Quick reading
If you already know what you're doing and just need to remember the commands:
Shell
# creates the keys using the ed25519 algorithm
ssh-keygen -t ed25519
# transfers the key to the server
ssh-copy-id username@remote_hostname
If you want to understand what you're doing, read the text below.
SSH keys are authentication credentials
Part of the SSH (Secure Shell) protocol, the keys use PKI (public key infrastructure), a widely adopted authentication and encryption standard that gives devices and users a verifiable identity on the network.
The key pair consists of a public key, which is shared with the remote server, and a private key, which stays on the local computer. On each new connection the client proves that it holds the private key and the server verifies that proof against the public key it has stored; the private key itself is never sent over the network.
Different algorithms are used to create authentication keys, two common ones are:
- RSA - Highly secure; keys are 2048 or 4096 bits and remain compatible with older operating systems.
- Ed25519 - A newer standard. It provides the same level of security and efficiency as RSA keys, but with a much smaller key size of 256 bits. Its adoption is growing across platforms.
Generating the key pair
This article will demonstrate the creation of an Ed25519 key, but it can also be followed to generate an RSA key.
Shell
ssh-keygen -t ed25519
Generating public/private ed25519 key pair
Enter file in which to save the key (/home/username/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_ed25519
Your public key has been saved in /home/username/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:NWi5nmnJ/wAji+J1tUH2go2qO1Pou3MjY0Ivyirzz04 username@localhost
The key's randomart image is:
+--[ED25519 256]--+
| |
| o |
| * o |
| B + . |
| . + S . |
| .. .o * X |
|..o.E o O . |
|=oOBo. . . . |
|**O&+. ... |
+----[SHA256]-----+
You will be asked where to store the key; press Enter to keep the default path. When asked for the passphrase and its confirmation, you can leave it blank by pressing Enter. In that case it will be possible to connect to the remote server from the local machine on which the keys were created without entering a password.
The passphrase is a password for the private key; it differs from a password in the traditional sense only in that it is used to encrypt the private key file when the key is generated. Its use is encouraged because it adds a second layer of protection: getting hold of the private key file is not enough without also knowing the passphrase.
Whether to use a passphrase depends on the environment in which the keys will be used. On a computer that only one person can access, leaving the passphrase out is less risky than on a machine that other people can use.
More than 90% of the keys created in large companies do not use passphrases, which allows processes to be automated without human interaction. Access policies are established to increase security.
By default the keys are created in the .ssh/ folder inside the user's home directory: the file named id_ed25519 is the private key and must be kept secret, while id_ed25519.pub is the public key that can be shared with the remote server.
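To make the pieces of that ssh-keygen output concrete, here is an added Python example (not code from the article or from OpenSSH). It parses a public key line of the kind written to id_ed25519.pub, checks that the key type named in the text prefix matches the type embedded in the base64 blob, computes the SHA256 fingerprint in the same format ssh-keygen prints above, and reads the header of an OpenSSH private key file to tell whether it was actually protected with a passphrase. All sample inputs are constructed inside the script; bytes(range(32)) is a placeholder, not a real key, and the private key headers are built only as far as the fields the check needs.

```python
"""Inspect OpenSSH key material without calling ssh-keygen.
Added example, not code from the article or from OpenSSH; sample inputs are
constructed below and bytes(range(32)) is a placeholder, not a real key."""
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one length-prefixed field of the SSH wire format (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob: bytes, offset: int):
    """Decode one length-prefixed field; returns (value, offset after it)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string field")
    return blob[start:end], end


def parse_public_key(line: str) -> dict:
    """Parse one line of id_ed25519.pub / authorized_keys.
    The text prefix (ssh-ed25519) is repeated inside the base64 blob; both
    must agree, and an Ed25519 public key is exactly 32 bytes."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    embedded_type, off = _read_string(blob, 0)
    if embedded_type.decode("ascii", "replace") != key_type:
        raise ValueError(f"prefix says {key_type}, blob says {embedded_type!r}")
    key_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing data after key")
    if key_type == "ssh-ed25519" and len(key_bytes) != 32:
        raise ValueError(f"Ed25519 key must be 32 bytes, got {len(key_bytes)}")
    return {"type": key_type, "key": key_bytes, "blob": blob, "comment": comment}


def is_valid_public_key_line(line: str) -> bool:
    """True when the line parses cleanly, False otherwise."""
    try:
        parse_public_key(line)
        return True
    except ValueError:
        return False


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint as ssh-keygen prints it: base64 without '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def build_public_key_line(key_bytes: bytes, comment: str) -> str:
    """Inverse of parse_public_key; used here only to construct sample input."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(key_bytes)
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}"


def private_key_is_encrypted(key_file_text: str) -> bool:
    """Tell whether an OpenSSH private key file carries a passphrase.
    The openssh-key-v1 container begins with a magic string, then the cipher
    name and the KDF name; both read "none" when no passphrase was set."""
    body = [ln for ln in key_file_text.strip().splitlines() if not ln.startswith("-----")]
    blob = base64.b64decode("".join(body))
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("not an openssh-key-v1 file")
    cipher, off = _read_string(blob, len(magic))
    kdf, _ = _read_string(blob, off)
    return cipher != b"none" or kdf != b"none"


def build_private_key_header(cipher: bytes, kdf: bytes) -> str:
    """Constructed sample: only the container header, enough for the check above."""
    blob = b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
    b64 = base64.b64encode(blob).decode("ascii")
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed sample public key line (placeholder key bytes, not a real key).
SAMPLE_PUB_LINE = build_public_key_line(bytes(range(32)), "username@localhost")

if __name__ == "__main__":
    info = parse_public_key(SAMPLE_PUB_LINE)
    print(info["type"], len(info["key"]), "bytes, comment:", info["comment"])
    print(fingerprint(info["blob"]))
    for cipher, kdf in ((b"aes256-ctr", b"bcrypt"), (b"none", b"none")):
        print(cipher.decode(), "->", private_key_is_encrypted(build_private_key_header(cipher, kdf)))
```

Running it against a real id_ed25519.pub (read the file and pass the line to parse_public_key) gives the same SHA256 value as ssh-keygen -lf, which is a quick way to confirm that the key you are about to copy to a server is the one you generated. private_key_is_encrypted on a real id_ed25519 file returns False for a key created with an empty passphrase, the case the text above warns about.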
Transferring the key to the remote server
In the example below, the -p parameter specifies an alternative port and -i points to the public key path. Both parameters can be omitted to use the default options.
ssh-copy-id -p ssh_port -i ~/.ssh/id_ed25519.pub username@remote_server
ssh-copy-id: INFO: Source of key(s) to be installed: "/home/username/.ssh/id_ed25519.pub"
ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@remote_server's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -p 'ssh_port' 'username@remote_server'"
and check to make sure that only the key(s) you wanted were added.
The password of the user on the remote server is requested in order to transfer the public key. If the line Number of key(s) added: 1 is displayed, the key was added successfully.
With the public key installed, the remote server will no longer ask for a password when you log in with SSH or transfer files with the scp or rsync commands. If a passphrase was set when the key was created, it must be entered for each connection.
It is possible to store the passphrase in a file so that you do not have to type it on every access, but this defeats the purpose of having a secret passphrase, since the file would also be exposed in the event of an intrusion.
Test access to the remote server:
ssh username@remote_server
The SSH key is used as a credential instead of a password.
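As an added example (not the article's own commands and not OpenSSH's implementation of ssh-copy-id), the Python script below reproduces what the transcript above shows on the server side: it appends only keys that are not already present in ~/.ssh/authorized_keys, comparing on key type and blob so that the same key with a different comment is not installed twice, reports how many keys were actually added, and sets the 0700/0600 permissions that sshd requires when StrictModes is on. The home directory is a temporary directory and the key lines are constructed placeholders, so it runs offline.

```python
"""Install public keys into authorized_keys the way ssh-copy-id reports it.
Added example, not code from the article or from OpenSSH. Paths and key
lines are constructed placeholders for the demonstration."""
import os
import stat
import tempfile


def key_identity(line: str):
    """Return (type, base64 blob) so keys compare equal regardless of comment."""
    parts = line.split()
    if len(parts) < 2 or parts[0].startswith("#"):
        return None  # blank, comment or malformed line
    return parts[0], parts[1]


def install_public_keys(pub_lines, home_dir: str) -> int:
    """Append keys missing from <home>/.ssh/authorized_keys; return count added."""
    ssh_dir = os.path.join(home_dir, ".ssh")
    auth_file = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs honours the umask, so enforce explicitly

    # "filter out any that are already installed": index what is there now
    existing = set()
    if os.path.exists(auth_file):
        with open(auth_file, encoding="utf-8") as fh:
            for ln in fh:
                ident = key_identity(ln)
                if ident:
                    existing.add(ident)

    added = 0
    # O_APPEND keeps existing entries intact; 0o600 applies only on creation
    fd = os.open(auth_file, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as out:
        for line in pub_lines:
            ident = key_identity(line)
            if ident is None or ident in existing:
                continue  # malformed, or already installed
            out.write(line.strip() + "\n")
            existing.add(ident)
            added += 1
    os.chmod(auth_file, 0o600)
    return added


def audit_permissions(home_dir: str) -> list:
    """List anything sshd (StrictModes yes) would reject: group/other access."""
    problems = []
    ssh_dir = os.path.join(home_dir, ".ssh")
    checks = ((ssh_dir, 0o700), (os.path.join(ssh_dir, "authorized_keys"), 0o600))
    for path, allowed in checks:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & ~allowed:
            problems.append(f"{path}: mode {mode:o}, expected at most {allowed:o}")
    return problems


# Constructed sample keys: the blobs are placeholders, not real Ed25519 keys.
KEY_A = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA user@laptop"
KEY_A_RENAMED = KEY_A.replace("user@laptop", "user@other-comment")
KEY_B = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOTHERKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA backup@server"


def demo() -> tuple:
    """Install twice in a throwaway home dir; returns (added, added, problems)."""
    with tempfile.TemporaryDirectory() as home:
        first = install_public_keys([KEY_A], home)                  # 1 added
        second = install_public_keys([KEY_A_RENAMED, KEY_B], home)  # only KEY_B is new
        return first, second, audit_permissions(home)


if __name__ == "__main__":
    print(demo())  # (1, 1, [])
```

The second run is the point: KEY_A_RENAMED carries the same key with a different comment, so it is skipped exactly as ssh-copy-id skips keys it can already log in with, and the count reflects only the genuinely new key. audit_permissions is the check to run when key login silently falls back to a password prompt, since sshd ignores an authorized_keys file that other users can write to.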
Final Thoughts
SSH keys are very useful. They enable automation in many situations, such as a scheduled backup between servers that runs without human interaction. They also increase security by encouraging the use of stronger passwords, since you no longer have to type them on every login.