SSH is a safe strategy to log into distant methods, however you’ll be able to enhance its safety through the use of it to authenticate speaking hosts by the alternate of public keys — that’s, producing a key pair utilizing the ssh-keygen command.
This tutorial demonstrates how you can use the ssh-keygen command to create a brand new public key and its associated personal key. When you generate the keys, you are able to do the next:
- Add the general public key to a distant server to allow automated and authenticated passwordless logins.
- Use the identical public key on a number of distant servers.
- Use quite a few public keys for various features on the identical server.
GUI variations of SSH normally embrace the identical performance because the command-line variations. For instance, PuTTYgen is a GUI model of ssh-keygen to be used with PuTTY, a GUI implementation of SSH for Home windows. Trendy OSes, corresponding to Linux, macOS and Home windows Server, in addition to Home windows 11, embrace command-line variations of OpenSSH. Do not forget that SSH is cross-platform, enabling you to entry Linux, macOS and Home windows gadgets from every of the opposite OSes. For instance, you would possibly depend on a Home windows 11 workstation for every day use and connect with a number of Linux servers utilizing SSH.
This tutorial makes use of OpenSSH examples from the Home windows PowerShell and Linux Bash (Bourne Once more Shell) command-line interfaces (CLIs). The examples additionally apply to the macOS model of OpenSSH. The benefit of utilizing SSH on the CLI is that instructions are constant throughout OSes, in contrast to with GUI variations that may implement instructions utilizing numerous GUI strategies.
Why generate SSH keys?
You need to use SSH with out key pairs by authenticating with a password, which is fairly safe. Nonetheless, authenticating utilizing a public-private key pair is a safer method.
The method is simple. First, create a public-private key pair for the native pc. Subsequent, copy the general public key file to the distant SSH server. The personal key all the time stays in your native workstation. Solely a consumer with authenticated permission can copy the general public key file to the distant server. If native customers would not have ample permission, they will request a sysadmin of the distant host to repeat the information for them.
Every key within the pair has numerous attributes, together with the next:
- Public key. Mathematically associated to the personal key, it may be despatched throughout the community or distributed to distant customers and workstations.
- Non-public key. Mathematically associated to the general public key, it’s by no means shared with distant customers and workstations.
In the course of the key-based authentication course of, SSH verifies the connection between the 2 keys to make sure they’re associated, thereby offering a safer technique of proving your identification than a password. The method can also be clear and computerized.
Copying your public key file to a distant SSH server allows you to log in to the system securely. By logging into the native system, you show that you simply management the personal key of the general public key pair.
This tutorial addresses three use circumstances:
- Configuring an SSH server to acknowledge the SSH consumer by copying the general public key file out of your native pc to the distant SSH server.
- Copying your public key file to distant servers, enabling you to remotely entry a number of methods through SSH utilizing the identical login ID. This method is especially helpful for admins performing distant system upkeep. It is usually essential to unattended automation processes, corresponding to configuration administration or scripting.
- Copying a number of public keys related to completely different consumer accounts, every with various ranges of permission to a distant server. On this case, you utilize one public key to authenticate when logging in to terminal emulation periods with the distant server and one other public key with greater permissions for doing system administration.
The procedures on this tutorial are finest utilized to particular person purchasers and servers to show how you can generate and use SSH keys. Most admins favor centralized key administration methods in bigger organizations the place many customers must authenticate to completely different servers. These key administration methods can automate the processes defined right here, nonetheless.
How SSH works
SSH makes use of public key authentication to barter a safe connection between an SSH consumer and an SSH server. You need to use SSH to make an advert hoc connection between the consumer and the distant server. You then use a password to authenticate, for instance, with a command corresponding to:
PS C:Usersalice.ssh> ssh 192.0.2.44 -l alice
On this PowerShell instance, the ssh command contains the IP handle of the distant server and the -l choice, which specifies a sound consumer account on the distant server. The distant system prompts you to enter your password. Within the above instance, the system prompts for the password for consumer alice.
