How to use SSH keys for authentication

  • Author

    Janne Ruostemaa

    Editor-in-Chief

  • About

    Type
    Tutorial
    Category
    Security

Posted on 17 September 2015

Set up your first SSH keys

Use SSH keys for authentication when connecting to or even between your servers. They can greatly simplify and increase the security of your login process. When keys are implemented correctly, they provide a secure, fast, and easy way of accessing your cloud server.

Follow our guide and learn how to set up your first SSH keys for authentication using OpenSSH or PuTTY SSH client.

Preparing your server

To add an SSH key pair, use the following command to create a hidden folder in your user account’s home directory on your Cloud Server.

mkdir -p ~/.ssh

Then, restrict the permissions to that directory to just yourself using the command below.

chmod 700 ~/.ssh

This creates a secure location where you can save your SSH keys for authentication. However, since the keys are stored in your user home directory, every user who wishes to connect using SSH keys for authentication must repeat these steps on their own profile.

Try UpCloud for free!

Using OpenSSH to generate a key pair

If you are using Linux or any other OS with OpenSSH, continue on your computer. PuTTY users should skip to the next section.

1. Generate a new key pair in a terminal with the next command

ssh-keygen -t rsa

The key generator will ask for the location and file name to which the key is saved. Enter a new name or use the default by pressing enter.

2. (Optional) Create a passphrase for the key when prompted

This simple password will protect your private key should someone be able to get their hands on it. Enter the password you wish, or continue without a password. Press enter twice. Note that some automation tools might not be able to unlock passphrase-protected private keys.

3. Copy the public half of the key pair to your cloud server using the following command

Replace the user and server with your username and the server address on which you wish to use the key authentication.

ssh-copy-id -i ~/.ssh/id_rsa.pub user@server

This also assumes you saved the key pair using the default file name and location. If not, replace the key path ~/.ssh/id_rsa.pub above with your own key name.

Enter your user account password for that SSH server when prompted.

You can now authenticate to your server with the key pair, but you must enter the passphrase every time you connect.

4. (Optional) Set up SSH Agent to store the keys to avoid having to re-enter the passphrase at every login

Enter the following commands to start the agent and add the private SSH key.

ssh-agent $BASH
ssh-add ~/.ssh/id_rsa

When asked, type in your key’s current passphrase. If you saved the private key somewhere other than the default location and name, you must specify it when adding it.

Afterwards, you can connect to your cloud server using the keys for authentication and only have to unlock the key by repeating the last 2 steps once after every computer restart.

Using PuTTY to generate a key pair

If you are running Windows using the PuTTY SSH client, you can use PuTTY’s built-in key generator to create a new key pair.

1. Click the Keygen button at the bottom of the PuTTY Configuration window to get started.

PuTTYtray key generator

Then, in the Key Generator window, check that the Type of key to generate at the bottom is set to SSH-2 RSA. The older SSH-1 was the standard’s first version but is now considered obsolete. Most modern servers and clients support SSH-2.

2. Click the Generate button to begin.

PuTTYtray generate SSH key

3. Keep moving your mouse over the blank area in any manner to help generate randomness for a few moments until the progress is complete.

PuTTYtray generating new SSH key

When the keys are finished, PuTTY will show relative information about the pair and the public key for easier copying.

4. (Optional) Enter a key passphrase in the 2 empty fields for the added security before continuing. The passphrase will protect your key from unauthorized use should someone be able to copy it. However, some automation tools might not be able to unlock passphrase-protected private keys.

5. Click the Save private key button and store it somewhere safe. Generally, anywhere in your user directory is fine if your PC is password-protected. Before closing the keygen, you may want to copy the public key to your clipboard, but you can always get it later as well.

PuTTYtray save private SSH key

Now that you have a new key saved on your computer, you must import it into the PuTTY key agent.

6. Click the Agent button to open the key manager in the PuTTY Configuration window.

PuTTYtray SSH key agent

7. Click the Add Key button in the Key List, then browse to the location where you saved the private key, select it and click Open.

Enter your key passphrase if asked.

PuTTYtray adding SSH keys

This will import the key to your PuTTY client, but you must still copy the public key to your server.

8. Open an SSH connection to your cloud server and go to the SSH key directory.

cd ~/.ssh/

9. Open or create the default file OpenSSH looks for public keys called authorized_keys.

sudo nano authorized_keys

10. Paste the public key into the file by right-clicking the SSH client window. Make sure the key goes on a single line so that OpenSSH can read it. Note that the key type needs to also be included, ssh-rsa, as shown in the example below.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDEeV/UKOVqNUwmED8PO1E6wY3ITEbWx30rAgGudzTGnYI8fB176nlmIS+O01vaI4fMYwO9Chg3mzVT2+4AkTBm1sXnDdzhNNnkclipMXdmAHnRtzU9kREFZU0/yyOhorzqxWBi0LQxpjTAZawi+8ysH7PGnNlX3FUObZcmHis0oD/C7ll6DwX4WVSjh2JGcaIhbhB+sovxW5duTDqyuyKpRsbyBD0+wNjSuJFjh5MnXJqcqrEUaPRoe2wQ9k7q0K2KOXAmYYPUWrLY6N+jjYdnkyP9XWWkz6c7Qvx7m/dBfgpyJbPryWbSZ8PsvSgtDTIND/jNfwmgQjOCGgsZlmCsvRIixzh2uNmFCg75wyD6f/wdZ5gq1HPFdyLblHs46P9ClfMbWJt9APx7c1SRE+qMbdLf/5/vNGiGHr6bBXKRX70+XODl04shFQpjm1kKkG9qHkp3bOSot4Da987dRHMhAbd0d3QdS8wCg7s6NPk4qDVnR6BCxiM2vbOD1B4gWQ8= user@server

When you’ve copied the public key over to the authorized keys list, save the file and exit the editor. You can now test the public key authentication by logging in to your server again. You should not get asked for your password; instead, log in with the key. If it’s not working, check that your private key is unlocked at your SSH Agent and try again.

Turn off password authentication

With SSH key authentication configured and tested, you can disable password authentication for SSH altogether to prevent brute-forcing. When logged in to your cloud server.

1. Open the SSH configuration file with the following command.

sudo nano /etc/ssh/sshd_config

2. Set the password authentication to no to disable clear text passwords.

PasswordAuthentication no

3. Check that public key authentication is enabled to be safe and not get locked out from your server. If you cannot log in with SSH, you can always use the web terminal in your UpCloud Control Panel.

PubkeyAuthentication yes

Then save and exit the editor.

4. Restart the SSH service to apply the changes using the below command.

sudo systemctl restart sshd

With that done, your cloud server is now another step towards security. Malicious attempts to connect to your server will result in authentication rejection, as plain passwords are not allowed, and brute-forcing an RSA key is practically impossible.

Conclusions

Remember to always keep your private keys safe. You can use the same key from multiple computers if you wish or generate new ones on each client connecting to your cloud server for added security. Users should generate their key pair and passphrase for secure access control. With proper management, even if one of the private keys gets compromised, you won’t have to replace them all.

Discussion

Leave a Reply

Your email address will not be published. Required fields are marked *

Try out today!

Start your free 14-day trial today and discover why thousands of businesses trust UpCloud

  • Risk-free trial
  • Optimized performance
  • Scalable infrastructure
  • Top-tier security
  • Global availability

Sign up

Back to top