Set Up SSH Keys on Ubuntu 20.04
Secure Shell (SSH) is a network protocol that creates a secure connection between a client and a server. Using SSH, you can safely log in to a server with private and public key-based authentication.
We cover how to set up SSH keys on Ubuntu 20.04.
Steps to Creating SSH Keys on Ubuntu 20.04
1. Create the Key Pair
To create a new SSH key on Linux, run the following command on the client machine: ssh-keygen. This will generate a key pair that consists of a public and a private key. Use the following command -
ssh-keygen
To create an SSH key on Linux, use ssh-keygen. This will generate an RSA key pair that is 3072-bit long by default.
You can also pass in the -b 4096
flag to create a larger 4096-bit
key.
You can see the following output after adding the command:
Output
Generating public/private rsa key pair.
Enter file in which to save the key (/your_home/.ssh/id_rsa):
To save the key pair into the .ssh/
subdirectory in your home directory, press enter. You can also specify an alternate path.
SSH public key authentication is a secure way to log in to a remote server using an existing key pair. If you have generated an SSH key pair before, you may see the following prompt:
Output
/home/your_home/.ssh/id_rsa already exists.
Overwrite (y/n)?
You will not be able to authenticate using the previous key if you overwrite the key on the disk. Be cautious about selecting yes, as the changes cannot be reversed.
The following prompt will be displayed:
Output
Enter passphrase (empty for no passphrase):
You can enter an optional secure passphrase, which is recommended. It prevents unauthorized users from logging in and adds another layer of security.
The output is shown below -
Your identification has been saved in /your_home/.ssh/id_rsa
Your public key has been saved in /your_home/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:/hk7MJ5n5aiqdfTVUZr+2Qt+qCiS7BIm5Iv0dxrc3ks user@host
The key's randomart image is:
+---[RSA 3072]----+
| .|
| + |
| + |
| . o . |
|o S . o |
| + o. .oo. .. .o|
|o = oooooEo+ ...o|
|.. o *o+=.*+o....|
| =+=ooB=o.... |
+----[SHA256]-----+
Public key authentication is a secure method of logging in to a remote server using an SSH key pair. You can use the public key on the server to authenticate with the private key on the client machine. Add the private key on your server for SSH-key-based authentication to log in, as shown in the next steps.
2. Copy the Public Key to the Ubuntu Server
We will copy the public key to the Ubuntu host using a utility called ssh-copy-id
.
If you do not have ssh-copy-id
on the client machine, use the alternate methods shown below-
- Copy via password-based SSH
- Manually copy the key
ssh-copy-id
Copying the Public Key Using The ssh-copy-id
tool is added in many operating systems by default. You should already have password-based SSH access to your server.
To use the utility, specify the remote host you want to connect to. Also, specify the user account that you have password-based SSH access to. It is the account on which your public SSH key will be copied.
The syntax is shown below -
ssh-copy-id username@remote_host
You will see the following output:
Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
It shows that your local computer does not recognize the remote host. As it is the first time you connect to a new host. Type in yes
and then press ENTER
to continue.
The utility will scan the local account for the id_rsa.pub
key created earlier. When it finds the key, you will get a prompt for the password of the remote user’s account:
Output
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@203.0.113.1's password:
Type in the password and press ENTER
. The utility will connect to the account on the remote host using the password. It will then copy the contents of the ~/.ssh/id_rsa.pub
key into a file. It will be located in the remote account’s home ~/.ssh
directory called authorized_keys.
The following message will be displayed:
Output
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'username@203.0.113.1'"
and check to ensure that only the key(s) you wanted were added.
Now the id_rsa.pub
key has been uploaded to the remote account. You can move on to the next steps.
Copy the Public Key Using SSH
If you have password-based SSH access to an account on your server, upload your keys with the SSH method.
Use the cat
command to read the contents of the public SSH key on our local computer. You can then pipe it through an SSH connection to the remote server.
Ensure that the ~/.ssh
directory exists on the other side and has the correct account permissions.
Output the content into a file called authorized_keys
within this directory. You can use the >> redirect symbol to append the content instead of overwriting it. It allows you to add keys without removing the previously added keys.
The full command is shown below:
cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"
You may see the following output:
Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
The local computer does not recognize the remote host. It will happen the first time you connect to a new host. Type yes
and press ENTER
to continue.
You will be prompted to enter the remote user account password:
Output
username@203.0.113.1's password:
After adding your password, the content of the id_rsa.pub
key will be copied to the end of the authorized_keys
file. You can move to the next step if you have done it correctly.
Manually Copy the Public Key
If you do not have password-based SSH access to your server, you can complete the process manually.
Append the content of your id_rsa.pub
file to the ~/.ssh/authorized_keys
file on your remote machine.
To display the content of the id_rsa.pub
key, enter the following into your local computer -
cat ~/.ssh/id_rsa.pub
The key’s content will be displayed like this -
Output
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9UVKzT8JUmwW6NNzSgxUfQHGwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70bRly57Q06J+ZJoc9FfBCbCyYH7U/ASsmY095ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ== demo@test
Ensure that the ~/.ssh
directory exists once you have access to your account on the remote server.
