Not Password, Key: Fast and Secure Access to Server with SSH Keygen
If you work in the software industry, especially in DevOps or system administration teams, you may need to access multiple servers daily. Typing a username and password each time can lead to both time loss and potential security vulnerabilities. This is where SSH Keygen comes into play. SSH keys not only eliminate the need to enter password information, but they also make your connections more secure.
In this article, we will guide you step-by-step on how to create keys with SSH Keygen and how to add these keys to your servers. By following these steps, you’ll save time and ensure fast, secure access to your servers.
Why Should We Use SSH Keygen?
There are several methods to connect to servers, with the most common being the username and password method. While this approach provides secure communication through encryption during the connection, it carries certain risks. Users often choose easily memorable passwords, which can make them vulnerable to persistent attacks due to the passwords lacking sufficient strength and complexity.
Additionally, there is the risk of storing passwords in insecure environments. Given these security vulnerabilities, the SSH Keygen method emerges as a more reliable alternative compared to password authentication. SSH keys eliminate the need to enter passwords, thereby enhancing security and providing ease of use.
How Does SSH Keygen Work?
SSH key pairs consist of two cryptographically secure keys used to authenticate a client to an SSH server: the public key and the private key. These keys work together to provide a secure authentication mechanism.
- The private key is stored on the client side and holds significant importance. This key is unique to the user and must be kept secure, as it is used to connect to the server. Therefore, the security of the private key must be maintained at a high level to prevent unauthorized access.
- The public key, on the other hand, is used solely to encrypt messages that can only be decrypted by the private key. The public key is added to the server where the SSH connection will be made and is typically stored in a special file called ~/.ssh/authorized_keys on the server.
When a client attempts to establish an SSH connection to the server, the server requests proof that the client possesses the private key. If the client successfully validates this, the server creates a shell session, establishing a secure connection. This process allows for a secure and fast connection without the need for a password, relying solely on key-based authentication.
Creating a Key Pair with SSH Keygen
One of the crucial steps in enhancing security for SSH connections is for each client to generate their own SSH key pair. In this step, we will create an SSH key pair on our local computer to make server connections more secure. By using the SSH Keygen command, a 3072-bit RSA key pair will be created by default under the ~/.ssh directory, consisting of the files id_rsa (the private key) and id_rsa.pub (the public key).
Steps to Generate a Key Pair:
1. Running the SSH Key Command: To create a new SSH key pair, simply execute the following command in the terminal:
ssh-keygen
Output:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
2. Specifying the Directory for Key Storage: By default, the SSH key pair is saved in the ~/.ssh directory on your local computer. However, if you wish to store it in a different directory, the terminal will prompt you for the directory where you want to save it. For general usage, it is advisable to select the default directory (~/.ssh) and press Enter to proceed.
3. Checking for Existing Key Pairs: If you already have an SSH key pair created, the terminal will give you a warning that “/home/username/.ssh/id_rsa already exists.” In this case, since the existing key pair files will be overwritten, you will not be able to connect using your old keys. Therefore, if you wish to continue connecting to servers with your old keys, you can either save the new key pair under a different name or back up the previous keys.
Output:
/home/username/.ssh/id_rsa already exists.
Overwrite (y/n)?
4. Setting a Passphrase (Optional): During the key pair generation phase, the terminal will prompt you to enter a passphrase. This passphrase will only be valid on your own computer and will enhance the security of your SSH key pair. If you do not wish to enter a passphrase, you can skip this step by pressing Enter; however, setting a passphrase is recommended for added security.
Output:
Created directory '/home/username/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
After completing these steps, you will have an SSH key pair that you can use for secure and fast connections. You can proceed to the next step by adding your public key to the server to establish passwordless connections.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa
Your public key has been saved in /home/username/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:30l2dFwRU3JCIExCwVOFdxkrSwGW6hxPxfSgHpwiUuI username@hostname
The key's randomart image is:
+---[RSA 3072]----+
| . .o+=*B*o=*B|
| . o o+++++o*o|
| E . .o=oo.+ o|
| . .oo.o + . |
| oS+. + . |
| o..+ o |
| . o |
| |
| |
+----[SHA256]-----+
Steps to Add SSH Key to the Server
To enable passwordless connection by adding the public key we created on our local computer to the server, there are two main methods:
1. Copying with ssh-copy-id Command: This is one of the simplest methods. You can directly copy your public key to the server using the ssh-copy-id command. This command adds your public key to the ~/.ssh/authorized_keys file of the server you want to connect to. The steps are as follows:
ssh-copy-id username@hostname
When the command runs, you will be prompted to enter the server password. After verification, the public key will be copied to the server, and you will be able to open an SSH session without needing a password on the next connection.
2. Manually Adding Public Key: In this method, you need to manually log into the server and add the public key yourself. The steps are:
- Log in to the server:
ssh username@hostname
- Go to the ~/.ssh directory on the server. If the ~/.ssh directory does not exist, you can create it with the following command:
mkdir -p ~/.ssh
- Copy the content of your public key from the id_rsa.pub file on your local computer and paste it into the ~/.ssh/authorized_keys file on the server. You can use the following command to open the file:
nano ~/.ssh/authorized_keys
- After pasting the public key, save the file and exit.
After completing these steps, you will not need to enter a password when establishing an SSH connection.
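The manual steps above, written as a repeatable function. This is an added example, not code from the original article: install_pubkey and its TARGET_HOME parameter are hypothetical names, and it assumes the public key file has already been copied to the server.

```sh
#!/bin/sh
# Added example (not from the original article).
# install_pubkey PUBKEY_FILE [TARGET_HOME]
#   TARGET_HOME is a hypothetical parameter (default: $HOME) so the function
#   can be tried against a scratch directory before touching a real account.
install_pubkey() {
    pubkey_file=$1
    target_home=${2:-$HOME}
    ssh_dir=$target_home/.ssh
    auth_file=$ssh_dir/authorized_keys

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }

    # A public key is one line: "<type> <base64> [comment]".
    key_line=$(grep -v '^[[:space:]]*$' "$pubkey_file" | head -n 1)

    # Refuse anything that is not a public key line, e.g. the private key
    # file id_rsa passed by mistake instead of id_rsa.pub.
    case $key_line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 2 ;;
    esac

    # Create directory and file with owner-only permissions from the start,
    # then set the modes explicitly in case they already existed.
    ( umask 077 && mkdir -p "$ssh_dir" && touch "$auth_file" ) || return 1
    chmod 700 "$ssh_dir" || return 1
    chmod 600 "$auth_file" || return 1

    # Append only if this exact line is not already present.
    if grep -qxF -- "$key_line" "$auth_file"; then
        echo "already present"
        return 0
    fi
    # Make sure the previous entry ends with a newline before appending.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "added"
}
```

Running it a second time with the same key leaves authorized_keys unchanged, so it is safe to repeat.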
Testing the Connection to the Server with SSH Key
After successfully adding the SSH key to the server, you can now test the passwordless connection. To do this, try connecting to the server using the following command:
ssh username@hostname
If everything is configured correctly, you should not need to enter a password to log into the server. You can now establish a secure and fast connection using SSH key authentication.
Note: If you are still prompted for a password during the connection, review the following steps:
- Ensure that the authorized_keys file is saved in the correct location and that the public key is added correctly.
- Check the file permissions: the permissions of the ~/.ssh/authorized_keys file should typically be set to 600, and the permissions of the ~/.ssh directory should be set to 700.
With a successful test, you can now access the server without a password!
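The checks from the note above, as a script to run on the server when the password prompt still appears. This is an added example, not code from the original article: audit_ssh_perms, mode_of and the TARGET_HOME parameter are hypothetical names, and it tests for exactly the 700 and 600 modes the note gives, plus a key that was wrapped onto several lines when pasted.

```sh
#!/bin/sh
# Added example (not from the original article).
# audit_ssh_perms [TARGET_HOME]
#   Prints one line per finding; the return status is the number of findings.
#   TARGET_HOME is a hypothetical parameter (default: $HOME).
mode_of() { ls -ld "$1" | cut -c1-10; }

audit_ssh_perms() {
    target_home=${1:-$HOME}
    ssh_dir=$target_home/.ssh
    auth_file=$ssh_dir/authorized_keys
    findings=0

    if [ ! -d "$ssh_dir" ]; then
        echo "MISSING: $ssh_dir"
        return 1
    fi
    if [ "$(mode_of "$ssh_dir")" != "drwx------" ]; then
        echo "MODE: $ssh_dir is $(mode_of "$ssh_dir"), want drwx------ (700)"
        findings=$((findings + 1))
    fi
    if [ ! -f "$auth_file" ]; then
        echo "MISSING: $auth_file"
        return $((findings + 1))
    fi
    if [ "$(mode_of "$auth_file")" != "-rw-------" ]; then
        echo "MODE: $auth_file is $(mode_of "$auth_file"), want -rw------- (600)"
        findings=$((findings + 1))
    fi

    # A key pasted through an editor can end up wrapped onto several lines.
    # Every entry must be a single line with at least "<type> <base64>",
    # so a non-comment line with only one field is a broken entry.
    broken=$(awk 'NF == 1 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$auth_file")
    if [ "$broken" -gt 0 ]; then
        echo "FORMAT: $broken line(s) in $auth_file look like a wrapped key"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```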
Conclusion
Using SSH Keygen for server access offers a secure and efficient alternative to traditional password authentication. By generating SSH key pairs and adding the public key to your servers, you eliminate the need to enter passwords, enhancing both security and convenience. The process involves straightforward steps: creating the key pair, adding the public key to the server, and testing the connection. With proper configuration, you can enjoy seamless and passwordless access to your servers, reducing time spent on logins while bolstering security against unauthorized access.

