Set Up SSH Keys on Ubuntu 20.04

Set Up SSH Keys on Ubuntu 20.04

Secure Shell (SSH) is a network protocol that creates a secure connection between a client and a server. Using SSH, you can safely log in to a server with private and public key-based authentication.

We cover how to set up SSH keys on Ubuntu 20.04.

Steps to Creating SSH Keys on Ubuntu 20.04

1. Create the Key Pair

To create a new SSH key on Linux, run the following command on the client machine: ssh-keygen. This will generate a key pair that consists of a public and a private key. Use the following command -

ssh-keygen

To create an SSH key on Linux, use ssh-keygen. This will generate an RSA key pair that is 3072-bit long by default. You can also pass in the -b 4096 flag to create a larger 4096-bit key.

You can see the following output after adding the command:

Output
Generating public/private rsa key pair.
Enter file in which to save the key (/your_home/.ssh/id_rsa):

To save the key pair into the .ssh/ subdirectory in your home directory, press enter. You can also specify an alternate path.

SSH public key authentication is a secure way to log in to a remote server using an existing key pair. If you have generated an SSH key pair before, you may see the following prompt:

Output
/home/your_home/.ssh/id_rsa already exists.
Overwrite (y/n)?

You will not be able to authenticate using the previous key if you overwrite the key on the disk. Be cautious about selecting yes, as the changes cannot be reversed.

The following prompt will be displayed:

Output
Enter passphrase (empty for no passphrase):

You can enter an optional secure passphrase, which is recommended. It prevents unauthorized users from logging in and adds another layer of security.

The output is shown below -

Your identification has been saved in /your_home/.ssh/id_rsa
Your public key has been saved in /your_home/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:/hk7MJ5n5aiqdfTVUZr+2Qt+qCiS7BIm5Iv0dxrc3ks user@host
The key's randomart image is:
+---[RSA 3072]----+
|                .|
|               + |
|              +  |
| .           o . |
|o       S   . o  |
| + o. .oo. ..  .o|
|o = oooooEo+ ...o|
|.. o *o+=.*+o....|
|    =+=ooB=o.... |
+----[SHA256]-----+

Public key authentication is a secure method of logging in to a remote server using an SSH key pair. You can use the public key on the server to authenticate with the private key on the client machine. Add the private key on your server for SSH-key-based authentication to log in, as shown in the next steps.

2. Copy the Public Key to the Ubuntu Server

We will copy the public key to the Ubuntu host using a utility called ssh-copy-id.

If you do not have ssh-copy-id on the client machine, use the alternate methods shown below-

  • Copy via password-based SSH
  • Manually copy the key

Copying the Public Key Using ssh-copy-id

The ssh-copy-id tool is added in many operating systems by default. You should already have password-based SSH access to your server.

To use the utility, specify the remote host you want to connect to. Also, specify the user account that you have password-based SSH access to. It is the account on which your public SSH key will be copied.

The syntax is shown below -

ssh-copy-id username@remote_host

You will see the following output:

Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

It shows that your local computer does not recognize the remote host. As it is the first time you connect to a new host. Type in yes and then press ENTER to continue.

The utility will scan the local account for the id_rsa.pub key created earlier. When it finds the key, you will get a prompt for the password of the remote user’s account:

Output
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@203.0.113.1's password:

Type in the password and press ENTER. The utility will connect to the account on the remote host using the password. It will then copy the contents of the ~/.ssh/id_rsa.pub key into a file. It will be located in the remote account’s home ~/.ssh directory called authorized_keys.

The following message will be displayed:

Output
Number of key(s) added: 1
Now try logging into the machine, with:   "ssh 'username@203.0.113.1'"
and check to ensure that only the key(s) you wanted were added.

Now the id_rsa.pub key has been uploaded to the remote account. You can move on to the next steps.

Copy the Public Key Using SSH

If you have password-based SSH access to an account on your server, upload your keys with the SSH method.

Use the cat command to read the contents of the public SSH key on our local computer. You can then pipe it through an SSH connection to the remote server. Ensure that the ~/.ssh directory exists on the other side and has the correct account permissions.

Output the content into a file called authorized_keys within this directory. You can use the >> redirect symbol to append the content instead of overwriting it. It allows you to add keys without removing the previously added keys.

The full command is shown below:

cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"

You may see the following output:

Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

The local computer does not recognize the remote host. It will happen the first time you connect to a new host. Type yes and press ENTER to continue.

You will be prompted to enter the remote user account password:

Output
username@203.0.113.1's password:

After adding your password, the content of the id_rsa.pub key will be copied to the end of the authorized_keys file. You can move to the next step if you have done it correctly.

Manually Copy the Public Key

If you do not have password-based SSH access to your server, you can complete the process manually.

Append the content of your id_rsa.pub file to the ~/.ssh/authorized_keys file on your remote machine.

To display the content of the id_rsa.pub key, enter the following into your local computer -

cat ~/.ssh/id_rsa.pub

The key’s content will be displayed like this -

Output
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9UVKzT8JUmwW6NNzSgxUfQHGwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70bRly57Q06J+ZJoc9FfBCbCyYH7U/ASsmY095ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ== demo@test

Ensure that the ~/.ssh directory exists once you have access to your account on the remote server.

