The term SSH keys will certainly come up if you spend a lot of time in an IT ecosystem, especially with the growth of cloud infrastructure such as Amazon Web Services (AWS). You may well be wondering what SSH keys are.
SSH keys are access credentials used in the Secure Shell (SSH) protocol, and they are important for modern Infrastructure-as-a-Service platforms such as Amazon Web Services (AWS), Google Cloud Platform (Google Cloud), and Microsoft Azure.
Although SSH supports password-based authentication, it is advisable to use SSH keys rather than passwords for access control. SSH keys provide a more secure way of logging into an SSH server than traditional passwords because they are not susceptible to brute-force password-guessing attacks.
Generating an SSH key pair produces a public key and a private key. To connect to a server, you use an SSH client that has access to the private key, while the public key is installed on the server. The SSH server grants access without a password if the private key presented by the client matches a public key the server holds. A passphrase for the private key is optional but strongly recommended if you want to further strengthen the security of your key pair.
Step 1: Create the Key Pair
A key pair must first be created on the client machine before any other steps can be taken. This is most likely your local computer. Enter the command below on your local command line to begin the process:
ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
A confirmation that the key generation process has begun will be displayed on the screen. You will then be prompted for some details, which we cover in the following steps.
Step 2: Identifying The Location Where The Keys Will Be Saved
After running the ssh-keygen command, you’ll be prompted with a question about where you want to save the keys:
Enter file in which to save the key (/home/sammy/.ssh/id_ed25519):
You can now press ENTER to save the files in the default location, the .ssh directory inside your home directory. Alternatively, type another file name or location after the prompt and then press ENTER to confirm your selection.
Step 3: Create the Passphrase
Next, ssh-keygen will ask you to enter a passphrase.
Enter passphrase (empty for no passphrase):
If a private key without a passphrase falls into the hands of an unauthorized user, they will be able to sign in to any server you have configured with the associated public key. The main disadvantage of a passphrase, having to type it in, can be alleviated by using an ssh-agent service, which safely stores your unlocked key and makes it available to your SSH client. These agents are designed to work in conjunction with your operating system's native keychain, making the unlocking process that much more effortless for you.
Step 4: Copy The Public Key To Your Server
Once the key pair has been generated, the public key must be stored on the server to which you wish to connect.
The ssh-copy-id utility copies the public key into the authorized_keys file on the server. Make sure to replace the username and address in the following example with your own:
Once the command has completed successfully, you can log into the server via SSH without being asked for a password. If you set a passphrase when creating your SSH keys, you will be prompted to enter it now. It is your local SSH client asking you to decrypt the private key; the remote server is not asking for a password.
Step 5: Disabling Password-Based SSH Authentication (Optional)
Once you have copied your SSH keys onto the server, you may want to make it impossible for anyone to log in with a password by configuring the SSH server to reject password-based authentication.
To disable password-based SSH authentication, open the SSH server configuration file and make the necessary changes. In most cases it can be found at the following path:
sudo nano /etc/ssh/sshd_config
This command opens the file in the nano text editor. Locate the line that contains PasswordAuthentication (or add the line if it does not already exist), make sure it is not commented out (that is, there is no # at the start of the line), and change it to the following value:
When you are finished, save and close the file. CTRL+O saves the file, ENTER confirms the filename, and CTRL+X exits nano.
To make these modifications take effect, reload the sshd service.
sudo systemctl reload sshd
Before closing your current SSH session, open another terminal and make a test connection to ensure that you can still log in.
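As an added example (not part of the original tutorial), the following Python script checks whether an sshd_config text actually disables password logins under sshd's own parsing rules: comment lines, first occurrence wins, and settings inside Match blocks not affecting the global value. The keyword names are real sshd options; the sample configs are constructed for the demo, and Include directives are not followed.

```python
import re
from typing import Optional

# Rules this checker models (matching how sshd reads its config):
#  - keywords are case-insensitive; the value follows whitespace or '='
#  - a line beginning with '#' is a comment, so '#PasswordAuthentication no'
#    is NOT in effect and the built-in default (yes) still applies
#  - for each keyword, the FIRST occurrence in the file wins
#  - everything after a 'Match' line is conditional and does not set the
#    global value (Include directives are not followed; assumption of this demo)

def effective_setting(config_text: str, keyword: str) -> Optional[str]:
    """Return the global value sshd would use for `keyword`, or None if unset."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break  # global section is over; later lines are conditional
        if key == keyword.lower() and len(parts) == 2:
            return parts[1].strip().lower()
    return None

def password_auth_disabled(config_text: str) -> bool:
    """True only when PasswordAuthentication is explicitly 'no' in the global section."""
    return effective_setting(config_text, "PasswordAuthentication") == "no"

# Constructed sample configs, not taken from any real server.
WEAK = """
#PasswordAuthentication no
ChallengeResponseAuthentication no
"""
DUPLICATE = """
PasswordAuthentication yes
PasswordAuthentication no
"""
HARDENED = """
PubkeyAuthentication yes
PasswordAuthentication no
Match User deploy
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("DUPLICATE", DUPLICATE), ("HARDENED", HARDENED)):
        print(f"{name}: password logins disabled = {password_auth_disabled(text)}")
```

On a real host, `sudo sshd -T` prints the effective configuration and is the authoritative check.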