Beginner's Guide to SSH Keys: Generate, Use, and Manage Securely

Secure Shell (SSH) is the de facto standard for secure remote access to servers and other network devices. While password-based authentication is common, it can be vulnerable to brute-force attacks and requires memorizing complex passwords. SSH keys offer a more robust and convenient alternative, enabling passwordless authentication and enhancing your overall security posture.

This guide will walk you through the essential steps of generating, deploying, and managing SSH key pairs. By understanding and implementing these practices, you can significantly improve the security of your remote access and streamline your workflow. We'll cover the core concepts, practical commands, and best practices to get you started with SSH key authentication.

Understanding SSH Key Pairs

SSH key authentication relies on a pair of cryptographic keys: a private key and a public key. These keys are mathematically linked, but it's computationally infeasible to derive the private key from the public key.

• Private Key: This key should be kept secret and should never be shared. It resides on your local machine and acts as your identity. When you initiate an SSH connection, your client uses your private key to prove your identity.
• Public Key: This key can be shared freely. You'll place your public key on the remote servers you want to access. When you attempt to connect, the server uses your public key to verify that you possess the corresponding private key.

When you attempt to connect to a server, the following process occurs:

1. Your SSH client presents your public key to the server.
2. The server checks if this public key is authorized (i.e., present in its authorized_keys file).
3. If authorized, the server sends a challenge to your client.
4. Your client uses your private key to encrypt the challenge and sends the encrypted response back to the server.
5. The server decrypts the response using your public key. If the decryption is successful and matches the original challenge, authentication is granted without the need for a password.

Generating SSH Key Pairs

The most common tool for generating SSH key pairs is ssh-keygen. This command is available on most Linux, macOS, and Windows (via WSL or Git Bash) systems.

Using ssh-keygen

To generate a new SSH key pair, open your terminal or command prompt and run the following command:

ssh-keygen -t ed25519

Let's break down this command:

• ssh-keygen: The command to generate SSH keys.
• -t ed25519: Specifies the type of key to create. ed25519 is a modern, highly secure, and fast elliptic curve cryptography algorithm. Other common options include rsa (e.g., ssh-keygen -t rsa -b 4096 for a 4096-bit RSA key).

Upon running the command, you'll be prompted with a few questions:

1. Enter file in which to save the key (e.g., /home/your_user/.ssh/id_ed25519): Press Enter to accept the default location. This will create two files in your .ssh directory: id_ed25519 (your private key) and id_ed25519.pub (your public key).
2. Enter passphrase (empty for no passphrase): This is a crucial security step. Entering a passphrase encrypts your private key on disk. If your private key file is ever compromised, the attacker would still need the passphrase to use it. It's highly recommended to use a strong passphrase.
3. Enter same passphrase again: Confirm your passphrase.

Understanding the Output Files

After generation, two files will be created in your ~/.ssh/ directory (or the path you specified):

• id_ed25519 (or id_rsa): Your private key. NEVER SHARE THIS FILE. Restrict its permissions to read-only for your user.
• id_ed25519.pub (or id_rsa.pub): Your public key. This is the key you'll distribute to servers.

Securing Your Private Key

It's essential to ensure your private key has the correct file permissions. On Linux/macOS, run:

chmod 600 ~/.ssh/id_ed25519

This command restricts read and write permissions to only the owner of the file, preventing other users on the system from accessing your private key.

Deploying Your Public Key to a Server

Once you have generated your SSH key pair, you need to place your public key on the remote server(s) you wish to access.

Using ssh-copy-id (Recommended)

ssh-copy-id is a utility script that simplifies the process of copying your public key to a remote server. It automatically appends your public key to the ~/.ssh/authorized_keys file on the server and sets the correct permissions.

To use ssh-copy-id, run the following command from your local machine:

ssh-copy-id user@remote_host

Replace user with your username on the remote server and remote_host with the server's IP address or hostname. You will be prompted for the password of the user on the remote_host one last time to authorize the key transfer.