Subsequent, SSH shows the next message:
The authenticity of host ‘192.0.2.44’ cannot be established.
This immediate is adopted by the server’s fingerprint and one other immediate to proceed the connection. The fingerprint is a safe hash of the server’s public key, which resides in a file within the SSH listing. On Linux methods, the default location for SSH keys is in your house listing within the file ~/.ssh/known_hosts. On Home windows methods, the default file location is your consumer listing within the file C:Usersusername.sshknown_hosts.
The next instance illustrates an SSH connection initiated between the SSH consumer and the SSH server on the identical host utilizing the loopback handle, 127.0.0.1. This handle is usually used for testing functions and directs all community visitors to consumer and server software program working on the native pc. The default consumer connection on this instance makes use of an Elliptic Curve Digital Signature Algorithm (ECDSA) key.
The most effective safety follow for SSH is to repeat that fingerprint and authenticate it towards the general public key of the distant server. In follow, you’ll be able to usually skip this step when you belief the distant server. When you settle for the authenticity of the distant server, your system provides that server and its fingerprint to the known_hosts file. SSH makes subsequent connections instantly.
This advert hoc method might be adequately safe when connecting to a server inside a protected community, however it may be riskier when connecting to exterior distant servers. SSH key-based authentication can streamline and strengthen this login course of.
The handbook, password-based method additionally prevents automation from working accurately. Instruments corresponding to Ansible generate SSH connections from the management node to the managed nodes, necessitating authentication that doesn’t require human intervention. Key-based authentication is ideal for these eventualities.
Easy methods to generate a brand new SSH key
The ssh-keygen command generates a public-private key pair to be used when authenticating to a distant server. Most SSH implementations embrace it. You’ll sometimes generate new private and non-private keys after which copy the general public key to the distant server utilizing SSH and your password-based login credentials.
By default, ssh-keygen creates an RSA key pair. It shops the general public key in a file named .ssh/id_rsa.pub and a non-public key file named .ssh/id_rsa.
Key era begins with the next command:
$ ssh-keygen -t rsa
On this instance, ssh-keygen generates a brand new SSH key pair utilizing the RSA public key algorithm.
This screenshot exhibits what occurs when the ssh-keygen command runs with the -t choice to specify an RSA key. The ssh-keygen command does the next:
- Generates a public key pair.
- In response to the immediate “Enter passphrase,” you’ll be able to enter a key passphrase to guard entry to your personal key. Utilizing a passphrase enhances safety and is really useful for delicate functions. If a key isn’t passphrase-protected, an attacker who good points entry to your system would additionally achieve direct entry to probably delicate distant methods. In some circumstances, it could possibly be acceptable to press Enter with out getting into a passphrase.
- The personal key, also referred to as identification, is saved in a file named id_rsa within the .ssh listing of your private home listing. This listing is the HOME$/ in Home windows and ~/ in Linux and different Unix-based OSes.
- The general public key exists in the identical listing in a file with the identical identify because the personal key however with the extension .pub.
- SSH creates and shows the important thing fingerprint. The fingerprint is a brief sequence of bytes generated by making use of a cryptographic hash operate to the generated key. SSH implementations can use fingerprints to authenticate the general public key. The fingerprint contains any feedback utilized to the important thing pair. The fingerprint additionally identifies the hashing algorithm used to create the general public key. On this case, the algorithm is Safe Hash Algorithm 256, or SHA-256, with a digest composed of 256 bits.
- SSH shows a randomart picture consisting of ASCII characters primarily based on the information in the important thing fingerprint. The important thing’s randomart picture allows people to visually decide whether or not fingerprints for various servers are similar or not. The bits within the fingerprint are handled like directions for an algorithm that outputs the randomart picture.
