SSH key creation and usage

Posted on 31 May 2025 by Janci 14 min


SSH Security: Keys vs. Passwords

Advantages of SSH Keys over Passwords

1. Stronger Security

  • SSH keys are cryptographically generated, offering significantly higher security than even strong passwords.
  • Password brute-force attacks do not apply to them, as authentication does not rely on a password.

2. No Password Transmission

  • When using a password, the credential (even if encrypted) is transmitted over the network.
  • With SSH keys, authentication is done using asymmetric cryptography without transmitting a secret.

3. Manageability and Control

  • SSH keys are easier to manage:
    • You can restrict them (e.g., to a specific command),
    • Revoke individual keys without affecting others,
    • Use certificate authorities (CAs) for centralized trust.

4. Support for Additional Security Layers

  • SSH keys can be stored on hardware tokens (e.g., YubiKey),
  • They can be protected by a passphrase, adding another layer of security.

Things to Watch Out for with SSH Keys

  • The private key must be stored securely.
  • It's recommended to use a passphrase and possibly restrict agent forwarding.
  • Regularly review and revoke old or compromised keys.

Conclusion

Yes, using SSH keys (or certificates) is more secure than using usernames and passwords.
They are the current best practice for secure SSH access and should be preferred in any infrastructure.

Setting up SSH Key Authentication (macOS to Ubuntu)

This guide walks you through creating an SSH key on macOS and configuring it to connect to your Ubuntu server.

Part 1: Creating an SSH Key on macOS

  1. Open Terminal:

    • Go to /Applications/Utilities/ and double-click Terminal.app.
  2. Generate the Key Pair:

    • Use the following command to generate your SSH key:

      ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
      
      • ssh-keygen: The command to generate SSH keys.
      • -t rsa: Specifies the key type (RSA is the standard).
      • -b 4096: Sets the key size to 4096 bits (a good balance of security and performance). 2048 is acceptable if you have concerns about performance.
      • -C "your_email@example.com": Adds a comment to the key (optional but helpful for identification). Replace "your_email@example.com" with your actual email address.
  3. File Location:

    • You're prompted where to save the key. The default is ~/.ssh/id_rsa. Accept the default location (press Enter) unless you have a specific reason not to. If you change it, remember the path.
  4. Passphrase (Optional but HIGHLY Recommended):

    • You're prompted to enter a passphrase. Enter a strong passphrase! This adds an extra layer of security.
    • If you don't want a passphrase (not recommended), just press Enter twice.
    • Important: If you forget the passphrase, you cannot recover it. You'd have to generate a new key pair.
  5. Resulting Files:

    • This process creates two files:
      • ~/.ssh/id_rsa: Your private key. KEEP THIS SECRET! Do not share this file with anyone.
      • ~/.ssh/id_rsa.pub: Your public key. This is what you're going to copy to your server.

Part 2: Configuring SSH Key Authentication on Ubuntu

  1. Copying Your Public Key to the Ubuntu Server:
  • Method 1: Using ssh-copy-id (Easiest)

    If your server is accessible using a password, the ssh-copy-id command can automate the process:

    ssh-copy-id your_username@your_server_ip_address

    You will be prompted for your server password.

  • Method 2: Manual Copying (If ssh-copy-id isn't available):

    a. Display Your Public Key:

    cat ~/.ssh/id_rsa.pub

    Select and copy the entire output (the long string that starts with ssh-rsa or ssh-ed25519).

    b. Connect to the Ubuntu Server using Password Authentication:

    ssh your_username@your_server_ip_address

    c. Create or Edit authorized_keys:

    If the .ssh directory doesn't exist on the server, create it:

    mkdir -p ~/.ssh

    If the authorized_keys file doesn't exist, create it. Otherwise, open it for editing.

    nano ~/.ssh/authorized_keys

    d. Paste Your Public Key: Paste the public key you copied from your macOS terminal into the authorized_keys file. Make sure there are no extra spaces or line breaks. Save the file (Ctrl+O in nano, then Enter) and exit (Ctrl+X).

    e. Set Permissions (Crucial!): This is the most common source of problems.

    chmod 600 ~/.ssh/authorized_keys
    chmod 700 ~/.ssh

    This sets the permissions of the .ssh directory to 700 (read, write, execute only for the owner) and the authorized_keys file to 600 (read and write only for the owner).

  2. Testing the SSH Key Connection:
  • Back on your macOS terminal, try connecting to the server again:

    ssh your_username@your_server_ip_address

  • If you set a passphrase, you will be prompted for it. If you didn't set a passphrase, you should be logged in directly.

Troubleshooting

  • Permissions: Double-check the permissions on .ssh (700) and authorized_keys (600) on the server. Incorrect permissions are the most common cause of SSH key authentication failures. Also, make sure the home directory permissions are correct.
  • Key Location: Make sure you're using the correct private key file on your macOS machine. If you didn't use the default location, you need to specify it with the -i option: ssh -i /path/to/your/private_key your_username@your_server_ip_address
  • Line Breaks in authorized_keys: The authorized_keys file must contain the entire public key on a single line. No extra spaces or line breaks.
  • Server SSH Configuration: (Less common) The Ubuntu server's SSH configuration file (/etc/ssh/sshd_config) might be configured to disallow public key authentication. You need to edit that file (as root) and ensure that PubkeyAuthentication yes is present and not commented out. After making changes, restart the SSH daemon: sudo systemctl restart sshd.
  • Firewall: Ensure that your firewall isn't blocking SSH traffic (port 22 by default).
  • Key Format: While RSA is standard, occasionally there might be issues with other key types. Stick with RSA unless you have a specific reason not to.
  • Home Directory Permissions: The home directory of the user on the server must not be writable by group or others. This is important for security and SSH to function correctly. A common fix is chmod go-w /home/your_username.
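The permission and configuration checks in this troubleshooting list can be scripted so they are run once instead of eyeballed. The following is an added example, not code from the original post: it verifies the home-directory, .ssh and authorized_keys modes, flags authorized_keys lines that are not one complete key (the line-break problem above), and reports the effective PubkeyAuthentication value of an sshd_config using sshd's first-value-wins rule. It assumes GNU stat (Linux) or BSD stat (macOS) and treats any base64 blob shorter than 60 characters as a fragment (the shortest real key, ed25519, is 68); the paths are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight checks for the
# server-side setup described in this guide. Run as the login user on the
# Ubuntu server:  check_ssh_setup            (or: check_ssh_setup /home/alice)
#                 pubkey_auth_setting /etc/ssh/sshd_config
# Assumes GNU stat (Linux) or BSD stat (macOS); the paths are placeholders.

mode_of() {
  # Octal permission bits of a path, e.g. 700; GNU stat first, BSD stat as fallback
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True when one octal digit has its write bit (2) set.
digit_writable() {
  case "$1" in 2|3|6|7) return 0 ;; *) return 1 ;; esac
}

# True when the path is writable by group or others (the home-directory rule).
group_or_world_writable() {
  m=$(mode_of "$1")
  n=${#m}
  digit_writable "$(printf '%s' "$m" | cut -c "$((n - 1))")" ||
    digit_writable "$(printf '%s' "$m" | cut -c "$n")"
}

# True when LINE is one complete authorized_keys entry: an optional options
# field (e.g. restrict,command="..."), a key type, a base64 blob and an
# optional comment. The blob must be at least 60 characters (a real ed25519
# blob is 68), which is what catches the first half of a line-wrapped key.
valid_key_line() {
  printf '%s\n' "$1" | grep -Eq \
    '^(.* )?(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]{60,}=*( [^ ].*)?$'
}

# Prints one problem per line; the return value is the number of problems.
check_ssh_setup() {
  home=${1:-$HOME}
  sshdir=$home/.ssh
  akfile=$sshdir/authorized_keys
  problems=0

  if group_or_world_writable "$home"; then
    echo "home $home is group/world writable (fix: chmod go-w $home)"
    problems=$((problems + 1))
  fi
  if [ ! -d "$sshdir" ]; then
    echo "$sshdir is missing (fix: mkdir -p $sshdir && chmod 700 $sshdir)"
    return $((problems + 1))
  fi
  if [ "$(mode_of "$sshdir")" != 700 ]; then
    echo "$sshdir has mode $(mode_of "$sshdir"), expected 700"
    problems=$((problems + 1))
  fi
  if [ ! -f "$akfile" ]; then
    echo "$akfile is missing"
    return $((problems + 1))
  fi
  if [ "$(mode_of "$akfile")" != 600 ]; then
    echo "$akfile has mode $(mode_of "$akfile"), expected 600"
    problems=$((problems + 1))
  fi
  lineno=0
  while IFS= read -r line || [ -n "$line" ]; do
    lineno=$((lineno + 1))
    case "$line" in ''|'#'*) continue ;; esac
    if ! valid_key_line "$line"; then
      echo "$akfile line $lineno is not one complete key (wrapped or truncated?)"
      problems=$((problems + 1))
    fi
  done < "$akfile"
  return "$problems"
}

# Prints the effective PubkeyAuthentication value of an sshd_config. sshd
# uses the first value it reads for a keyword, commented lines do not count
# and the built-in default is yes. Lines inside Match blocks are skipped
# (they apply conditionally) and Include directives are not followed; both
# are simplifications of this example.
pubkey_auth_setting() {
  awk '
    tolower($1) == "match" { exit }
    tolower($1) == "pubkeyauthentication" { print tolower($2); found = 1; exit }
    END { if (!found) print "yes" }
  ' "$1"
}
```

A non-zero return from check_ssh_setup is the number of findings, so it can be used directly in a shell conditional; the messages carry the chmod fix from the list above.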

Setting up SSH Key Authentication (Linux to Ubuntu)

This guide walks you through creating an SSH key on a Linux system and configuring it to connect to your Ubuntu server.

Part 1: Creating an SSH Key on Linux

  1. Open Terminal:

    • Use your distribution's terminal emulator (e.g., GNOME Terminal, Konsole, Xfce Terminal).
  2. Generate the Key Pair:

    • Use the following command to generate your SSH key:

      ssh-keygen -t rsa -b 4096 -C "your_email@example.com"
      
      • ssh-keygen: The command to generate SSH keys.
      • -t rsa: Specifies the key type (RSA is the standard).
      • -b 4096: Sets the key size to 4096 bits (a good balance of security and performance). 2048 is acceptable if you have concerns about performance.
      • -C "your_email@example.com": Adds a comment to the key (optional but helpful for identification). Replace "your_email@example.com" with your actual email address.
  3. File Location:

    • You're prompted where to save the key. The default is ~/.ssh/id_rsa. Accept the default location (press Enter) unless you have a specific reason not to. If you change it, remember the path.
  4. Passphrase (Optional but HIGHLY Recommended):

    • You're prompted to enter a passphrase. Enter a strong passphrase! This adds an extra layer of security.
    • If you don't want a passphrase (not recommended), just press Enter twice.
    • Important: If you forget the passphrase, you cannot recover it. You'd have to generate a new key pair.
  5. Resulting Files:

    • This process creates two files:
      • ~/.ssh/id_rsa: Your private key. KEEP THIS SECRET! Do not share this file with anyone.
      • ~/.ssh/id_rsa.pub: Your public key. This is what you're going to copy to your server.

Part 2: Configuring SSH Key Authentication on Ubuntu

  1. Copying Your Public Key to the Ubuntu Server:
  • Method 1: Using ssh-copy-id (Simplest if Available)

    • Many Linux distributions have the ssh-copy-id utility. If you have it, this is the easiest way to copy your public key.
    • Run the following command:

      ssh-copy-id your_username@your_server_ip_address

      • You will be prompted for the user's password on the server. After authentication, the public key will be copied to the server's ~/.ssh/authorized_keys file.
  • Method 2: Manual Copying (If ssh-copy-id is Not Available)

    1. Display the Public Key:

      cat ~/.ssh/id_rsa.pub

      • Copy the entire output of this command (starting with "ssh-rsa" and ending with your email address).
    2. SSH into the Ubuntu Server:

      ssh your_username@your_server_ip_address

      • Enter the user's password when prompted.
    3. Create the .ssh Directory (if it doesn't exist):

      mkdir -p ~/.ssh

    4. Create or Append to the authorized_keys File:

      echo "PASTE_YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys

      • Important: Replace PASTE_YOUR_PUBLIC_KEY_HERE with the public key you copied in step 1. Make sure it's on a single line in the file.
    5. Set Correct Permissions (Very Important):

      chmod 700 ~/.ssh
      chmod 600 ~/.ssh/authorized_keys

    6. Exit the Server:

      exit

  2. Testing the SSH Key Authentication:
  • Run the following command:

    ssh your_username@your_server_ip_address

  • If you set a passphrase, you will be prompted for it. If you didn't set a passphrase, you should be logged in directly.

Troubleshooting

  • Permissions: Double-check the permissions on .ssh (700) and authorized_keys (600) on the server. Incorrect permissions are the most common cause of SSH key authentication failures. Also, make sure the home directory permissions are correct.
  • Key Location: Make sure you're using the correct private key file on your Linux machine. If you didn't use the default location, you need to specify it with the -i option: ssh -i /path/to/your/private_key your_username@your_server_ip_address
  • Line Breaks in authorized_keys: The authorized_keys file must contain the entire public key on a single line. No extra spaces or line breaks.
  • Server SSH Configuration: (Less common) The Ubuntu server's SSH configuration file (/etc/ssh/sshd_config) might be configured to disallow public key authentication. You need to edit that file (as root) and ensure that PubkeyAuthentication yes is present and not commented out. After making changes, restart the SSH daemon: sudo systemctl restart sshd.
  • Firewall: Ensure that your firewall isn't blocking SSH traffic (port 22 by default).
  • Key Format: While RSA is standard, occasionally there might be issues with other key types. Stick with RSA unless you have a specific reason not to.
  • Home Directory Permissions: The home directory of the user on the server must not be writable by group or others. This is important for security and SSH to function correctly. A common fix is chmod go-w /home/your_username.

Important Security Notes:

  • Keep Your Private Key Secure: Never share your private key with anyone. If it's compromised, revoke it and generate a new key pair.
  • Use a Strong Passphrase (Recommended): A passphrase adds an extra layer of protection, even if your private key is stolen.
  • Regularly Review authorized_keys: Remove any keys that are no longer needed.
  • Consider Using SSH Agent: If you use a passphrase, using an SSH agent can save you from typing it repeatedly.
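The "Manageability and Control" points earlier on this page (restricting a key to a specific command, revoking one key without affecting others) and the "Regularly Review authorized_keys" note above are routine authorized_keys housekeeping. The following is an added example, not code from the original post: shell helpers that add a key idempotently with the modes this guide requires, build a command-restricted entry using OpenSSH's own authorized_keys options (restrict, command=, from=, documented in sshd(8)), and revoke a single key by its public-key blob. The helper names, default file path and the sample command and addresses are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for the authorized_keys
# housekeeping mentioned in the text: adding a key so that re-running is
# harmless, restricting a key to one command with OpenSSH's authorized_keys
# options (restrict, command=, from=), and revoking a single key by its
# public-key blob. FILE defaults to ~/.ssh/authorized_keys; all paths,
# commands and keys used here are placeholders.

# Prints the base64 blob of a public-key line, skipping any leading options
# (which may contain spaces inside quotes, so fields are scanned for the
# key-type token rather than assuming a fixed position).
key_blob() {
  printf '%s\n' "$1" | awk '{
    for (i = 1; i <= NF; i++)
      if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { print $(i + 1); exit }
  }'
}

# True when FILE already holds an entry with exactly this blob.
has_blob() {
  awk -v blob="$2" '
    { for (i = 1; i <= NF; i++) if ($i == blob) { found = 1; exit } }
    END { exit !found }' "$1"
}

# Builds an entry that lets KEY_LINE (a plain "type blob comment" line) run
# only CMD: "restrict" disables port/agent/X11 forwarding and PTY
# allocation, command= forces CMD whatever the client requests, and the
# optional FROM pattern limits the source addresses, e.g. "10.0.0.0/8".
restricted_entry() {
  key=$1; cmd=$2; from=$3
  opts="restrict,command=\"$cmd\""
  [ -n "$from" ] && opts="$opts,from=\"$from\""
  printf '%s %s\n' "$opts" "$key"
}

# Appends ENTRY to FILE unless the same key is already there, creating the
# directory and file with the modes this guide requires (700 / 600).
# Prints "added" or "already present".
add_authorized_key() {
  entry=$1; file=${2:-$HOME/.ssh/authorized_keys}
  blob=$(key_blob "$entry")
  if [ -z "$blob" ]; then
    echo "not a public-key line: $entry" >&2
    return 1
  fi
  dir=$(dirname "$file")
  mkdir -p "$dir" && chmod 700 "$dir"
  [ -f "$file" ] || : > "$file"
  chmod 600 "$file"
  if has_blob "$file" "$blob"; then
    echo "already present"
  else
    printf '%s\n' "$entry" >> "$file"
    echo "added"
  fi
}

# Removes every entry in FILE whose blob matches KEY (a public-key line or a
# bare blob) and leaves all other keys untouched. Prints how many were removed.
revoke_key() {
  blob=$(key_blob "$1"); [ -n "$blob" ] || blob=$1
  file=${2:-$HOME/.ssh/authorized_keys}
  before=$(wc -l < "$file")
  tmp=$file.tmp.$$
  awk -v blob="$blob" '
    { for (i = 1; i <= NF; i++) if ($i == blob) next }
    { print }' "$file" > "$tmp" && chmod 600 "$tmp" && mv "$tmp" "$file"
  after=$(wc -l < "$file")
  echo $((before - after))
}
```

Matching on the blob rather than the comment is deliberate: comments are free text and two keys can share one, whereas the blob identifies exactly one public key. The revoke step rewrites the file through a temporary copy with mode 600 so a partially written authorized_keys is never left in place.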

Key Differences and Considerations for Linux:

  • ssh-copy-id Availability: This utility isn't universally available on all Linux distributions. The manual copying method is a reliable alternative.
  • Terminal Emulators: Linux often uses more powerful terminal emulators, which can sometimes affect how key bindings and environment variables work.
  • Distribution-Specifics: Some Linux distributions might have slightly different procedures for managing SSH keys. Refer to your distribution's documentation if you encounter issues.
  • Agent Forwarding: If you need to connect to other servers from the server you're SSHing into, consider enabling agent forwarding (carefully!). However, be mindful of the security implications.

Setting up SSH Key Authentication (Windows to Ubuntu)

This guide walks you through creating an SSH key on Windows and configuring it to connect to your Ubuntu server.

Part 1: Creating an SSH Key on Windows (Using OpenSSH)

  1. Open a Terminal:

    • The easiest way is to search for "Windows Terminal" in the Start Menu and open it. You can also use Command Prompt or PowerShell, but Windows Terminal provides a better environment.
  2. Generate the Key Pair:

  • Use the following command to generate your SSH key. Note that this uses PowerShell or a terminal that understands PowerShell commands:

    ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

    • ssh-keygen: The command to generate SSH keys.
    • -t rsa: Specifies the key type (RSA is the standard).
    • -b 4096: Sets the key size to 4096 bits (a good balance of security and performance).
    • -C "your_email@example.com": Adds a comment to the key (optional but helpful for identification). Replace "your_email@example.com" with your actual email address.
  3. File Location:

    • You're prompted where to save the key. The default location is C:\Users\your_username\.ssh\id_rsa. Accept the default location (press Enter) unless you have a specific reason not to. If you change it, remember the path. Windows uses backslashes (\) in paths, but SSH expects forward slashes (/), so be mindful when referencing the path in later steps.
  4. Passphrase (Optional but HIGHLY Recommended):

    • You're prompted to enter a passphrase. Enter a strong passphrase! This adds an extra layer of security.
    • If you don't want a passphrase (not recommended), just press Enter twice.
    • Important: If you forget the passphrase, you cannot recover it. You'd have to generate a new key pair.
  5. Resulting Files:

    • This process creates two files in C:\Users\your_username\.ssh:
      • id_rsa: This is your private key. KEEP THIS SAFE! NEVER SHARE IT!
      • id_rsa.pub: This is your public key. You're going to copy this to the Ubuntu server.

Part 2: Copying Your Public Key to the Ubuntu Server

There are a few ways to do this. The easiest, if you already have password-based SSH access, is using ssh-copy-id.

  1. Using ssh-copy-id (Easiest Method - requires password login already):

    • Open a Windows terminal.
    • Run the following command, replacing your_username and your_server_ip_address with your actual username and the server's IP address or hostname:

      ssh-copy-id your_username@your_server_ip_address
      
    • You will be prompted for your Ubuntu server password. Enter it. This command copies your public key to the server's ~/.ssh/authorized_keys file.
  2. Manual Method (If ssh-copy-id is not available or doesn't work):

  • Open your public key file (id_rsa.pub) in a text editor (Notepad, VS Code, etc.). Copy the entire contents of the file.
  • SSH into your Ubuntu server using your password: ssh your_username@your_server_ip_address
  • Once logged into the server, use a text editor like nano or vim (if you're familiar) or use echo and redirection to append the public key to the ~/.ssh/authorized_keys file. For example:

    echo "PASTE_YOUR_PUBLIC_KEY_HERE" >> ~/.ssh/authorized_keys

    Replace PASTE_YOUR_PUBLIC_KEY_HERE with the entire contents of your id_rsa.pub file.
  • Ensure that the ~/.ssh directory and ~/.ssh/authorized_keys file have the correct permissions:

    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/authorized_keys

Part 3: Connecting to the Ubuntu Server Using Your SSH Key

  1. Simply SSH:

    • Open a Windows terminal.
    • Run the following command, replacing your_username and your_server_ip_address with your actual information:

      ssh your_username@your_server_ip_address
      
  • If you set a passphrase, you're prompted for it. If not, you should be logged in directly.

Troubleshooting

  • Permissions: Ensure that the .ssh directory and authorized_keys file have the correct permissions (700 and 600, respectively) on the server. Also, verify your home directory permissions (shouldn't be group or world writable).
  • Public Key Contents: Double-check that you copied the entire contents of the id_rsa.pub file into the authorized_keys file on the server. No extra spaces or line breaks.
  • Private Key Location: If you didn’t use the default location for your private key, you need to tell SSH where to find it using the -i option: ssh -i C:\Users\your_username\.ssh\your_private_key your_username@your_server_ip_address (Remember to replace your_private_key with the actual name of your private key file). Also, ensure the path uses forward slashes in the command line, even if backslashes were used in the file system.
  • Server SSH Configuration: (Less common) The Ubuntu server's SSH configuration file (/etc/ssh/sshd_config) might be configured to disallow public key authentication. You need to edit that file (as root) and ensure that PubkeyAuthentication yes is present and not commented out. After making changes, restart the SSH daemon: sudo systemctl restart sshd.
  • Firewall: Ensure that your firewall isn't blocking SSH traffic (port 22 by default).
  • Agent Forwarding (Optional): If you need to SSH from the Ubuntu server to another server using your Windows key, consider setting up SSH agent forwarding. This is more advanced and involves the -A flag in your SSH command: ssh -A your_username@your_server_ip_address
  • Windows Terminal Issue: Sometimes, the Windows Terminal may not handle the SSH agent correctly. Restarting the terminal can sometimes resolve this issue.

Important Security Note: Never share your private key (id_rsa). Keep it secure and protect it with a strong passphrase.