If you are using a non-standard SSH port (e.g., 2222), you can specify it with the -p option:

ssh-copy-id -p 2222 user@remote_host

Manual Deployment (If ssh-copy-id is unavailable)

If ssh-copy-id is not available, you can manually copy your public key. First, display your public key content on your local machine:

cat ~/.ssh/id_ed25519.pub

Copy the entire output. Then, SSH into your remote server using your password:

ssh user@remote_host

Once logged in, create the .ssh directory if it doesn't exist, and then create or append to the authorized_keys file:

mkdir -p ~/.ssh
chmod 700 ~/.ssh

Now, paste your public key content into the authorized_keys file. You can do this using a text editor like nano or vim:

nano ~/.ssh/authorized_keys

Paste the copied public key on a new line. Save and exit the editor.

Finally, ensure the authorized_keys file has the correct permissions:

chmod 600 ~/.ssh/authorized_keys

After completing these steps, you should be able to SSH into the server without a password.

Connecting with SSH Keys

Once your public key is on the server, you can connect using your private key. The SSH client will automatically try to use keys found in ~/.ssh/.

ssh user@remote_host

If you used a passphrase during key generation, you will be prompted to enter it now. If you did not use a passphrase, you will be logged in directly.

Specifying a Different Key

If you have multiple SSH key pairs or your key is not in the default location, you can specify which private key to use with the -i option:

ssh -i /path/to/your/private_key user@remote_host

Managing SSH Keys

As you access more servers, you'll accumulate more SSH keys. Effective management is key to maintaining security and convenience.

SSH Agent

The SSH agent is a background program that holds your private keys in memory, decrypted with your passphrase. This allows you to use your keys for multiple SSH connections without re-entering your passphrase each time.

• Starting the SSH Agent: The agent is often started automatically when you log into your desktop environment. If not, you can start it manually:
  bash eval "$(ssh-agent -s)"
• Adding Keys to the Agent: Once the agent is running, add your private key(s):
  bash ssh-add ~/.ssh/id_ed25519
  You will be prompted for your passphrase. After this, the agent will manage the key, and subsequent SSH connections will use it automatically.

SSH Config File (~/.ssh/config)

The SSH client configuration file (~/.ssh/config) allows you to define aliases for hosts and specify connection parameters, including which key to use for a specific host. This is incredibly useful for managing multiple servers.

Create or edit the file ~/.ssh/config on your local machine and add entries like this:

# Default settings
Host *
  ForwardAgent yes
  ServerAliveInterval 60

# Server 1: Web Server
Host webserver
  HostName 192.168.1.100
  User webadmin
  Port 2222
  IdentityFile ~/.ssh/webserver_key

# Server 2: Database Server
Host dbserver
  HostName db.example.com
  User dbuser
  IdentityFile ~/.ssh/db_key

With this configuration, you can connect to the web server using:

ssh webserver

And to the database server using:

ssh dbserver

The SSH client will automatically use the correct username, port, and private key file as defined in the ~/.ssh/config file.

Key Rotation and Revocation

• Rotation: Regularly consider rotating your SSH keys, especially for highly sensitive systems. This involves generating new keys and replacing the old public keys on servers.
• Revocation: If a private key is compromised or you no longer need access, you must remove the corresponding public key from all authorized_keys files on the servers it was deployed to. This is critical for maintaining security.

Best Practices and Security Tips

• Use Passphrases: Always protect your private keys with strong passphrases. This is your primary defense against unauthorized use if the private key file is stolen.
• Secure Private Key Permissions: Ensure your private key file has 600 permissions (-rw-------).
• Use ssh-agent: Leverage the SSH agent to avoid repeatedly typing your passphrase.
• Disable Password Authentication: Once SSH key authentication is working, consider disabling password-based authentication on your servers for an extra layer of security.
• Keep Keys Updated: Use modern, strong algorithms like Ed25519. Avoid older RSA keys without sufficient bit length (at least 4096).
• Be Mindful of authorized_keys: Only add public keys from trusted sources to your authorized_keys file.
• Regular Audits: Periodically review the authorized_keys files on your servers to ensure only authorized keys are present.

Conclusion

SSH keys are a powerful tool for enhancing the security and convenience of remote server management. By mastering the generation, deployment, and management of SSH key pairs using tools like ssh-keygen and ssh-copy-id, you can move beyond password-based authentication and establish a more secure and efficient remote access workflow. Remember to prioritize security by using strong passphrases and securing your private keys.