The following command will create the directory if required. Or it may do nothing if it already exists:

mkdir -p ~/.ssh

Create or modify the authorized_keys file within this directory. Enter the contents of the id_rsa.pub file at the end of the authorized_keys file. Use the following command:

echo public_key_string >> ~/.ssh/authorized_keys

In the command shown above, add the public_key_string with the output from the cat ~/.ssh/id_rsa.pub command executed on your local system. It starts with ssh-rsa AAAA....

Ensure that the ~/.ssh directory and authorized_keys file have the right permissions:

chmod -R go= ~/.ssh

The command removes all “group” and “other” permissions for the ~/.ssh/ directory.

Using the root account to set up keys, it’s also important that the ~/.ssh directory belongs to the user and not to root:

chown -R sammy:sammy ~/.ssh

Add the appropriate username in the above command. You can now execute passwordless authentication with the Ubuntu server.

3. Authenticating to the Ubuntu Server Using SSH Keys

To enable SSH on Ubuntu, use the following command: sudo systemctl enable ssh. This will ensure that the SSH daemon is started automatically when the system boots up.

Enter the following command -

ssh username@remote_host

You may see the following output -

Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

It shows the local computer does not recognize the remote host. Type in yes and then press ENTER to continue.

If you did not add a passphrase for the private key, you are logged in immediately. Otherwise, you will be prompted to enter the passphrase that you had previously created. After authenticating, a new shell session will open with the configured account on the Ubuntu server.

After the key-based authentication, you can secure the system by disabling the password authentication.

4. Disable Password Authentication

The password-based authentication is still active, and the server may be at risk of brute force attacks. Ensure that you have SSH-key-based authentication configured for a non-root account on the server with sudo privileges.

The step will lock down the password-based logins, so it is essential to have administrative access.

If you have administrative privileges, log in to the remote server with SSH keys. You can do it as root or with an account with sudo privileges.

Open the SSH daemon’s configuration file -

sudo nano /etc/ssh/sshd_config

Look for a directive called PasswordAuthentication. It is commented with a # at the beginning of the line. Now uncomment the line by removing the #, and set the value to no. It will disable the ability to log in via SSH using account passwords:

/etc/ssh/sshd_config
. . .
PasswordAuthentication no
. . .

Save and close the file by pressing CTRL+X. Press Y to confirm saving the file, and then press ENTER to exit nano. Restart the sshd service to activate the changes:

sudo systemctl restart ssh

Open a new terminal window and test that the SSH service is working well before closing the current session:

ssh username@remote_host

After confirming that the SSH service is working, you can close all current server sessions. The SSH daemon on the Ubuntu server now responds to SSH-key-based authentication, and the password-based logins have been disabled successfully.

Understanding SSH Keys: Setting Up, Adding, and Using Public and Private Keys

What is Secure Shell (SSH)?

Secure Shell (SSH) is a widely used network protocol for establishing secure shell access between computers.

Why is setting up an SSH key important?

Setting up an SSH key is crucial for establishing a secure connection between a client and a server.

How can I set up an SSH server on Ubuntu?

To set up an SSH server on Ubuntu, users must install the SSH server software by running the command "sudo apt install openssh-server." After installation, authorized SSH keys can be added by copying the public key file to the user's home directory ".ssh/authorized_keys" file.

How do I add an SSH key to Bitbucket on Ubuntu?

To add an SSH key to Bitbucket on Ubuntu, users must generate a public and private key pair and add the public key file to their account settings.

How can I enable SSH key login?

To enable SSH key login, users need to ensure that the "PubkeyAuthentication" option is set to "yes" in the SSH server's configuration file. This file can typically be found at "/etc/ssh/sshd_config."

How can I use SSH keys?

To use SSH keys, users must install an SSH client on their local machine with the command "sudo apt install openssh-client." Once installed, the SSH agent can be used to manage SSH keys and provide secure shell access to remote servers.

What are the default public and private key file names?

By default, the public key file is named "id_rsa.pub," and the private key file is named "id_rsa." These files are typically stored in the user's home directory ".ssh" folder.

Summary

An SSH key is a secure and efficient way to authenticate and connect to a remote server, such as during an ubuntu server ssh setup. It ensures that commands typed in the terminal are sent securely via an encrypted channel. With SSH, you can run commands on remote machines, create tunnels, forward ports, etc. It supports authentication mechanisms such as password and public-key-based.

We looked at how to add SSH keys on Ubuntu 20.04, which involves steps like allowing SSH access (ubuntu allow ssh) and configuring the settings (ubuntu config ssh). To get your SSH key in Linux, you can use the command get my ssh key linux. If you encounter any issues related to host bits being set in Ubuntu (has host bits set ubuntu), it's essential to address them for a successful connection.

To generate an SSH key pair (how to gen ssh key), you can use tools like ssh-keygen. This process will also show you how to make a public key for authentication purposes. Once you've created your keys, setting up ssh key authentication becomes straightforward.

If you'd like to learn more about working with SSH and other related topics such as ubuntu server management or security configurations, check out CloudPanel tutorials. These resources provide valuable information on various aspects of managing servers and ensuring optimal performance while maintaining security best practices.

Nikita S.
Nikita S.
Technical Writer

As a professional content writer, Nikita S. is experienced in crafting well-researched articles that simplify complex information and promote technical communication. She is enthusiastic about cloud computing and holds a specialization in digital marketing.


Deploy CloudPanel For Free! Get Started For Free!