Quick Introduction About SSH (Secure Shell)
SSH (Secure Shell) is a network protocol that creates encrypted connections between computers. It replaces insecure protocols like Telnet and FTP, which transmit data, including passwords, in plain text.
The encryption used in SSH connections is based on public-key cryptography. This involves a pair of keys – one public and one private. Data encrypted with the public key can only be decrypted by the private key. This enables secure communication without the need to transmit the private key, which is kept secret.
Understanding how to generate, manage, and use SSH keys is an important skill for working with remote servers, cloud computing, and automation. This guide will provide a comprehensive overview of SSH keys to help you use them effectively.
Key Takeaways
- SSH keys use public-key cryptography to secure remote connections between a client and a server.
- They provide a more secure alternative to password-based authentication, which can be vulnerable to brute-force attacks.
- SSH keys come in pairs: a private key that is kept secret and a public key that is shared.
- To use SSH keys, the public key is copied to the remote server and added to .ssh/authorized_keys.
- SSH keys can be generated using the ssh-keygen command on Linux, Mac, and Windows.
- SSH keys do not need to be generated for each server – the same key pair can authenticate against multiple servers.
- SSH keys can be protected with passphrases for added security against brute force attempts.
How Do SSH Keys Work?
SSH keys use asymmetric encryption to secure connections between two computers across an insecure network like the Internet.
They work by creating a matched pair of long random strings used for encryption. One key is private (secret), and one is public (shared). Anything encrypted by the public key can only be decrypted by the private key.
Here is an overview of how SSH keys are used to support authentication:
- The user generates an SSH key pair on their local computer – the client.
- The public key is then copied and installed on the remote server that the user wants to access.
- When the user tries to connect to the remote server, the private key on their client encrypts a challenge message and sends it to the server.
- The server decrypts this message using the public key it has for that user. If decryption succeeds, it proves the client holds the corresponding private key.
- An encrypted tunnel is then established between the two computers, enabling secure communication.
So, the private key remains safe on the client while the public key enables authentication on the remote server. The private key is never transmitted or exposed to potential attackers.
Public key cryptography solves the problem of trusting keys in an untrusted environment like the Internet. It allows computers to communicate securely without needing to secretly transmit private keys.
Why Use SSH Keys Instead of Passwords?
Using SSH keys for authentication provides important security benefits compared to traditional password-based logins:
- Passwords can be guessed or brute-forced: Attackers can break weak passwords through repeated guessing. SSH keys use much longer cryptographic keys that are virtually impossible to guess.
- Passwords are transmitted over the network: Usernames and passwords must be submitted each time you connect to a server. With SSH keys, only public keys are transmitted, which does not compromise security.
- Keys identify the client’s computer: Unlike shared passwords, keys are tied to a specific client computer, providing better traceability.
- Keys support advanced user access controls: SSH keys can be restricted to only allow selected commands, enhancing security configurations.
- Keys cannot be reused across servers: Compromised passwords affect all servers they are used on, while keys are unique per server.
Using SSH keys eliminates these weaknesses, making remote server access much more secure. They prevent unauthorized users from logging in even if they know or can guess account passwords.
For these reasons, SSH keys are recommended over passwords for remote server authentication in any security-conscious environment.
How to Generate SSH Keys
SSH keys are generated in asymmetric pairs – one public and one private key. They can be generated on Linux, Mac, or Windows systems using the ssh-keygen command.
Here are the basic steps to generate SSH keys on each operating system:
On Linux/Mac:
- Open a terminal window.
- Enter the command ssh-keygen -t rsa -b 4096. This will generate a 4096-bit RSA key pair.
- You will be prompted to provide a file location to save the key. Press enter to accept the default location of /home/username/.ssh/id_rsa.
- Optionally, you can add a passphrase for extra security to prevent unauthorized use of the keys.
- Once complete, your public and private keys will be saved in the .ssh folder in your user directory.
On Windows:
- Open PowerShell.
- Enter the command ssh-keygen -t rsa -b 4096. This will generate a 4096-bit RSA key pair.
- You will be prompted to enter a file location to save the key, such as C:\Users\username\.ssh\id_rsa.
- Add an optional passphrase for added security.
- The keys will be saved in the path entered. If the .ssh folder does not exist, it will be created.
The -t rsa flag specifies that we want to generate RSA SSH keys, the most common key type. -b 4096 sets the key length to 4096 bits for added security.
This will generate a public key ending in .pub and a matching private key (without the .pub). The private key must be kept secure and not shared.
How to Copy the Public Key to a Remote Server
Your public key needs to be copied to and authorized on a remote server to enable SSH key authentication.
The public key must be added to a specific file on the remote server: ~/.ssh/authorized_keys. This lists all public keys allowed to authenticate against that server account.
Here are the basic steps to copy your public key to a remote server:
- Copy the contents of your id_rsa.pub public key file on your local computer.
- Log into the remote server account using password authentication.
- Create the .ssh directory in your home folder if it does not already exist:
mkdir ~/.ssh
- Create or open the authorized_keys file under .ssh and paste your public key.
vi ~/.ssh/authorized_keys
- Save the authorized_keys file and exit the editor.
- Set permissions on authorized_keys with:
chmod 600 ~/.ssh/authorized_keys
You can now log into the remote server using SSH key authentication instead of a password. The private key on your local computer will be used to authenticate against the authorized public key on the server.
This process can be repeated to enable SSH key access across multiple servers using the same key pair.
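The manual steps above, written as one repeatable function. This is an added example, not part of the original guide. It also covers the earlier point that a key can be restricted to selected commands, by accepting an optional authorized_keys option prefix; the forced command /usr/bin/uptime in the usage comment is an assumed value.

```shell
#!/bin/sh
# Added example. Usage: install_pubkey HOME_DIR "PUBKEY_LINE" [OPTIONS]
# OPTIONS is an optional authorized_keys option prefix (assumed value shown):
#   install_pubkey "$HOME" "$(cat id_rsa.pub)" 'restrict,command="/usr/bin/uptime"'
install_pubkey() (
    home=$1; key=$2; opts=${3:-}
    nl='
'
    # Reject multi-line input so one call can never add more than one entry.
    case $key in *"$nl"*) echo "key must be a single line" >&2; exit 2 ;; esac

    # A public key line is "<type> <base64 blob> [comment]".
    ktype=${key%% *}
    rest=${key#* }
    blob=${rest%% *}
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported key type: $ktype" >&2; exit 2 ;;
    esac
    case $blob in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key blob" >&2; exit 2 ;;
    esac

    dir=$home/.ssh
    file=$dir/authorized_keys
    umask 077                      # new files are private from creation
    mkdir -p "$dir" || exit 1
    chmod 700 "$dir" || exit 1
    touch "$file" || exit 1
    chmod 600 "$file" || exit 1

    # Already authorized? Match on type and blob; the comment may differ.
    if grep -qF -- "$ktype $blob" "$file"; then
        exit 0
    fi
    printf '%s\n' "${opts:+$opts }$key" >> "$file"
)
```

Because the duplicate check matches on key type and blob only, re-running it for a key that is already listed will not add or change options on the existing entry.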
Using SSH Agent to Manage Private Keys
The ssh-agent program helps manage your SSH keys by keeping the private key loaded in memory while your session is active. This avoids re-entering your SSH key passphrase multiple times.
Here is how to use ssh-agent:
- Start the ssh-agent in the background:
eval `ssh-agent -s`
- Add your private key to ssh-agent:
ssh-add ~/.ssh/id_rsa
- Enter your passphrase when prompted to load the key into memory.
- The agent will now transparently use the key for any SSH connections.
- Kill the agent when you are done:
ssh-agent -k
This saves you from continually re-entering your SSH key passphrase while allowing secure key-based authentication. The key is removed from memory when the agent exits.
SSH Config File for Simplified Access
The SSH client configuration file (~/.ssh/config) can be used to simplify SSH connections by setting up aliases and connection preferences.
For example, you can create aliases for hosts:
Host server1
    HostName 203.0.113.10
    User admin
Host server2
    HostName 198.51.100.20
    User webadmin
This allows you to use ssh server1 instead of remembering IP addresses and usernames.
You can also set default configuration preferences for all hosts:
Host *
AddKeysToAgent yes
UseKeychain yes
IdentityFile ~/.ssh/id_rsa
This automatically loads your key into the agent and sets your default identity key.
Other useful settings include:
- Port to set a non-standard port for SSH servers
- ProxyCommand to route connections through a proxy
- Compression to enable compression on slow connections
- ServerAliveInterval to prevent idle timeouts on long-running sessions
The config file keeps your preferences and customizations in one place for convenience across all your SSH connections.
SSH Keys Best Practices
Here are some best practices for using SSH keys securely:
- Strong passphrases: Use a long, complex passphrase to encrypt your keys. This prevents brute force attempts.
- Limit key access: Private keys should have file permissions of 600 and be accessible only by the key owner.
- Use key pairs per device: Unique key pairs for each computer and device provide better isolation and traceability.
- Regularly update keys: Regenerate keys periodically or if you suspect a breach to prevent unauthorized access.
- Revoke compromised keys: Remove lost or compromised keys from servers immediately and generate replacements.
- Use SSH config: Leverage the SSH config file to simplify and streamline key usage across connections.
- Combine with other controls: Use keys as part of a defense-in-depth strategy, including firewalls, 2FA, and access controls.
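A check for the "limit key access" item above, as an added example that is not part of the original guide: it walks an SSH directory and reports private keys and authorized_keys files that are not owner-only. Private keys are detected by their PEM header line; the 700 expectation for the directory itself is an assumption of this example.

```shell
#!/bin/sh
# Added example. Usage: audit_ssh_dir DIR
# Prints one finding per line; returns 1 if anything was found, else 0.

# perms PATH -> the nine permission characters from ls, e.g. rw-------
perms() { ls -ld -- "$1" | cut -c2-10; }

audit_ssh_dir() {
    dir=$1
    bad=0
    # Assumption: the directory itself should be 700 (owner only).
    case $(perms "$dir") in
        rwx------) ;;
        *) echo "DIR $dir should be 700"; bad=1 ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        first=
        IFS= read -r first < "$f" || :
        # Private keys are recognised by their PEM header, not by file name.
        case $first in
            '-----BEGIN '*'PRIVATE KEY-----') kind=KEY ;;
            *)
                [ "${f##*/}" = authorized_keys ] || continue
                kind=AUTH ;;
        esac
        case $(perms "$f") in
            r--------|rw-------) ;;
            *) echo "$kind $f should be 600"; bad=1 ;;
        esac
    done
    return "$bad"
}
```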
Final Words
SSH keys provide a robust security mechanism for authenticating between computers over insecure networks. Understanding how to manage and utilize SSH keys properly is an invaluable skill for anyone working with servers, cloud infrastructure, or automation.
The public/private asymmetric encryption used in SSH keys eliminates many of the weaknesses found in password-based authentication. Generating key pairs is straightforward with the ssh-keygen tool, and distributing public keys to servers is a simple process.
Following best practices for using SSH keys, such as strong passphrases, revoking compromised keys, and leveraging ssh-agent will help you fully realize their security benefits. Along with other controls, SSH keys should form a core part of your remote access and authentication strategy.
Frequently Asked Questions (FAQs)
Here are answers to some frequently asked questions about how to use SSH keys:
How do I generate an SSH key pair?
Use the ssh-keygen command to generate a public and private SSH key pair. Run it without any arguments to accept default values or pass the -t and -b flags to set the algorithm (RSA) and key length.
Where are SSH keys stored on Linux and Windows?
On Linux, keys are stored in /home/username/.ssh. On Windows, they are stored in %HOMEPATH%\.ssh\ (usually C:\Users\username\.ssh). The public keys end in .pub.
How do I copy my public key to a Linux server?
Append your public key contents to the ~/.ssh/authorized_keys file on the remote server. Then, set permissions to 600. The key will now allow you to authenticate.
Can I use one SSH key pair for multiple servers?
Yes, you can use a single SSH key pair to authenticate against multiple remote servers by copying the public key to each one in authorized_keys.
How do I generate a key for a specific algorithm like RSA or ED25519?
Pass the -t flag to ssh-keygen with RSA, DSA, ECDSA, ED25519, or other supported algorithms. The default is RSA.
Should I add a passphrase to my SSH private key?
Adding a passphrase adds an extra layer of security. An attacker would need both the key file and passphrase to gain access, but it can also reduce convenience. Enable passphrases based on your security requirements.
What’s the benefit of ssh-agent for managing SSH keys?
ssh-agent keeps your decrypted private keys loaded in memory, so you don’t have to reenter passphrases while your session is active. Kill it when done.
Priya Mervana