Linux: Signing in with SSH Keys

Creating SSH keys is a simple process once you know the handful of commands required.


TLDR;

ssh-keygen -f ~/.ssh/paul-key -t ecdsa -b 521 -C "New Token"
#Write the contents of paul-key.pub to the remote server's ~/.ssh/authorized_keys, or
ssh-copy-id -i ~/.ssh/paul-key paul@192.168.42.5
ssh -i paul-key paul@192.168.42.5

Summary

When you use SSH to authenticate to Linux, there are many authentication mechanisms available. One popular way is to use an SSH key: a public/private key pair that is used during the authentication exchange. The server holds a copy of the public key and uses it to verify that the client possesses the matching private key.

Creating a Public/Private Key Pair

An SSH key consists of a public key and a private key. The first step is to create a valid key pair. This is done on the computer you are authenticating from, because the private key needs to be protected and copied as few times as possible.

💡
Starting with Windows 10 and Windows Server 2019 the required tools are included in the operating system so ssh-keygen works in Windows as well as Linux.

Key pairs can be created using a variety of algorithms and key sizes. This can be complex, and the detail will be covered in a separate article on public/private key generation, which will be linked here when it is done.

Ultimately this comes down to selecting between RSA 2048, RSA 4096 and Ed25519. The RSA methods are universally supported, and 4096 is more secure because it generates a longer key, but that also makes it take more processing power. Ed25519 is relatively new and is faster, while retaining much of the security with a shorter key.

#This example creates a key pair in the .ssh folder called "paul-key" (and "paul-key.pub")
#If using ECDSA, -b selects the curve; 521 bits (nistp521) is the largest size ssh-keygen supports.
ssh-keygen -f ~/.ssh/paul-key -t ecdsa -b 521 -C "linux authentication for paul"
#If using RSA, a higher bit length is needed.
ssh-keygen -f ~/.ssh/paul-key -t rsa -b 4096 -C "linux authentication for paul"

This is what executing that command looks like. I did enter a passphrase, which is not displayed.

Generating public/private ecdsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in paul-ecdsa
Your public key has been saved in paul-ecdsa.pub
The key fingerprint is:
SHA256:ueHasOr9/yBdyShf2qw6xxiBYACHZji7X6G3mm0IT2Q linux authentication for paul
The key's randomart image is:
+---[ECDSA 521]---+
|ooo.             |
|++  o            |
|oo . . .         |
|. E . . .. o .   |
| + . .  S.. =    |
|o o o  ..* *     |
| = + .. ++= o    |
|  +oo. =o.oo     |
|  o++.+.+=o..    |
+----[SHA256]-----+

This created two files:

"paul-key" contains the private key. This file must be kept private, and you need to make sure unauthorized users cannot access it, as it is the equivalent of your password. It looks like this:

-----BEGIN OPENSSH PRIVATE KEY-----
[private key material omitted]
-----END OPENSSH PRIVATE KEY-----

"paul-key.pub" contains the public key. This is the text that is provided to remote servers so they can verify that you hold the matching private key. It looks like this:

ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAATK8AOcO7s67LDJfopElE8btanZdf1V77eTFNqjWu7juW6LScrADMrTwHiLrlNs03e0qvJD/aTQownLalVWZkN2gF0Z1Z83RgzspiWjZOYhpHpkNEBY7imytX2plyUeM7jp99NQnENaTSU4ZpE2LGdzVBxvQha4UWN2rAt9xBrH7CM9w== linux authentication for paul

In the public key, anything after the base64 key material (which here ends in "==") is just a comment. This becomes important in the next step.

Install Key to Remote Linux Server

This process covers using the public key to allow a user to authenticate with ssh, given the default sshd configuration on Linux.

Manually

Your user folder should have a subfolder called .ssh, which you can create if needed. In this folder should be a file called authorized_keys. You simply add the line from the public key file to that file. This is where the comment becomes important.

Here you can see the file path and contents. In this example there are two different keys being accepted:

paul@test-vm1:~$ cat ~/.ssh/authorized_keys

ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAATK8AOcO7s67LDJfopElE8btanZdf1V77eTFNqjWu7juW6LScrADMrTwHiLrlNs03e0qvJD/aTQownLalVWZkN2gF0Z1Z83RgzspiWjZOYhpHpkNEBY7imytX2plyUeM7jp99NQnENaTSU4ZpE2LGdzVBxvQha4UWN2rAt9xBrH7CM9w== linux authentication for paul
ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBADU7uHEKnCip33rO8A/E6cCRf7gmSZaMmx3TN1vDPa6kQaLqbTqWKg0voucj/mPNnp3Hkw9Cz6D44JiNyAAk62EMwAcXzm7ju90AfiZBrGsWTSGVhEEPKvSfYJWxxDBz+/Ts3QSn/XoYfCrXEP+3koCQbGJgBLFz5QHpAeTeBZbi6Ef6A== yubikey token

paul@test-vm1:~$

Notice that each key takes up one single line in the file.

This shows the use of the comment. In this case if I lose my Yubikey then I can delete that line, or replace it with the appropriate entry, but the scripts that use the first key will continue to function properly.
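As an added example (not part of the original article), a small POSIX shell helper that does the manual installation above the way sshd's default StrictModes expects (.ssh mode 700, authorized_keys mode 600), rejects malformed lines, skips a key that is already present even when its comment differs, and removes an entry by its comment label, which is the lost-Yubikey case just described. The function names and any key material used with them are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original article): keep ~/.ssh/authorized_keys by hand
# with the permissions sshd's default StrictModes requires, using the comment field
# as the label that identifies each key. Any key material used here is constructed.

# Succeeds if $1 is one authorized_keys entry: "<type> <base64> [comment ...]".
valid_pubkey_line() {
    set -- $1                                  # split the entry on whitespace
    [ $# -ge 2 ] || return 1
    case $1 in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    case $2 in *[!A-Za-z0-9+/=]*) return 1 ;; esac   # key material must be base64
}

# install_authorized_key "<pubkey line>" [authorized_keys path]
# Creates .ssh (0700) and authorized_keys (0600) if missing, then appends the entry
# once: duplicates are detected on type+key material, so re-running with a different
# comment adds nothing. Returns 2 on a malformed line, 1 if already present.
install_authorized_key() {
    key=$1
    file=${2:-$HOME/.ssh/authorized_keys}
    valid_pubkey_line "$key" || { echo "rejected: not a public key line" >&2; return 2; }
    set -- $key                                # fields: type, base64, comment...
    material="$1 $2"                           # comparison ignores the comment
    mkdir -p "$(dirname "$file")" && chmod 700 "$(dirname "$file")"
    touch "$file" && chmod 600 "$file"
    if grep -qF -- "$material" "$file"; then echo "already present: $material" >&2; return 1; fi
    printf '%s\n' "$key" >> "$file"
}

# remove_key_by_comment "<label>" <authorized_keys path>
# Deletes only the entries whose comment is exactly <label> (e.g. a lost hardware
# token) and leaves every other key, and the scripts relying on it, untouched.
remove_key_by_comment() {
    label=$1
    file=$2
    tmp=$(mktemp)
    while IFS= read -r line; do
        set -- $line
        if [ $# -ge 3 ]; then
            shift 2
            [ "$*" = "$label" ] && continue    # the labelled entry: drop it
        fi
        printf '%s\n' "$line" >> "$tmp"
    done < "$file"
    mv "$tmp" "$file" && chmod 600 "$file"
}
```

Source the file and call `install_authorized_key "$(cat ~/.ssh/paul-key.pub)"` on the server; `remove_key_by_comment "yubikey token"` is the revocation step.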

ssh-copy-id

If you are using Linux to generate the key, you can use the command ssh-copy-id to upload your public key to remote Linux servers.

ssh-copy-id -i ~/.ssh/paul-key paul@192.168.42.5

This command will ask for your password for the remote server and then install the key exactly like the manual process does.

Using the SSH Key

Using the SSH key is fairly simple: you point your ssh client at the private key file. The command is the same in Windows and Linux.

ssh -i paul-key paul@192.168.42.5

If you have a passphrase on the key you will have to enter the passphrase.

And just like that, you are signed in! If you try to sudo but don't have NOPASSWD enabled, then you need to know the password for the account in order to use sudo.