How to generate SSH Keys on Linux?
Publisher: Psychz Networks, July 05, 2023
Creating an SSH key pair is a fundamental process for securely accessing remote servers and systems. An SSH (Secure Shell) key pair consists of a public key and a private key. The public key is shared with the remote server, while the private key is kept on your local machine. This article walks you through creating an SSH key pair in a few simple steps.
Requirement
Before we begin, please make sure you have the following key elements and privileges on your client and host servers.
To create SSH keys, you typically need the following prerequisites:
- SSH Client: Ensure that you have an SSH client installed on your local machine. Most modern operating systems, such as Linux, macOS, and Windows (with the help of third-party tools like PuTTY), come with SSH clients pre-installed.
- Access to a Remote Server: You should have access to a remote server or system where you want to authenticate using SSH keys. You will need to log in to that server with your username and password or an existing method of authentication.
- Permission on the Remote Server: Make sure you have sufficient permissions on the remote server to add or modify SSH authorized keys. Typically, you'll need administrative or superuser privileges (e.g., sudo) or access to your user's home directory.
With these prerequisites in place, you can proceed with generating SSH keys using the appropriate commands for your operating system.
Setup SSH Key
SSH, or secure shell, is an encrypted protocol to administer and communicate with servers. When working with a Linux server, you will spend most of your time in a terminal session connected to your server through SSH.
This guide focuses on setting up SSH keys on a Linux installation. SSH keys provide a secure way of logging into your server and are recommended for all users.
Creating the Key Pair
The first step is to create a key pair on the client machine (usually your computer):
# ssh-keygen
By default, recent versions of ssh-keygen will create a 3072-bit RSA key pair, which is secure enough for most use cases (you may optionally pass in the -b 4096 flag to create a larger 4096-bit key). After entering the command, you should see the following:
Generating public/private rsa key pair.
Enter file in which to save the key (/your_home/.ssh/id_rsa):
Press enter to save the key pair into the .ssh/ subdirectory in your home directory, or specify an alternate path.
You should then see the following prompt:
Enter passphrase (empty for no passphrase):
Here you may optionally enter a secure passphrase, which is highly recommended. A passphrase encrypts the private key file, so a copy of the file alone is not enough to log in.
You should then see the output similar to the following:
Your identification has been saved in /your_home/.ssh/id_rsa
Your public key has been saved in /your_home/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:/hk7MJ5n5aiqdfTVUZr+2Qt+qCiS7BIm5Iv0dxrc3ks user@host
The key's randomart image is:
+---[RSA 3072]----+
| .|
| + |
| + |
| . o . |
|o S . o |
| + o. .oo. .. .o|
|o = oooooEo+ ...o|
|.. o *o+=.*+o....|
| =+=ooB=o.... |
+----[SHA256]-----+
You now have a public and private key that you can use to authenticate. The next step is to place the public key on your server so that you can use SSH-key-based authentication to log in.
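The key creation step above can also be scripted and checked. The following is an added example, not part of the original article: it generates a key pair non-interactively, confirms that the .pub file really belongs to the private key, and prints the size, fingerprint and type. The function names, the scratch directory, the comment and the passphrase are all assumptions made for the example.

```sh
#!/bin/sh
# Added example: scripted ssh-keygen run plus sanity checks.
# make_keypair, pub_matches_private and key_summary are hypothetical names.

# make_keypair DIR COMMENT PASSPHRASE -> writes DIR/id_rsa and DIR/id_rsa.pub
make_keypair() {
    dir=$1; comment=$2; pass=$3
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # -N puts the passphrase on the command line, where other local users can
    # see it in the process list. It is used here only for a scratch key; for
    # a real key, omit -N and answer the prompt instead.
    ssh-keygen -q -t rsa -b 3072 -C "$comment" -N "$pass" -f "$dir/id_rsa"
}

# pub_matches_private KEYFILE PASSPHRASE -> 0 if KEYFILE.pub belongs to KEYFILE
pub_matches_private() {
    # -y re-derives the public key from the private key; compare type and blob.
    derived=$(ssh-keygen -y -P "$2" -f "$1" | cut -d' ' -f1,2)
    stored=$(cut -d' ' -f1,2 "$1.pub")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# key_summary PUBFILE -> prints "<bits> <fingerprint> (<type>)"
key_summary() {
    ssh-keygen -l -f "$1" | awk '{print $1, $2, $NF}'
}

# Demo in a scratch directory (constructed values; ~/.ssh is not touched).
scratch=$(mktemp -d)
make_keypair "$scratch" "demo@example" "scratch-passphrase" &&
    pub_matches_private "$scratch/id_rsa" "scratch-passphrase" &&
    key_summary "$scratch/id_rsa.pub"
rm -rf "$scratch"
```

Keep the fingerprint that key_summary prints: it is the value to compare against later when checking which keys a server accepts.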
Copying the Public Key to Your Linux Server
The quickest way to copy your public key to the host is to use a utility called ssh-copy-id. Due to its simplicity, this method is highly recommended if available. If you do not have ssh-copy-id available on your client machine, you may use one of the two alternate methods in this section (copying via password-based SSH or manually copying the key).
Copying the Public Key Using ssh-copy-id
The ssh-copy-id tool is included by default in many operating systems, so you may have it available on your local system. For this method to work, you must already have password-based SSH access to your server.
To use the utility, specify the remote host you would like to connect to and the user account to which you have password-based SSH access. This is the account to which your public SSH key will be copied.
The syntax is:
# ssh-copy-id username@remote_host
You may see the following message:
The authenticity of host '123.456.789.0' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? Yes
This means that your local computer does not recognize the remote host. This will happen the first time you connect to a new host. Type "yes" and press ENTER to continue.
Next, the utility will scan your local account for the id_rsa.pub key we created earlier. When it finds the key, it will prompt you for the password of the remote user's account:
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@123.456.789.0's password:
Type in the password (your typing will not be displayed, for security purposes) and press ENTER. The utility will connect to the account on the remote host using the password you provided. It will then copy the contents of your ~/.ssh/id_rsa.pub key into a file in the remote account's home ~/.ssh directory called authorized_keys.
You should see the following output:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'username@123.456.789.0'" and check to make sure that only the key(s) you wanted were added.
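The server-side result described above (the public key appended to ~/.ssh/authorized_keys) and the final check that only the wanted key was added can be reproduced locally. The following is an added example, not ssh-copy-id's own code: it installs a key idempotently with the expected permissions and counts the resulting entries. The function names and the HOME_DIR argument are assumptions, the key line is constructed, and stat from GNU coreutils is assumed when checking modes.

```sh
#!/bin/sh
# Added example: idempotent install of a public key into authorized_keys.
# install_pubkey and count_keys are hypothetical names; HOME_DIR stands in for
# the remote account's home directory so the code can be tried locally.

# install_pubkey HOME_DIR PUBKEY_FILE
install_pubkey() {
    home=$1; pub=$2
    # A public key is one line; a multi-line file is probably the private key.
    [ "$(wc -l < "$pub")" -le 1 ] || { echo "refusing: not a one-line key" >&2; return 2; }
    keyid=$(cut -d' ' -f1,2 "$pub")          # "<type> <base64 blob>", comment dropped
    case $keyid in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "refusing: not an OpenSSH public key" >&2; return 2 ;;
    esac
    # sshd (StrictModes) rejects keys when these are writable by other users.
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh" || return 1
    auth=$home/.ssh/authorized_keys
    touch "$auth" && chmod 600 "$auth" || return 1
    # -F treats the blob as a fixed string ('+' and '/' are not regex syntax).
    if grep -qF -- "$keyid" "$auth"; then
        return 0                              # already installed, add nothing
    fi
    # $(cat) strips trailing newlines, printf adds exactly one back.
    printf '%s\n' "$(cat "$pub")" >> "$auth"
}

# count_keys HOME_DIR -> number of entries (blank and comment lines ignored)
count_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys"
}

# Demo with a constructed key line in a scratch directory.
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedSampleBlob user@host' > "$demo/id_rsa.pub"
install_pubkey "$demo" "$demo/id_rsa.pub"
install_pubkey "$demo" "$demo/id_rsa.pub"     # second run must not duplicate
echo "entries: $(count_keys "$demo")"
rm -rf "$demo"
```

An entry count higher than expected after running ssh-copy-id is the signal to open authorized_keys and review each line before relying on key-based logins.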