Fri Aug 18

The Ultimate Guide to SSH Keys: How to Generate, Manage, and Use

SSH, or Secure Shell, is a protocol that allows you to securely connect to remote servers and execute commands over an encrypted channel. SSH is widely used for system administration, file transfer, and tunneling other applications. SSH can also run graphical applications over the network with X11 forwarding.

One of the main advantages of SSH is that it supports public key authentication, which is a more secure and convenient way of logging in than using passwords. With public key authentication, you generate a pair of keys: a private key that you keep secret, and a public key that you share with the server. When you connect to the server, the server verifies that you have the matching private key, and grants you access without asking for a password.

In this article, you will learn how to generate SSH keys on Linux using different tools, how to use them to connect to remote servers, and how to manage and secure them properly.

What are SSH Keys and Why Use Them?

SSH keys are cryptographic keys that use a public key cryptosystem. A public key cryptosystem is a method of encryption that uses two different keys: a public key and a private key. The public key can be used to encrypt data, but not decrypt it. The private key can be used to decrypt data encrypted with the public key, but not encrypt it. This way, you can share your public key with anyone, but keep your private key secret.

SSH keys work as follows:

  • You generate a pair of keys on your local machine: a private key and a public key.
  • You copy your public key to the server that you want to connect to.
  • When you connect to the server, the server sends you a challenge encrypted with your public key.
  • You decrypt the challenge with your private key and send it back to the server.
  • The server verifies that the challenge matches the one it sent, and authenticates you.

Using SSH keys has several benefits over using passwords:

  • SSH keys are more secure, because they are almost impossible to guess or crack by brute force attacks.
  • SSH keys are more convenient, because you don’t have to remember or type passwords every time you connect.
  • SSH keys can also enable single sign-on (SSO), which means that you can use one key pair to access multiple servers or services.

How to Generate SSH Keys on Linux

There are different tools that you can use to generate SSH keys on Linux. The most common ones are OpenSSH and OpenSSL, which are command-line utilities that come pre-installed on most Linux distributions. You can also use graphical tools such as PuTTYgen or GNOME Keyring, which provide a user-friendly interface for creating and managing SSH keys.

In this section, we will show you how to generate SSH keys on Linux using OpenSSH and PuTTYgen.

Generating SSH Keys with OpenSSH

OpenSSH is the standard implementation of SSH for Linux. It provides a set of tools for creating and managing SSH keys, such as ssh-keygen, ssh-copy-id, ssh-add, and ssh-agent.

To generate a new SSH key pair with OpenSSH, follow these steps:

  • Open a terminal window and run the following command:

    ssh-keygen -t rsa

This will create a 2048-bit RSA key pair by default. You can specify a different type of key (such as ed25519 or ecdsa) or a different size (such as 4096) by changing the -t and -b options respectively.

  • You will be prompted to enter a file name for your key pair. You can accept the default location (~/.ssh/id_rsa for the private key and ~/.ssh/id_rsa.pub for the public key) or enter a custom one. It is recommended to use different file names for different servers or purposes.

  • You will also be prompted to enter a passphrase for your private key. This is an optional but highly recommended step, as it adds an extra layer of security to your key. A passphrase is like a password that you have to enter every time you use your key. You can leave it blank if you don’t want to use one, but be aware that this will make your key vulnerable if someone gets access to it.

  • Once you have entered the file name and the passphrase, the command will generate your key pair and display a message like this:

    Your identification has been saved in /home/user/.ssh/id_rsa
    Your public key has been saved in /home/user/.ssh/id_rsa.pub
    The key fingerprint is:
    SHA256:xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx user@host
    The key's randomart image is:
    +---[RSA 2048]----+
    |                 |
    |                 |
    |                 |
    |                 |
    |                 |
    |                 |
    |                 |
    |                 |
    |                 |
    +----[SHA256]-----+

  • You can verify that your key pair has been created by listing the files in the ~/.ssh directory:

    ls -l ~/.ssh
    total 8
    -rw------- 1 user user 1679 Aug 18 22:59 id_rsa
    -rw-r--r-- 1 user user  397 Aug 18 22:59 id_rsa.pub

  • You can also view the contents of your public key by using the cat command:

    cat ~/.ssh/id_rsa.pub
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx user@host

Generating SSH Keys with PuTTYgen

PuTTYgen is a graphical tool for generating and converting SSH keys on Windows. It is part of the PuTTY suite, which is a popular SSH client for Windows. You can download PuTTYgen from the official website.

To generate a new SSH key pair with PuTTYgen, follow these steps:

  • Launch PuTTYgen by double-clicking on its icon or going to the Start menu and selecting it from the list of programs.
  • Select the type of key that you want to generate from the Parameters section. The default is RSA, but you can also choose ED25519, ECDSA, or DSA. You can also change the number of bits in the generated key by moving the slider or entering a value in the box. The recommended minimum is 2048 bits for RSA and ECDSA, and 256 bits for ED25519 and DSA.
  • Click on the Generate button to start generating your key pair. You will be asked to move your mouse over the blank area to generate some randomness for the key.
  • Once the key pair is generated, you will see your public key in the Key section, and a fingerprint and a randomart image in the Key fingerprint and Key comment sections respectively.
  • You can optionally enter a passphrase for your private key in the Key passphrase and Confirm passphrase boxes. This is similar to the passphrase option in OpenSSH, and it adds an extra layer of security to your key. If you don’t want to use a passphrase, leave these boxes blank.
  • You can also optionally change the comment for your key in the Key comment box. This is a text that identifies your key, and it is usually your username or email address. You can leave it as it is or enter a custom one.
  • To save your private key, click on the Save private key button and choose a file name and location for it. The file will have a .ppk extension, which stands for PuTTY Private Key. This file format is different from the OpenSSH format, so you will need to convert it if you want to use it with OpenSSH or other SSH clients.
  • To save your public key, click on the Save public key button and choose a file name and location for it. The file will have a .pub extension, which stands for Public Key. This file format is compatible with OpenSSH, so you can use it as it is or copy its contents to another file.
  • You can also copy your public key directly from the PuTTYgen window by selecting all the text in the Key box and pressing Ctrl+C or right-clicking and choosing Copy.

How to Use SSH Keys to Connect to Remote Servers

Once you have generated your SSH keys, you need to copy your public key to the server that you want to connect to. This will allow the server to recognize and authenticate you when you connect with your private key.

There are different ways of copying your public key to a server, depending on what tools you are using. In this section, we will show you how to do it with OpenSSH and PuTTY.

Copying Your Public Key with OpenSSH

OpenSSH provides a handy tool called ssh-copy-id, which automates the process of copying your public key to a remote server. To use it, follow these steps:

  • Open a terminal window and run the following command:

    ssh-copy-id user@host

Replace user with your username on the remote server, and host with the hostname or IP address of the server.

  • You will be prompted to enter your password for the remote server. This is the last time you will need to use it, as from now on you will be able to connect with your SSH key.

  • The command will append your public key to the ~/.ssh/authorized_keys file on the remote server. This file contains a list of public keys that are allowed to access the server. You can verify that your key has been added by running the following command:

    ssh user@host cat ~/.ssh/authorized_keys

You should see your public key in the output.
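As an added example (not code from the original article), the shell function below does on the server what ssh-copy-id does for you: it checks that the file really is a public key line, appends it to authorized_keys only once, and sets the directory and file permissions that sshd expects. The names install_pubkey and count_keys are chosen here, and SAMPLE_PUBKEY is a constructed line, not a real key.

```shell
# Added example: manual server-side equivalent of ssh-copy-id.
# install_pubkey and count_keys are names chosen for this example;
# SAMPLE_PUBKEY is constructed content, not a real key.

# Constructed sample public key in the "<type> <base64> [comment]" format.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExampleExampleExamplEx user@laptop'

# Usage: install_pubkey <public-key-file> <authorized_keys-file>
# Appends the key once, refusing anything that is not a public key line,
# and leaves the directory at 700 and authorized_keys at 600, which is
# what sshd's default StrictModes setting wants to see.
install_pubkey() {
    pubfile=$1
    authkeys=$2

    line=$(head -n 1 "$pubfile")
    set -- $line                       # split into type, body and comment words
    if [ $# -lt 2 ]; then
        echo "refusing $pubfile: not a public key line" >&2
        return 2
    fi
    ktype=$1; kbody=$2; shift 2; comment=$*

    # A private key pasted by mistake starts with "-----BEGIN" and fails here.
    case $ktype in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
        *) echo "refusing $pubfile: unsupported key type '$ktype'" >&2; return 2 ;;
    esac
    # The key body must be base64.
    case $kbody in
        *[!A-Za-z0-9+/=]*) echo "refusing $pubfile: key body is not base64" >&2; return 2 ;;
    esac

    dir=$(dirname "$authkeys")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$authkeys" && chmod 600 "$authkeys"

    # Compare type and body only, so re-running with a changed comment
    # does not add a second copy of the same key.
    if grep -qF -- "$ktype $kbody" "$authkeys"; then
        echo "already present: $ktype key (${comment:-no comment})"
        return 0
    fi
    printf '%s\n' "$line" >> "$authkeys"
    echo "added: $ktype key (${comment:-no comment})"
}

# Number of keys an authorized_keys file grants access to (non-comment, non-blank lines).
count_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1" 2>/dev/null || true
}
```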

Copying Your Public Key with PuTTY

PuTTY does not have a built-in tool for copying your public key to a remote server. However, you can use a third-party tool such as WinSCP, which is a graphical file transfer client for Windows. You can download WinSCP from the official website.

To copy your public key with WinSCP, follow these steps:

  • Launch WinSCP by double-clicking on its icon or going to the Start menu and selecting it from the list of programs.
  • Enter the hostname or IP address of the remote server in the Host name box, and your username and password in the User name and Password boxes. Make sure that the File protocol is set to SFTP and the Port number is set to 22.
  • Click on the Login button to connect to the remote server. You may see a warning message about the host key verification. Click on Yes to accept it.
  • Once you are connected, you will see two panels: the left one shows the files and folders on your local machine, and the right one shows the files and folders on the remote server.
  • Navigate to the folder where you saved your public key file (.pub) on your local machine, and select it by clicking on it.
  • Drag and drop it to the ~/.ssh folder on the remote server. You may see a confirmation dialog. Click on Copy to confirm.
  • Double-click on the ~/.ssh folder on the remote server to open it. You should see your public key file there.
  • Right-click on your public key file and select Edit from the context menu. This will open it in a text editor.
  • Select all the text in the file and copy it by pressing Ctrl+C or right-clicking and choosing Copy.
  • Close the text editor and delete your public key file from the ~/.ssh folder by right-clicking on it and choosing Delete from the context menu. Confirm by clicking on OK.
  • Right-click on the authorized_keys file in the ~/.ssh folder and select Edit from the context menu. This will open it in a text editor.
  • Paste your public key at the end of the file by pressing Ctrl+V or right-clicking and choosing Paste.
  • Save and close the file by clicking on File > Save and File > Exit from the menu bar. You have now successfully copied your public key to the remote server using WinSCP.

How to Connect to Remote Servers Using SSH Keys

After copying your public key to the remote server, you can connect to it using SSH without entering a password. Depending on what tool you are using, there are different ways of doing this.

In this section, we will show you how to connect to remote servers using SSH keys with OpenSSH and PuTTY.

Connecting with OpenSSH

To connect to a remote server using OpenSSH, follow these steps:

  • Open a terminal window and run the following command:

    ssh user@host

Replace user with your username on the remote server, and host with the hostname or IP address of the server.

  • If you have used a passphrase for your private key, you will be prompted to enter it. If not, you will be logged in directly.

  • You should see a welcome message from the remote server, and a shell prompt where you can type commands.

  • To exit the SSH session and return to your local shell, type:

    exit

You have now successfully connected to the remote server using OpenSSH.

Connecting with PuTTY

To connect to a remote server using PuTTY, follow these steps:

  • Launch PuTTY by double-clicking on its icon or going to the Start menu and selecting it from the list of programs.

  • Enter the hostname or IP address of the remote server in the Host Name (or IP address) box. Make sure that the Port is set to 22 and the Connection type is set to SSH.

  • On the left panel, expand the SSH category and click on Auth.

  • Click on the Browse button and locate your private key file (.ppk) on your local machine. Select it and click on Open.

  • On the left panel, click on Session to go back to the main window. You can also save these settings for future use by entering a name in the Saved Sessions box and clicking on Save. This will allow you to load the same settings by selecting the name from the list and clicking on Load.

  • Click on the Open button to connect to the remote server. You may see a warning message about the host key verification. Click on Yes to accept it.

  • If you have used a passphrase for your private key, you will be prompted to enter it. If not, you will be logged in directly.

  • You should see a welcome message from the remote server, and a shell prompt where you can type commands.

  • To exit the SSH session and return to your local shell, type:

    exit

You have now successfully connected to the remote server using PuTTY.

How to Manage and Secure Your SSH Keys

SSH keys are powerful tools that can enhance your security and convenience when working with remote servers. However, they also come with some responsibilities and risks that you need to be aware of and mitigate.

In this section, we will provide some tips and best practices on how to manage and secure your SSH keys properly.

Use Passphrases for Your Private Keys

One of the most important things you can do to protect your SSH keys is to use passphrases for your private keys. A passphrase is like a password that you have to enter every time you use your key. This adds an extra layer of security to your key, as even if someone gets access to your key file, they won’t be able to use it without knowing your passphrase.

To add or change a passphrase for your private key, you can use the following command:

    ssh-keygen -p -f path/to/key

Replace path/to/key with the location of your private key file. You will be prompted to enter your old passphrase (if any) and your new passphrase (twice).

To avoid typing your passphrase every time you use your key, you can use a tool called ssh-agent, which stores your decrypted keys in memory and provides them to SSH when needed. To use ssh-agent, follow these steps:

  • Start ssh-agent by running the following command:

    eval $(ssh-agent)

  • This will start ssh-agent in the background and set some environment variables that SSH will use.

  • Add your private key to ssh-agent by running the following command:

    ssh-add path/to/key

  • Replace path/to/key with the location of your private key file. You will be prompted to enter your passphrase once.

  • You can now connect to remote servers using SSH without entering your passphrase again, as long as ssh-agent is running.

  • To list the keys that are currently loaded in ssh-agent, run the following command:

    ssh-add -l

  • To remove all keys from ssh-agent, run the following command:

    ssh-add -D

Using passphrases for your private keys can prevent unauthorized access to your remote servers if someone steals or compromises your key file. However, you should also make sure that you store your key file securely and avoid exposing it to others.

Store Your SSH Keys Securely

Another good practice is to store your SSH keys securely on your local machine or server. This means that you should keep them in a dedicated SSH key directory, such as ~/.ssh, and set the appropriate permissions and ownership for them.

To set the permissions and ownership for your SSH key files, follow these steps:

  • Open a terminal window and navigate to the directory where you store your SSH keys, such as ~/.ssh.

  • Run the following command to change the ownership of the directory and its contents to your user name and group:

    sudo chown -R user:group ~/.ssh

  • Replace user with your user name and group with your group name. You can find them by running the whoami and groups commands respectively.

  • Run the following commands to change the permissions of the directory and its contents so that only you can read and write them. The directory gets 700 rather than 600 because it needs the execute bit to be entered at all; a recursive chmod 600 would strip that bit and make every file in it unreachable. The files inside get 600:

    chmod 700 ~/.ssh
    chmod 600 ~/.ssh/*

Storing your SSH keys securely can prevent others from accessing or modifying them without your permission. However, you should also avoid sharing them with others or uploading them to public places.
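To check that the permissions described above are still in place (on your own machine or on a server you administer), here is an added example, not code from the original article, that audits an SSH directory against the 700/600 layout and can repair it. It is stricter than sshd's StrictModes check, which only rejects group- or world-writable files; mode_of and check_ssh_perms are names chosen for this example.

```shell
# Added example: audit (and optionally repair) permission bits in an SSH
# directory. mode_of and check_ssh_perms are names chosen for this example.

# Octal permission bits of a path: GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: check_ssh_perms <dir> [fix]
# Prints one line per finding and returns 1 if anything was wrong, 0 if clean.
# With "fix" as the second argument each finding is corrected with chmod.
check_ssh_perms() {
    dir=$1
    fix=${2:-}
    rc=0

    want_mode() {                      # want_mode <path> <octal> <reason>
        actual=$(mode_of "$1")
        if [ "$actual" != "$2" ]; then
            echo "WRONG $1: mode $actual, want $2 ($3)"
            [ "$fix" = fix ] && chmod "$2" "$1"
            rc=1
        fi
    }

    # The directory needs the execute bit, so 700 rather than 600:
    # a recursive "chmod 600" would make every file in it unreachable.
    want_mode "$dir" 700 "only the owner may enter the directory"

    for f in "$dir"/*; do
        [ -e "$f" ] || continue        # empty directory: the glob did not expand
        case $f in
            *.pub|*/known_hosts)
                # Not secret: 644 is fine, 600 is fine too, group/world write is not.
                case $(mode_of "$f") in
                    600|644) ;;
                    *) want_mode "$f" 644 "must not be writable by others" ;;
                esac ;;
            */authorized_keys)
                want_mode "$f" 600 "the login allow-list should be owner-only" ;;
            *)
                # Anything else (private keys, config) is treated as owner-only.
                want_mode "$f" 600 "private material must be unreadable by others" ;;
        esac
    done
    return $rc
}
```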

Avoid Sharing Your SSH Keys with Others

Another good practice is to avoid sharing your SSH keys with others, especially your private keys. Your private keys are meant to be kept secret and used only by you. Sharing them with others can compromise their security and expose you to potential attacks.

If you need to grant access to a remote server or service to someone else, you should create a separate SSH key pair for them and add their public key to the server or service. This way, you can control their access level and revoke it if needed.

To create a separate SSH key pair for someone else, follow these steps:

  • Open a terminal window and run the following command:

    ssh-keygen -t rsa -f ~/.ssh/id_rsa_user

Replace user with the name of the person you want to create the key pair for. This will create a 2048-bit RSA key pair with the file names id_rsa_user and id_rsa_user.pub.

  • You will be prompted to enter a passphrase for the private key. You can either enter one or leave it blank. However, it is recommended to use a passphrase for security reasons.

  • Once the key pair is generated, you can copy the public key file (id_rsa_user.pub) to the person you want to grant access to. You can send it via email, chat, or another secure channel.

  • The person who receives the public key file can then copy it to the remote server or service that they want to access. They can use the same methods as described in the previous section on how to copy your public key with OpenSSH or PuTTY.

  • To connect to the remote server or service using the new SSH key pair, the person needs to specify the private key file (id_rsa_user) when using SSH. For example, they can run the following command:

    ssh -i ~/.ssh/id_rsa_user user@host

Replace user with their username on the remote server or service, and host with the hostname or IP address of the server or service.

Avoiding sharing your SSH keys with others can prevent unauthorized access to your remote servers or services if someone misuses or loses your keys. However, you should also monitor and audit your SSH keys regularly.

Monitor and Audit Your SSH Keys Regularly

Another good practice is to monitor and audit your SSH keys regularly. This means that you should keep track of your SSH keys and their usage, and review them periodically for any anomalies or issues.

Some of the things that you should monitor and audit are:

  • The number and location of your SSH keys. You should know how many SSH keys you have, where they are stored, and what they are used for.
  • The access level and expiration date of your SSH keys. You should know what servers or services your SSH keys can access, and for how long they are valid.
  • The activity and performance of your SSH keys. You should know how often your SSH keys are used, by whom, and for what purpose.
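The first item on that list, knowing which keys exist and what they can do, starts with reading the authorized_keys files on your servers. The following is an added example, not code from the original article: it lists every key in such a file with its type, comment and any restricting options, and flags DSA keys (which OpenSSH has refused by default since version 7.0) and keys granted without any options. The name audit_authorized_keys is chosen here; SAMPLE_AUTHORIZED_KEYS is constructed content, not real keys.

```shell
# Added example: inventory of an authorized_keys file. audit_authorized_keys
# is a name chosen here; SAMPLE_AUTHORIZED_KEYS is constructed, not real keys.

SAMPLE_AUTHORIZED_KEYS='# deploy and admin keys for web01 (constructed sample)
from="10.0.0.0/8",no-pty,command="/usr/local/bin/backup" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBackupBackupBackupBackupBackupBackupBacku backup@ops
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDExampleExampleExampleExampleExampleExampl alice@laptop
ssh-dss AAAAB3NzaC1kc3MAAACBAOldKeyOldKeyOldKeyOldKeyOldKeyOldKeyOldKeyOldKe'

# Usage: audit_authorized_keys <file>
# One line per key: type, tail of the key body, comment, options and flags.
# Returns 1 if any key is flagged (DSA or an unparseable line), else 0.
audit_authorized_keys() {
    awk '
    /^[[:space:]]*(#|$)/ { next }              # skip comments and blank lines
    {
        opts = ""; type = ""; body = ""; comment = ""
        # Format: [options] <type> <base64> [comment]. The options field is
        # optional, so locate the key-type token and split around it.
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+|sk-[a-z0-9-]+@openssh\.com)$/) {
                type = $i; body = $(i + 1)
                for (j = i + 2; j <= NF; j++) comment = comment (j > i + 2 ? " " : "") $j
                break
            }
            opts = opts (i > 1 ? " " : "") $i     # quoted options containing spaces are rejoined approximately
        }
        if (type == "") { printf "line %d: UNPARSEABLE: %s\n", NR, $0; bad++; next }
        total++
        flags = ""
        if (type == "ssh-dss") { flags = flags " dsa-key(disabled by default since OpenSSH 7.0)"; bad++ }
        if (opts == "")        flags = flags " unrestricted"
        if (comment == "")     flags = flags " no-comment"
        printf "line %d: %s ...%s [%s]%s%s\n", NR, type, substr(body, length(body) - 7),
               comment, (opts != "" ? " opts=" opts : ""), (flags != "" ? " FLAGS:" flags : "")
    }
    END { printf "%d keys, %d flagged\n", total, bad; exit (bad > 0 ? 1 : 0) }
    ' "$1"
}
```

For fingerprints and bit lengths of the same keys, `ssh-keygen -lf authorized_keys` prints one line per entry and pairs well with this listing.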

Monitoring and auditing your SSH keys regularly can help you detect and prevent any potential problems or threats, such as:

  • SSH key sprawl. This is when you have too many SSH keys that are not managed properly, leading to security risks and operational challenges.
  • SSH key compromise. This is when someone gains unauthorized access to your SSH keys, either by stealing them, cracking them, or exploiting a vulnerability in the server or service that uses them.
  • SSH key misuse. This is when someone uses your SSH keys for malicious or unauthorized purposes, such as accessing sensitive data, installing malware, or launching attacks.

To prevent or recover from these problems or threats, you should take some actions, such as:

  • Revoking or replacing your compromised or misused SSH keys. This means that you should remove them from the servers or services that they can access, and generate new ones if needed.
  • Updating or patching your servers or services that use SSH keys. This means that you should apply the latest security updates or fixes to the software that runs on the servers or services that use SSH keys, such as SSH itself, operating systems, applications, etc.
  • Implementing or enforcing policies and procedures for SSH key management. This means that you should define and follow some rules and guidelines for creating, using, storing, sharing, monitoring, auditing, and revoking SSH keys.

By following these actions, you can improve the security and efficiency of your SSH key management and usage.

Conclusion

In this article, we have learned how to generate SSH keys on Linux using different tools, how to copy them to remote servers using different methods, how to connect to remote servers using SSH keys without passwords, and how to manage and secure your SSH keys properly.

SSH keys are powerful tools that can enhance your security and convenience when working with remote servers. However, they also come with some responsibilities and risks that you need to be aware of and mitigate.

We hope that this article has helped you understand and use SSH keys better.