer.
You must have your SSH agent started and your SSH key added to the agent. Then connect to the first server with option
-A to forward your credentials to the server for this session
ssh -A [email protected]_host