Introduction

An SSH server can authenticate clients using a variety of different methods. The most basic of these is password authentication, which is easy to use, but not the most secure.

Although passwords are encrypted in transit to the server, they are generally not complex or long enough to resist an attacker who keeps guessing over a long period.

An SSH key pair is a set of two mathematically linked keys that can be used to authenticate a client to an SSH server: a public key, which can safely be shared with any server, and a private key, which stays on your own computer and is never sent anywhere.

Step 1 — Creating SSH Keys

The first step to configure SSH key authentication to your server is to generate an SSH key pair on your local computer.

ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/Users/username/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):

The utility will prompt you to select a location for the keys that will be generated. By default, the keys will be stored in the ~/.ssh directory within your user’s home directory. The private key will be called id_ed25519 and the associated public key will be called id_ed25519.pub.

Usually, it is best to stick with the default location at this stage. Doing so will allow your SSH client to automatically find your SSH keys when attempting to authenticate. If you would like to choose a non-standard path, type it now; otherwise, press ENTER to accept the default.

If you had previously generated an SSH key pair, you may see a prompt that looks like this:

/home/username/.ssh/id_ed25519 already exists.
Overwrite (y/n)?

If you choose to overwrite the key on disk, you will not be able to authenticate using the previous key anymore. Be very careful when selecting yes, as this is a destructive process that cannot be reversed.

Created directory '/home/username/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Next, you will be prompted to enter a passphrase for the key.

A passphrase is optional. It encrypts the private key on disk, so a copy of the key file alone is not enough to use it. If you enter one, you will have to provide it every time you use this key (unless you are running SSH agent software that stores the decrypted key). You can press ENTER to bypass this prompt.

Your identification has been saved in id_ed25519
Your public key has been saved in id_ed25519.pub
The key fingerprint is:
SHA256:94gxE94XEk+6K+P816TJPO93LPuKKa/4NY4DUIIytnw username@localhost.localnet
The key's randomart image is:
+--[ED25519 256]--+
(randomart rows omitted: their column alignment did not survive extraction)
+----[SHA256]-----+

You now have a public and private key that you can use to authenticate. The next step is to place the public key on the server so that you can use SSH key authentication to log in.

Step 2 — Copying an SSH Public Key to Your Server

There are multiple ways to upload your public key to your remote SSH server. The method you use depends largely on the tools you have available and the details of your current configuration.

Copying Your Public Key Using ssh-copy-id

The simplest way to copy your public key to an existing server is to use a utility called ssh-copy-id. Because of its simplicity, this method is recommended if available.

To use the utility, you need to specify the remote host that you would like to connect to, and the user account that you have password-based SSH access to. This is the account where your public SSH key will be copied.

ssh-copy-id username@snorlax-login.cs.uwaterloo.ca
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@snorlax-login.cs.uwaterloo.ca's password:

Type in the password (your typing will not be displayed for security purposes) and press ENTER. The utility will connect to the account on the remote host using the password you provided. It will then copy the contents of your ~/.ssh/id_ed25519.pub key into a file in the remote account’s home ~/.ssh directory called authorized_keys.

You will see output that looks like this:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'username@snorlax-login.cs.uwaterloo.ca'"
and check to make sure that only the key(s) you wanted were added.

At this point, your id_ed25519.pub key has been uploaded to the remote account. You can continue onto the next section.

Copying Your Public Key Using SSH

If you do not have ssh-copy-id available, but you have password-based SSH access to an account on your server, you can upload your keys using a conventional SSH method.

We can do this by outputting the content of our public SSH key on our local computer and piping it through an SSH connection to the remote server. On the other side, we can make sure that the ~/.ssh directory exists under the account we are using and then output the content we piped over into a file called authorized_keys within this directory.

We will use the >> redirect symbol to append the content instead of overwriting it. This will let us add keys without destroying previously added keys.

cat ~/.ssh/id_ed25519.pub | ssh username@snorlax-login.cs.uwaterloo.ca "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
username@snorlax-login.cs.uwaterloo.ca's password:

After entering your password, the content of your id_ed25519.pub key will be copied to the end of the authorized_keys file of the remote user’s account. Continue to the next section if this was successful.
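As an added example (not part of this guide), the remote-side half of the manual method above is written here as a POSIX shell function that can be exercised locally: it creates ~/.ssh with the permissions sshd expects (700 on the directory, 600 on authorized_keys) and appends the key only if that exact line is not already present, so it can be re-run without duplicating keys. The function names, the scratch home directory and the sample key line are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original guide: the same steps as the quoted
# remote command, plus permission hardening and duplicate suppression.
#
# install_pubkey: append one public-key line to $2/.ssh/authorized_keys
#   $1  the public-key line (the single line found in id_ed25519.pub)
#   $2  the home directory to install into (assumed; a scratch dir below)
install_pubkey() {
    pubkey=$1
    sshdir=$2/.ssh
    authfile=$sshdir/authorized_keys

    # sshd (StrictModes, the default) ignores authorized_keys when the
    # directory or file is writable by others, so set permissions explicitly
    mkdir -p "$sshdir" || return 1
    chmod 700 "$sshdir" || return 1
    touch "$authfile" || return 1
    chmod 600 "$authfile" || return 1

    # Like ssh-copy-id, skip keys that are already installed (exact line match)
    if grep -qxF -- "$pubkey" "$authfile"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$authfile"
}

# count_keys: number of non-blank lines in authorized_keys under home dir $1
count_keys() {
    grep -c . "$1/.ssh/authorized_keys"
}

# Constructed sample key line for local demonstration only (not a real key)
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENvbnN0cnVjdGVkRXhhbXBsZU5vdFJlYWw= username@localhost'

# Stand-alone demo in a scratch directory; run twice to show the dedupe
demo() {
    home=$(mktemp -d)
    install_pubkey "$SAMPLE_KEY" "$home"
    install_pubkey "$SAMPLE_KEY" "$home"
    count_keys "$home"   # prints 1
    ls -ld "$home/.ssh" "$home/.ssh/authorized_keys"
    rm -rf "$home"
}
demo
```

In the piped form used in this guide, the equivalent remote string would be "umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys", with the pipe from cat supplying the key on standard input.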

Step 3 — Authenticating to Your Server Using SSH Keys

If you have successfully completed one of the procedures above, you should be able to log into the remote host without the remote account’s password.

The process is mostly the same:

ssh username@snorlax-login.cs.uwaterloo.ca

If you did not supply a passphrase for your private key, you will be logged in immediately. If you supplied a passphrase for the private key when you created the key, you will be required to enter it now. Afterwards, a new shell session will be created for you with the account on the remote system.