SSH keys can serve as a means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication. The major advantage of key-based authentication is that, in contrast to password authentication, it is not prone to brute-force attacks, and you do not expose valid credentials if the server has been compromised.
Furthermore, SSH key authentication can be more convenient than the more traditional password authentication. When used with a program known as an SSH agent, SSH keys can allow you to connect to a server, or multiple servers, without having to remember or enter your password for each system.
Key-based authentication is not without its drawbacks and may not be appropriate for all environments, but in many circumstances it can offer some strong advantages. A general understanding of how SSH keys work will help you decide how and when to use them to meet your needs.
In this guide, we’ll set up SSH keys for a CentOS 7
Generate a Key Pair
- Open Terminal
# ssh-keygen
Enter file in which to save the key (/home/<username>/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/<username>/.ssh/id_rsa.
Your public key has been saved in /home/<username>/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:gGJtSsV8BM+7w018d39Ji57F8iO6c0N2GZq3/RY2NhI username@hostname
The key's randomart image is:
+---[RSA 3072]----+
| ooo. |
| oo+. |
| + +.+ |
| o + + E . |
| . . S . . =.o|
| . + . . B+@o|
| + . oo*=O|
| . . .+=o+|
| o=ooo+|
+---- [SHA256] -----+
You now have a public and private key that you can use to authenticate. The next step is to place the public key on your server so that you can use SSH-key-based authentication to log in.
Upload your Public Key
There are a few different ways to upload your public key:
1. Using ssh-copy-id
ssh-copy-id is a utility available on some operating systems that can copy an SSH public key to a remote server over SSH.
# ssh-copy-id username@remote_host
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/your_username/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
your_username@remote_host password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'username@remote_host'" and check to make sure that only the key(s) you wanted were added.
2. Using Secure Copy (scp)
Secure Copy (scp) is a tool that copies files from a local computer to a remote server over SSH.
Connect to your server via SSH with the user you would like to add your key to:
# ssh your_username@remote_host
Create the ~/.ssh directory and authorized_keys file if they don’t already exist:
# mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys
Give the ~/.ssh directory and authorized_keys files appropriate file permissions:
# chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
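In a terminal on your local machine, use scp to copy your SSH public key (id_rsa.pub) to the authorized_keys file on your server. Note that scp replaces the destination file, so any keys already listed in authorized_keys on the server are overwritten.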
# scp ~/.ssh/id_rsa.pub your_username@remote_host:~/.ssh/authorized_keys
Now you can log in to the server with your key.
3. Copying Public Key Manually
If you do not have password-based SSH access to your server available, you will have to complete the above process manually.
We will manually append the content of your id_rsa.pub file to the ~/.ssh/authorized_keys file on your remote machine.
To display the content of your id_rsa.pub key, type this into your local computer:
# cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyVGaw1PuEl98f4/7Kq3O9ZIvDw2OFOSXAFVqilSFNkHlefm1iMtPeqsIBp2t9cbGUf55xNDULz/bD/4BCV43yZ5lh0cUYuXALg9NI29ui7PEGReXjSpNwUD6ceN/78YOK41KAcecq+SS0bJ4b4amKZIJG3JWmDKljtv1dmSBCrTmEAQaOorxqGGBYmZS7NQumRe4lav5r6wOs8OACMANE1ejkeZsGFzJFNqvr5DuHdDL5FAudW23me3BDmrM9ifUzzjl1Jwku3bnRaCcjaxH8oTumt1a00mWci/1qUlaVFft085yvVq7KZbF2OPPbl+erDW91+EZ2FgEi+v1/CSJ5 your_username@hostname
Note that the public key begins with ssh-rsa and ends with your_username@hostname.
Copy that text, then connect to your server via SSH with the user you would like to add your key to:
# ssh your_username@remote_host
Create the ~/.ssh directory and authorized_keys file if they don’t already exist:
# mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys
Give the ~/.ssh directory and authorized_keys files appropriate file permissions:
# chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
Open the authorized_keys file with a text editor. Then, paste the contents of your public key that you copied in step one on a new line at the end of the file. Save and close the file.
Now you can log in to the server with your key.
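The scp command in method 2 replaces authorized_keys on the server, while method 3 appends to it by hand. As an added example (not part of the original guide), the shell function below performs the append on the server: it rejects anything that is not a single public key line, applies the 700/600 permissions used above, and skips keys that are already listed. The name install_pubkey and its arguments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original guide). install_pubkey is a
# hypothetical helper; run it on the server as the account that will log in.
# Usage: install_pubkey PUBKEY_FILE [HOME_DIR]
install_pubkey() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys

    # A public key file is one line: "<type> <base64> [comment]".
    # A private key spans several lines, so it is rejected here.
    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 2; }
    if [ "$(grep -c . "$pubkey_file")" -ne 1 ]; then
        echo "expected exactly one public key line" >&2; return 2
    fi
    key_line=$(grep . "$pubkey_file")
    key_type=${key_line%% *}
    rest=${key_line#* }
    key_blob=${rest%% *}
    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unexpected key type" >&2; return 2 ;;
    esac
    case $key_blob in
        ''|*[!A-Za-z0-9+/=]*) echo "malformed key data" >&2; return 2 ;;
    esac

    # Same directory and file modes as the chmod steps in the guide.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Skip the append if this key (type + data, comment ignored) is listed.
    if grep -qF -- "$key_type $key_blob" "$auth_file"; then
        echo "key already present"; return 0
    fi
    # If the last entry lacks a trailing newline, add one so the new key
    # does not end up glued to the previous line.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        printf '\n' >> "$auth_file"
    fi
    # Append (>>) rather than overwrite, so existing keys are kept.
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "key added"
}
```

Copy id_rsa.pub to a temporary path on the server (not directly onto authorized_keys), then call install_pubkey with that path.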
Creating SSH shortcuts
Instead of using SSH with an IP address that you’ll definitely forget, you can define shortcuts:
# cd ~/.ssh
# vi config
Add an entry for each computer you want to connect to, like this:
Host test
    HostName remote_host
    Port 22
    User your_username
    IdentityFile ~/.ssh/id_rsa
Now, you can ssh into the server with the shortcut.
# ssh test
You should now have SSH-key-based authentication configured on your server, allowing you to sign in without providing an account password.