DevOps Knowledge Hub
DevOps Knowledge Hub

How to Generate and Secure SSH Keys for Remote Access

Master secure remote access by learning to generate robust SSH key pairs using `ssh-keygen`. This guide covers best practices for selecting key types (Ed25519), securing your private key with a passphrase, efficiently deploying the public key using `ssh-copy-id`, and utilizing `ssh-agent` for seamless authentication. Ensure your infrastructure is protected against brute-force attacks by implementing key-based access control.

30 views

How to Generate and Secure SSH Keys for Remote Access

Secure Shell (SSH) is the standard protocol for securely connecting to remote servers and systems. While password authentication is common, using SSH key pairs offers a significantly stronger, more convenient, and more resilient method of authentication. This comprehensive guide walks you through generating robust SSH key pairs, securing them with passphrases, and utilizing the ssh-agent for seamless, secure remote access.

Understanding key management is crucial for maintaining the security of your infrastructure. By replacing vulnerable passwords with cryptographic keys, you mitigate risks associated with brute-force attacks and credential stuffing, establishing a bedrock of secure remote connectivity.

Understanding SSH Key Pairs

An SSH key pair consists of two distinct components:

  1. The Private Key: This key must never be shared. It stays securely on your local machine and is used to prove your identity to the remote server.
  2. The Public Key: This key is freely shared and uploaded to the ~/.ssh/authorized_keys file on the remote server(s) you wish to access. The server uses this key to verify the signature generated by your private key.

Choosing the Right Algorithm

When generating keys, it is essential to select a modern, strong cryptographic algorithm. RSA is still widely used, but Ed25519 is often recommended for its speed and strong security guarantees.

Step 1: Generating the SSH Key Pair

The ssh-keygen utility is the standard tool for creating SSH key pairs on Linux, macOS, and Windows (via Git Bash or WSL).

To create a modern Ed25519 key, use the following command. We specify the key type (-t ed25519) and provide a comment (-C) to help identify the key's purpose or owner:

ssh-keygen -t ed25519 -C "[email protected]_or_host_name"

When prompted:

  1. Enter file in which to save the key: Press Enter to accept the default location (/home/user/.ssh/id_ed25519).
  2. Enter passphrase (recommended): Always set a strong passphrase. This encrypts your private key, so even if someone steals the file, they cannot use it without the passphrase.

Generating an RSA Key (Alternative)

If compatibility with very old systems is required, you can generate an RSA key, ensuring you specify a sufficient key length (at least 4096 bits):

ssh-keygen -t rsa -b 4096 -C "your_rsa_key_comment"

Key Output Files

After generation, two files are created in your ~/.ssh/ directory (assuming defaults):

  • id_ed25519 (or id_rsa): Your Private Key
  • id_ed25519.pub (or id_rsa.pub): Your Public Key

Security Best Practice: Never share the file without the .pub extension. Set restrictive permissions on your private key (chmod 600 ~/.ssh/id_ed25519).

Step 2: Copying the Public Key to the Server

The remote server must have your public key in its ~/.ssh/authorized_keys file to grant access.

Using ssh-copy-id (The Easiest Method)

The ssh-copy-id utility automates the process, handling directory creation and permission settings on the remote server. You will need to authenticate with a password one last time for this initial setup.

ssh-copy-id user@remote_host_ip

If successful, the command will inform you that the keys have been added. You can now attempt to log in.

Manual Copy (If ssh-copy-id is Unavailable)

If you cannot use ssh-copy-id, you can manually append the public key content. First, display the public key:

cat ~/.ssh/id_ed25519.pub

Then, log into the remote server using your password and append the output to the authorized_keys file:

# On the remote server
mkdir -p ~/.ssh
chmod 700 ~/.ssh
# Replace <PASTE_YOUR_PUBLIC_KEY_HERE> with the actual key content
echo "<PASTE_YOUR_PUBLIC_KEY_HERE>" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

Step 3: Securing Access with ssh-agent

Typing your passphrase every time you connect to a server becomes tedious. The ssh-agent is a background program that securely holds your decrypted private keys in memory, allowing you to use them without repeatedly entering the passphrase.

Starting and Using ssh-agent

  1. Ensure the agent is running: On most modern Linux/macOS systems, the agent starts automatically when you log in. You can check its status by looking for the environment variables:

    bash echo $SSH_AUTH_SOCK

  2. Add your key to the agent: Use the ssh-add command to load your private key. You will be prompted for the passphrase only once.

    ```bash
    ssh-add ~/.ssh/id_ed25519

    Enter passphrase for /home/user/.ssh/id_ed25519: ****

    Identity added: /home/user/.ssh/id_ed25519 (comment)

    ```

  3. Verify loaded keys:

    bash ssh-add -l

Now, when you run ssh user@remote_host_ip, the connection will authenticate using the key held by the agent without asking for the passphrase again (until the agent session ends).

Important ssh-agent Notes

  • Session Dependent: The keys loaded into the agent are typically only available for the current terminal session or desktop login session. You will need to re-run ssh-add after logging out and back in.
  • Key Lifetime: You can set a maximum lifetime for keys held in the agent using the -t flag (e.g., ssh-add -t 1h ~/.ssh/id_ed25519 keeps the key loaded for one hour).

Advanced Security: Disabling Password Authentication

Once you have confirmed that key-based authentication works flawlessly across all required servers, the strongest security measure is to disable password-based logins entirely. This prevents brute-force attacks against passwords.

  1. Connect to your server via SSH using your key.

  2. Edit the SSH daemon configuration file, usually located at /etc/ssh/sshd_config:

    bash sudo nano /etc/ssh/sshd_config

  3. Find and set the following directives:

    ```config

    Ensure this is set to yes (usually default)

    PubkeyAuthentication yes

    Disable password logins

    PasswordAuthentication no
    ```

  4. Restart the SSH service to apply changes:

    ```bash
    sudo systemctl restart sshd # For systemd-based systems (most modern Linux)

    OR

    sudo service ssh restart # Older systems
    ```

Warning: Before disabling password authentication, ensure you have successfully logged in at least once using your new key. Locking yourself out due to a configuration error is a common, recoverable mistake, but it requires console or alternative access.

Summary and Next Steps

Generating and managing SSH keys is a fundamental skill for secure system administration. By following these steps—generating modern Ed25519 keys, protecting the private key with a strong passphrase, securely installing the public key on target servers, and leveraging ssh-agent—you establish a highly secure and efficient authentication mechanism.

Next Steps:

  • Generate a unique key pair for every major system or service you access.
  • Regularly audit the authorized_keys file on critical servers.
  • Use different passphrases for different key pairs if possible, or at least ensure they are complex.