The following command will create the directory if required. Or it may do nothing if it already exists:
mkdir -p ~/.ssh
Create or modify the authorized_keys
file within this directory. Enter the contents of the id_rsa.pub
file at the end of the authorized_keys
file. Use the following command:
echo public_key_string >> ~/.ssh/authorized_keys
In the command shown above, add the public_key_string
with the output from the cat ~/.ssh/id_rsa.pub
command executed on your local system. It starts with ssh-rsa AAAA....
Ensure that the ~/.ssh
directory and authorized_keys
file have the right permissions:
chmod -R go= ~/.ssh
The command removes all “group” and “other” permissions for the ~/.ssh/
directory.
Using the root account to set up keys, it’s also important that the ~/.ssh
directory belongs to the user and not to root:
chown -R sammy:sammy ~/.ssh
Add the appropriate username in the above command. You can now execute passwordless authentication with the Ubuntu server.
3. Authenticating to the Ubuntu Server Using SSH Keys
To enable SSH on Ubuntu, use the following command: sudo systemctl enable ssh. This will ensure that the SSH daemon is started automatically when the system boots up.
Enter the following command -
ssh username@remote_host
You may see the following output -
Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
It shows the local computer does not recognize the remote host. Type in yes
and then press ENTER
to continue.
If you did not add a passphrase for the private key, you are logged in immediately. Otherwise, you will be prompted to enter the passphrase that you had previously created. After authenticating, a new shell session will open with the configured account on the Ubuntu server.
After the key-based authentication, you can secure the system by disabling the password authentication.
4. Disable Password Authentication
The password-based authentication is still active, and the server may be at risk of brute force attacks. Ensure that you have SSH-key-based authentication configured for a non-root account on the server with sudo privileges.
The step will lock down the password-based logins, so it is essential to have administrative access.
If you have administrative privileges, log in to the remote server with SSH keys. You can do it as root or with an account with sudo privileges.
Open the SSH daemon’s configuration file -
sudo nano /etc/ssh/sshd_config
Look for a directive called PasswordAuthentication
. It is commented with a #
at the beginning of the line. Now uncomment the line by removing the #
, and set the value to no. It will disable the ability to log in via SSH using account passwords:
/etc/ssh/sshd_config
. . .
PasswordAuthentication no
. . .
Save and close the file by pressing CTRL+X
. Press Y
to confirm saving the file, and then press ENTER
to exit nano. Restart the sshd service to activate the changes:
sudo systemctl restart ssh
Open a new terminal window and test that the SSH service is working well before closing the current session:
ssh username@remote_host
After confirming that the SSH service is working, you can close all current server sessions. The SSH daemon on the Ubuntu server now responds to SSH-key-based authentication, and the password-based logins have been disabled successfully.
Understanding SSH Keys: Setting Up, Adding, and Using Public and Private Keys
What is Secure Shell (SSH)?
Secure Shell (SSH) is a widely used network protocol for establishing secure shell access between computers.
Why is setting up an SSH key important?
Setting up an SSH key is crucial for establishing a secure connection between a client and a server.
How can I set up an SSH server on Ubuntu?
To set up an SSH server on Ubuntu, users must install the SSH server software by running the command "sudo apt install openssh-server." After installation, authorized SSH keys can be added by copying the public key file to the user's home directory ".ssh/authorized_keys" file.
How do I add an SSH key to Bitbucket on Ubuntu?
To add an SSH key to Bitbucket on Ubuntu, users must generate a public and private key pair and add the public key file to their account settings.
How can I enable SSH key login?
To enable SSH key login, users need to ensure that the "PubkeyAuthentication" option is set to "yes" in the SSH server's configuration file. This file can typically be found at "/etc/ssh/sshd_config."
How can I use SSH keys?
To use SSH keys, users must install an SSH client on their local machine with the command "sudo apt install openssh-client." Once installed, the SSH agent can be used to manage SSH keys and provide secure shell access to remote servers.
What are the default public and private key file names?
By default, the public key file is named "id_rsa.pub," and the private key file is named "id_rsa." These files are typically stored in the user's home directory ".ssh" folder.
Summary
An SSH key is a secure and efficient way to authenticate and connect to a remote server, such as during an ubuntu server ssh setup. It ensures that commands typed in the terminal are sent securely via an encrypted channel. With SSH, you can run commands on remote machines, create tunnels, forward ports, etc. It supports authentication mechanisms such as password and public-key-based.
We looked at how to add SSH keys on Ubuntu 20.04, which involves steps like allowing SSH access (ubuntu allow ssh) and configuring the settings (ubuntu config ssh). To get your SSH key in Linux, you can use the command get my ssh key linux
. If you encounter any issues related to host bits being set in Ubuntu (has host bits set ubuntu), it's essential to address them for a successful connection.
To generate an SSH key pair (how to gen ssh key), you can use tools like ssh-keygen
. This process will also show you how to make a public key for authentication purposes. Once you've created your keys, setting up ssh key authentication becomes straightforward.
If you'd like to learn more about working with SSH and other related topics such as ubuntu server management or security configurations, check out CloudPanel tutorials. These resources provide valuable information on various aspects of managing servers and ensuring optimal performance while maintaining security best practices.