This tutorial describes the process of setting up SSH Keys for use when logging in to a remote server via SSH.
SSH, OpenSSH, or a compatible SSH server are required for this tutorial. Windows users will want to download PuTTY to use SSH sessions inside of the Windows OS.
Please note that this guide will show you how to set up SSH keys in just one particular way. There are several options that can be changed. Depending on how you use SSH you may or may not choose to take advantage of these options. For more information, search Google for “SSH Keys” and you will find many guides describing many methods.
This tutorial assumes that you already have a .ssh directory in your user directory (example: /home/myuser/.ssh/) If you do not have a .ssh directory you will need to use normal user/password authentication (example: ssh user@server.domainname.com) to connect to a server for the first time. This will create a .ssh directory with the correct permissions.
Step 1: Creating Your Personal Key
Open a terminal/shell and run the following command:
ssh-keygen -t rsa
You will be asked where you would like to save the key. The default setting is normally acceptable (just press enter to accept the default), but if you are setting up a key as a root user you may want to store your key in a different location.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
You will be prompted to enter a passphrase. If you choose to use a passphrase you will need to type it in every time you use the key to connect to a server (spaces are ok to use, so your passphrase can be an entire sentence if it makes it easier for you to use it). You can choose not to use a passphrase but this is generally considered less secure.
Example: You have a laptop and are creating a SSH key to connect to your server. If you create the key without a passphrase, and your laptop is stolen, the thief could connect to your server without needing anything else. If your key has a passphrase nobody can use your key without knowing the passphrase. If you are comfortable with a little more risk then you may choose to create your key without a passphrase.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
bf:7b:63:a8:91:29:76:2b:03:ac:21:8c:91:4a:fa:11 username@server.domain.com
Note that you can change your passphrase at any time using the command:
sshkeygen -p
Step 2: Copying Your Personal Key To The Server
Before we copy your new public key to your server we will add it to the local authorized_keys file.
cd ~/.ssh
cp id_rsa.pub authorized_keys
If the authorized_keys file already exists on your local machine you will need to open the file with your favorite text editor and add the key by hand.
Now we will copy your public key to the server. In a typical server every user on the server has their own .ssh directory and their own authorized_keys file. Assuming that your user accounts are located in /home you will need to determine what user you want to login as before you copy your public key. The root user is slightly different. In most servers the root user’s ssh files are stored in /root/.ssh/.
For example, say I have created a key for my local user on my laptop, but I want to use that key to connect as root using SSH. I would have to copy my new public key to the root user’s ssh directory on the server.
cd ~/.ssh
scp authorized_keys root@host.servername.com:/root/.ssh/
Just like with your local copy, if the authorized_keys file already exists on the server you will need to add the new key to the file by hand.
Step 3: Logging In With Your New Key
Now that your new key has been copied to the server you can start using it for SSH logins. If your user name is the same on your local machine and on your server, you can connect simply with:
ssh host.servername.com
If your local user name and server user name are different, you can specify the user to login as using the command:
ssh user@host.servername.com
In the previous example I copied my key so that I could log in to my server as root. Now that the key is in place on the server, running the command ssh root@host.servername.com will result in different behavior. If you chose to use a passphrase with your key you will be asked for your passphrase and then you will be logged in to the server. If you did not use a passphrase you will immediately be logged in to the server after you enter the ssh command.
Congratulations! You have successfully set up a SSH key.
Step 4: More Advanced Configurations
Passphrase-less Logins While Still Having a Passphrase
Earlier in this article we covered passphrases and some of the advantages and disadvantages to using them in your key. It is possible to use your key in such a way that you are not prompted to type it in your passphrase every time you connect to a remote server.
Your key can be loaded into the memory of your local computer, so you will only have to type in your passphrase one time and every subsequent ssh session will automatically attempt to login.
On your local computer terminal/shell, type in the command ssh-add. You will be prompted for your passphrase and after that you should receive a confirmation that the identity has been added.
Now you can use your key several times without having to type in your passphrase every time.
Specifying User Names for Hosts
In your .ssh directory on your local computer you can specify what user name you want to use with different servers by creating a config file.
Here is an example of a typical config file entry for specifying a user name:
Host *domain.com
User root
This entry would cause ssh to always use the user root when connecting to the domain.com server, or any subdomain of domain.com.
