SSH (Secure Shell) is a cryptographically secured protocol used to manage and communicate with servers. If you are working with an Ubuntu server, you will probably spend most of your time in a terminal session connected to your server via SSH.
In this guide, we will focus on setting up SSH keys for an Ubuntu 22.04 installation. SSH keys provide a secure way to log in to your server and are recommended for all users.
Step 1 – Create the key pair
The first step is to create a key pair on the computer:
ssh-keygen
Current versions of ssh-keygen generate a 3072-bit RSA key pair by default, which is secure enough for most use cases (you can optionally specify the -b 4096 option to generate a larger 4096-bit key).
After entering the command, you should see the following output:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/your_username/.ssh/id_rsa):
Press Enter to save the key pair in the .ssh/ subdirectory in your home directory, or specify an alternate path.
If you have previously created an SSH key pair, you may see the following prompt:
/home/your_username/.ssh/id_rsa already exists.
Overwrite (y/n)?
If you choose to overwrite the key on disk, you will no longer be able to authenticate with the previous key. Be very careful when selecting “Yes”, as this is a destructive operation that cannot be undone.
You should then see the following prompt:
Enter passphrase (empty for no passphrase):
Here you can optionally enter a secure passphrase, which is highly recommended. A passphrase is a password that is requested when the key is used. It provides an additional layer of security.
You should then see output similar to the following:
Your identification has been saved in /home/your_username/.ssh/id_rsa
Your public key has been saved in /home/your_username/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:8STVn6r5nq+ABwWRlnsDaf0Ailrv4K6f5CTrEKREmyB username@hostname
The key's randomart image is:
+---[RSA 3072]----+
|+o. ++o |
|oA . +.. |
| o .+ |
|+ .. . |
|o .o.A. . |
| . o .Xo. o |
|o.=. o .= + |
|oO.+ . = o |
|*=*.o oo=o. |
+----[SHA256]-----+
You now have a public and a private key that you can use for authentication. The next step is to place the public key on your server so that you can log in using SSH key authentication.
Step 2 – Copy the public key to your Ubuntu server
The fastest way to copy your public key to an Ubuntu host is to use the ssh-copy-id utility. Because of its simplicity, this method is highly recommended wherever it is available. If ssh-copy-id is not available on your client machine, you can use one of the two alternative methods described in this section (copying via password-based SSH or copying the key manually).
Copying the public key with ssh-copy-id
The ssh-copy-id tool is included by default in many operating systems, so it should be available on your local system. For this method to work, you must already have password-based SSH access to your server.
To use the tool, specify the remote host you want to connect to and the user account you have password-based SSH access to. This is the account to which your SSH public key will be copied.
For this we use the following command:
ssh-copy-id username@remote_host
The following message is output:
The authenticity of host '130.5.7.121 (130.5.7.121)' can't be established.
ECDSA key fingerprint is ea:ad:e4:A7:77:ff:13:24:e2:25:00:da:6e:d1:12:ae.
Are you sure you want to continue connecting (yes/no)? yes
This means that your local computer does not recognize the remote host. This is the case when you connect to a new host for the first time. Type “yes” and press ENTER to continue.
Next, the utility will search your local account for the id_rsa.pub key we created earlier. If it finds the key, you will be prompted to enter the password for the remote user’s account:
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@130.5.7.121's password:
Type the password (your input will not be displayed for security reasons) and press ENTER. The utility connects to the account on the remote host using the password you specified. It then appends the contents of your local ~/.ssh/id_rsa.pub key to the ~/.ssh/authorized_keys file in the remote account's home directory.
You should see the following output:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'username@130.5.7.121'"
and check to make sure that only the key(s) you wanted were added.
Now your id_rsa.pub key has been uploaded to the remote account. You can now proceed to step 3.
Copying the public key with SSH
If the ssh-copy-id command is not available but you have password-based SSH access to an account on your server, you can upload your keys using a traditional SSH method.
To do this, we use the cat command to read the contents of the SSH public key on our local computer and pipe it to the remote server over an SSH connection.
On the remote side, we make sure that the ~/.ssh directory exists under the account we are using and has the correct permissions.
Then we append the transferred content to a file called authorized_keys inside that directory. We use the >> redirect operator to append rather than overwrite, so that previously added keys are preserved.
The complete command looks like this:
cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"
You may see the following prompt:
The authenticity of host '130.5.7.121 (130.5.7.121)' can't be established.
ECDSA key fingerprint is ea:ad:e4:A7:77:ff:13:24:e2:25:00:da:6e:d1:12:ae.
Are you sure you want to continue connecting (yes/no)? yes
This means that your local computer does not recognize the remote host. This is the case when you connect to a new host for the first time. Type “yes” and press ENTER to continue.
You should then be prompted to enter the password for the remote user account:
username@130.5.7.121's password:
After you enter your password, the contents of your id_rsa.pub key are appended to the authorized_keys file of the remote user account. If this was successful, proceed to step 3.
Manual copying of the public key
If you do not have password-based SSH access to your server, you will need to perform the above process manually: append the contents of your id_rsa.pub file to the ~/.ssh/authorized_keys file on the remote machine yourself.
To view the contents of your id_rsa.pub key, type the following on your local computer:
cat ~/.ssh/id_rsa.pub
You will see the contents of the key, which should look something like this:
ssh-rsa AAAA… demo@host
Now access your remote host using the method available to you.
Once you have access to your account on the remote server, you should make sure that the ~/.ssh directory exists. This command creates the directory if necessary, or does nothing if it already exists:
mkdir -p ~/.ssh
Now you can create or modify the authorized_keys file in this directory. This command allows you to append the contents of your id_rsa.pub file to the end of the authorized_keys file and create it if necessary:
echo "public-key" >> ~/.ssh/authorized_keys
Replace public-key in the above command with the output of the cat ~/.ssh/id_rsa.pub command you ran on your local system. It should start with ssh-rsa AAAA… and must be kept on a single line.
Finally, we make sure that the ~/.ssh directory and the authorized_keys file have the appropriate permissions:
chmod -R go= ~/.ssh
This will recursively remove all “Group” and “Other” permissions for the ~/.ssh/ directory.
If you use the root account to set up keys for a user account, it is also important that the ~/.ssh directory is owned by the user and not root:
chown -R username:username ~/.ssh
In this example, our user is called username. You should replace the corresponding user name in the above command.
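The one-line SSH method and the manual method above both do the same three things: create ~/.ssh, append the key, and strip group/other permissions. The following POSIX shell function is an added example (not part of the original guide) that performs those steps in a way that is safe to re-run: it refuses malformed key lines, does not add a key that is already present (compared on type and blob, so a changed comment does not create a duplicate), and sets the directory to 700 and the file to 600, which is the explicit form of the guide's chmod -R go=. The key in the demo is a constructed placeholder, not a real key, and the function names are this example's own.

```sh
#!/bin/sh
# Added example: idempotent, permission-safe installation of a public key into
# a user's ~/.ssh/authorized_keys. Assumes POSIX sh and standard coreutils.
# Usage: install_authorized_key "<public-key-line>" [home-dir]

# Accept only key types OpenSSH recognises, followed by a base64 blob and an
# optional comment.
valid_pubkey() {
    printf '%s\n' "$1" | grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

install_authorized_key() {
    key="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    if ! valid_pubkey "$key"; then
        echo "refusing to install malformed public key" >&2
        return 2
    fi

    # umask 077 makes the directory and file private from the moment they are
    # created, before the explicit chmod below.
    (
        umask 077
        mkdir -p "$sshdir" || exit 1
        [ -f "$authfile" ] || : > "$authfile"
    ) || return 1

    # Compare on "type blob" only, so the same key with a different comment is
    # still recognised as already installed.
    keyid=$(printf '%s' "$key" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$authfile" | grep -qxF "$keyid"; then
        echo "key already present, nothing to do" >&2
    else
        printf '%s\n' "$key" >> "$authfile"
    fi

    # Same effect as the guide's "chmod -R go= ~/.ssh", stated explicitly.
    chmod 700 "$sshdir" && chmod 600 "$authfile"
}

# Count key lines in authorized_keys; used to show the function is idempotent.
count_authorized_keys() {
    authfile="${1:-$HOME}/.ssh/authorized_keys"
    [ -f "$authfile" ] || { echo 0; return; }
    grep -Ec '^(ssh-|ecdsa-|sk-)' "$authfile"
}

# Demo on a throwaway home directory with a constructed (not real) key.
demo_home=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoBlob0000000000000000000000000 demo@host'
install_authorized_key "$demo_key" "$demo_home"
install_authorized_key "$demo_key" "$demo_home"   # second call is a no-op
echo "keys installed: $(count_authorized_keys "$demo_home")"
rm -rf "$demo_home"
```

When setting up keys for another user as root, run the same function with that user's home directory as the second argument and follow it with the chown shown above, since root-owned ~/.ssh is rejected by sshd's StrictModes check.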
We can now try passwordless authentication with our Ubuntu server.
Step 3 – Authenticate with your Ubuntu server using SSH keys
If you successfully complete one of the methods, you should be able to log in to the remote host without providing the remote account password.
The basic process is the same:
ssh username@remote_host
The first time you connect to this host (for example, if you used the last method above), you may see something like the following:
The authenticity of host '130.5.7.121 (130.5.7.121)' can't be established.
ECDSA key fingerprint is ea:ad:e4:A7:77:ff:13:24:e2:25:00:da:6e:d1:12:ae.
Are you sure you want to continue connecting (yes/no)? yes
This means that your local computer does not recognize the remote host. Type “yes” and press ENTER to continue.
If you have not specified a passphrase for your private key, you will be logged in immediately. If you specified a passphrase for the private key when you created the key, you will now be prompted to enter it (note that your keystrokes will not be displayed in the terminal session for security reasons). After authentication, a new shell session should open for you with the configured account on the Ubuntu server.
If key-based authentication was successful, continue to learn how to further secure your system by disabling password authentication.
Step 4 – Disable password authentication on your server
If you were able to log in to your account using SSH without a password, you have successfully configured SSH key-based authentication for your account. However, your password-based authentication mechanism is still active, which means that your server is still vulnerable to brute force attacks.
Before you perform the steps in this section, make sure that you have either configured SSH key-based authentication for the root account on this server or, preferably, that you have configured SSH key-based authentication for a non-root account on this server with sudo privileges. This step locks password-based logins, so it’s important to make sure that you can still gain administrative access.
Once you have verified that your remote account has administrative privileges, log in to your remote server with SSH keys, either as root or with an account that has sudo privileges. Then open the configuration file of the SSH service:
sudo nano /etc/ssh/sshd_config
Look in the file for a directive called PasswordAuthentication. This line may be commented out with a # at the beginning of the line. Uncomment the line by removing the # and set the value to no. This disables the ability to log in over SSH with account passwords:
. . .
PasswordAuthentication no
. . .
Save and close the file when you are done by pressing CTRL+X, then Y to confirm saving the file, and finally ENTER to exit nano. To apply these changes, restart the SSH service (on Ubuntu the systemd unit is named ssh):
sudo systemctl restart ssh
As a precaution, open a new terminal window and test if the SSH service is working correctly before closing your current session:
ssh username@remote_host
Once you have verified that your SSH service is working properly, you can safely close all running server sessions.
The SSH service on your Ubuntu server now responds only to authentication with SSH keys. Password-based logins have been disabled.
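A practitioner's check on this step: sshd uses the first value it reads for each keyword, and Ubuntu 22.04's sshd_config begins with Include /etc/ssh/sshd_config.d/*.conf, so a drop-in file in that directory (cloud images ship 50-cloud-init.conf containing PasswordAuthentication yes) silently wins over the edit made further down in the main file. The shell functions below are an added example, not part of the original guide: they flatten a config file with its Include files in the order sshd reads them and report the first value of a keyword, which is the same resolution rule sshd applies. The config tree in the demo is constructed in a temporary directory to mirror that Ubuntu layout; the function names are this example's own, and Match blocks are deliberately out of scope (parsing stops at the first Match line).

```sh
#!/bin/sh
# Added example: resolve the value sshd will actually use for an option,
# honouring "first obtained value wins" and the Include directive.
# Assumes POSIX sh with awk and sed. Match blocks are not handled.

# Print "keyword value" lines from one file, descending into Include globs at
# the position where they appear, files in sorted name order.
flatten_sshd_config() {
    file="$1"
    [ -r "$file" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        # drop comments and surrounding whitespace
        line=$(printf '%s' "$line" | sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
        [ -z "$line" ] && continue
        kw=$(printf '%s' "$line" | awk '{print tolower($1)}')
        val=$(printf '%s' "$line" | awk '{print $2}')
        case "$kw" in
            match) break ;;                     # per-connection overrides: out of scope
            include)
                # unquoted expansion performs the glob; results are sorted
                for inc in $val; do
                    [ -f "$inc" ] && flatten_sshd_config "$inc"
                done ;;
            *) printf '%s %s\n' "$kw" "$val" ;;
        esac
    done < "$file"
}

# Print the first value seen for $1 in config $2, or the default $3 if the
# keyword never appears (sshd's own rule: the first obtained value wins).
effective_sshd_option() {
    opt=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    found=$(flatten_sshd_config "$2" | awk -v k="$opt" '$1 == k {print $2; exit}')
    printf '%s\n' "${found:-$3}"
}

# Constructed config tree mirroring Ubuntu 22.04: the Include line precedes the
# administrator's own PasswordAuthentication no, and a cloud-init drop-in
# re-enables passwords.
build_demo_tree() {
    root="$1"
    mkdir -p "$root/sshd_config.d"
    cat > "$root/sshd_config" <<EOF
Include $root/sshd_config.d/*.conf
# ... other directives ...
PasswordAuthentication no
EOF
    printf 'PasswordAuthentication yes\n' > "$root/sshd_config.d/50-cloud-init.conf"
}

demo_root=$(mktemp -d)
build_demo_tree "$demo_root"
echo "before fixing the drop-in: $(effective_sshd_option PasswordAuthentication "$demo_root/sshd_config" yes)"
# The fix: set the drop-in to no as well (or remove it), then re-check.
printf 'PasswordAuthentication no\n' > "$demo_root/sshd_config.d/50-cloud-init.conf"
echo "after fixing the drop-in:  $(effective_sshd_option PasswordAuthentication "$demo_root/sshd_config" yes)"
rm -rf "$demo_root"
```

On the real server the authoritative version of this check is sudo sshd -T | grep -iE 'passwordauthentication|kbdinteractiveauthentication', which prints the effective configuration after all includes; both should read no, since keyboard-interactive authentication through PAM can still prompt for a password when only PasswordAuthentication is disabled. Before closing your existing session, confirm from a second terminal that key-only login works with ssh -o PasswordAuthentication=no -o BatchMode=yes username@remote_host true.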
Conclusion
You should now have SSH key-based authentication configured on your server so that you can log in without providing an account password.