File kind and naming specs
The ssh-keygen command creates two information, one public and one personal, for the native pc. On this case, the 2 information are:
- id-rsa comprises the personal key. You need to by no means share this file or copy it to any distant system until it’s beneath your management.
- id-rsa.pub comprises the general public key. You possibly can share and replica this file to different methods, particularly whenever you plan to log in to these methods utilizing SSH.
The file identify for different key varieties makes use of the shape ~/.ssh/id_[key type] by default. These information are saved in your house listing in a subdirectory named .ssh.
For instance, the names for DSA keys are:
- Public key identify: ~/.ssh/id_dsa.pub
- Non-public key identify: ~/.ssh/id_dsa
Different key varieties use an identical naming conference, with the ID and key kind included within the file identify. Public keys have a .pub file extension.
The following step to getting computerized robust authentication when connecting to distant SSH servers is copying the general public key to a number of distant servers.
Easy methods to add a key to the ssh-agent
The ssh-agent software shops personal key data in reminiscence, making the keys accessible to be used with out getting into your passphrase for every connection. Manually launch the agent software earlier than starting a sequence of distant SSH connections.
After producing your key pair, you’ll be able to add the personal key to the agent on a Linux system utilizing the ssh-add command. Use the important thing file because the argument.
ssh-add ~/.ssh/{key-file-name}
View the keys accessible within the SSH agent through the use of the ssh-add -l command.
The ssh-agent shops an unencrypted model of the personal key passphrase in reminiscence, making it probably weak to malware that may entry RAM. The appliance doesn’t write the keys to disk — they’re already saved on the disk within the consumer’s house listing.
As a result of ssh-agent is an software, not a service or daemon, it doesn’t persist by reboots. You will need to begin ssh-agent after any system reboot earlier than accessing distant SSH sources as a safety precaution.
There are 3 ways to streamline the usage of ssh-agent. Every entails beginning the applying robotically when the system boots, versus beginning it manually earlier than use.
- Add or uncomment the next line within the SSH configuration file (normally discovered at /and so forth/ssh/sshd_config on Linux methods): AddKeysToAgent sure
- Add the personal key to a keyring service that begins robotically, such because the Gnome Keyring, KWallet or Apple Keyring on macOS.
- Add the next command to your Bash shell profile at ~/.bashrc or ~/.bash_profile: ssh-add ~/.ssh/(key-file-name}
Not each atmosphere requires the ssh-agent, however it’s helpful in some circumstances.
Easy methods to copy a public key to a server
The following step is copying your newly generated public key from the native system to the distant SSH server. When each methods use OpenSSH on a Unix-based OS, together with Linux or macOS, you should use the ssh-copy-id command to put in the important thing. OpenSSH provides the brand new public key to the authorized_keys file. The distant server’s SSH service checks the file when your native pc requests a connection. Right here is an instance:
$ ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]/house/alice/.ssh/authorized_keys
On this instance, OpenSSH copies your public key file into the authorized_keys file.
Nonetheless, the ssh-copy-id command may not all the time be accessible. For instance, Home windows methods use a unique course of. To repeat a public key to a server from a Home windows command line, use the next command:
PS c:> kind $env:USERPROFILE.sshid_rsa.pub | ssh [email protected] “cat >> .ssh/authorized_keys”
This compound command makes use of the Home windows kind command to output the contents of the general public key file. Subsequent, pipe the contents utilizing the | image to a brand new SSH connection. The ultimate quoted part of this command makes use of the cat command on the distant server to append the brand new public key file to the top of the authorized_keys file. This a part of the command is critical to keep away from overwriting the authorized_keys file, which might overwrite any present keys beforehand added to that file.
The general public key now resides within the .ssh/authorized_keys file on the distant server. The following time you or an automatic course of makes an attempt an SSH connection from the native pc, SSH initiates the session with out the necessity to enter your username and password manually.
Logging in to a distant SSH server with out getting into a password each time is handy, however it isn’t the first motive to make use of SSH key-based authentication. Authenticating SSH connections and not using a passphrase allows automated actions on the distant server with out human intervention. Contemplate the next examples:
- Incorporate SSH connections into batch information or shell scripts to automate repetitive actions, corresponding to copying log information or accessing distant electronic mail servers.
- Combine SSH authentication into configuration administration methods, corresponding to Ansible. This method allows the basic connectivity required for infrastructure as code administration.
- Schedule repetitive actions that require authentication however happen when the native pc is unattended.
Correctly carried out SSH key-based authentication is often safer than forcing customers to depend on difficult passwords for methods they could entry occasionally. Do not low cost the comfort to customers, and the flexibility to automate connections is essential.
Notice that SSH key-based authentication isn’t ample for securing entry to delicate methods. Whereas it could actually enhance safety, customers and enterprises should take much more care to forestall unauthorized entry to the native computer systems used to entry distant SSH servers.
Easy methods to copy a public key to a number of servers
Sysadmins, community managers and community safety professionals usually want to connect with many various distant servers utilizing the identical login ID. Massive organizations can use SSH key administration methods to distribute public keys to the distant servers and handle public key pairs for people who want them.
You may also manually copy your public key to the entire servers you entry. You’ll situation the identical command defined above to repeat your public key for every distant server, as seen on this instance:
PS c:> kind $env:USERPROFILE.sshid_rsa.pub | ssh [email protected] “cat >> .ssh/authorized_keys”
This Home windows command sends the general public key file id_rsa.pub to the distant server to affiliate it with the consumer ID alice on the distant server named ssh.instance.org.
Easy methods to copy a number of public keys to a server
Community and safety professionals would possibly want to make use of completely different identities, every with completely different permissions, on the identical distant server. This method compartmentalizes entry and is helpful for the next causes:
- You possibly can assign a number of public key pairs to identities with numerous ranges of privilege on a system for various features to adjust to the precept of least privilege. One key pair would possibly present restricted entry for testing, whereas one other key pair might give administrative entry to the system for managing consumer accounts. The identical can happen for automation instruments.
- An administrator would possibly use completely different public keys when working with a number of inner purchasers to allow auditing for numerous features carried out by the identical consumer.
When including a number of public keys to the identical distant server, the general public key file names are completely different and have to be specified when working the ssh command. Contemplate this instance:
$ ssh -i ~/.ssh/id_Alice [email protected]
This command makes use of the -i choice to specify the ~/.ssh/id_Alice identification file for the distant host to make use of to authenticate the connection.
SSH key administration finest practices
Use the next SSH key administration finest practices to streamline your present SSH infrastructure and enhance it as a part of a broader automation initiative:
- Uncover, stock and doc all keys. You may be unaware of many keys or present credentials for former staff.
- Revoke pointless keys.
- Choose stronger cryptographic algorithms for higher safety.
- Solely allow key-based authentication for individuals who want it. Most customers won’t ever work with SSH.
- Rotate and alter SSH keys periodically.
- Defend personal keys utilizing passphrases.
- Disable password-based authentication within the SSH configuration file (/and so forth/sshd/sshd_config on Linux methods).
- Disable root authentication within the SSH configuration file.
- Handle key-based authentication for Linux, macOS and Home windows methods.
- Doc and configure key-based authentication for automated configuration processes, corresponding to Ansible.
Implementing SSH key-based authentication and following these finest practices helps guarantee a safe and practical SSH deployment for handbook and automatic duties, even in cross-platform environments.
Editor’s notice: This text was initially written by Peter Loshin in 2022. It was up to date by Damon Garn in 2025.
Damon Garn owns Cogspinner Coaction and gives freelance IT writing and modifying providers. He has written a number of CompTIA research guides, together with the Linux+, Cloud Necessities+ and Server+ guides, and contributes extensively to Informa TechTarget, The New Stack and CompTIA Blogs.
