Set Up SSH Keys on Ubuntu 20.04
Secure Shell (SSH) is a network protocol that creates an encrypted connection between a client and a server. Using SSH, you can log in to a server with public-key authentication, where the private key never leaves the client.
We cover how to set up SSH keys on Ubuntu 20.04.
Steps to Set Up SSH Keys on Ubuntu 20.04
1. Create the Key Pair
We first create a key pair on the client machine, that is, the computer you will connect from. Use the following command -
ssh-keygen
Recent versions of ssh-keygen create a 3072-bit RSA key pair by default. You can pass the -b 4096 flag to create a larger 4096-bit key. OpenSSH on Ubuntu 20.04 also supports -t ed25519, which creates a smaller Ed25519 key; the rest of this guide assumes the default RSA key and its id_rsa file name.
You will see output like the following after running the command:
Output
Generating public/private rsa key pair.
Enter file in which to save the key (/your_home/.ssh/id_rsa):
To save the key pair into the .ssh/ subdirectory in your home directory, press enter. You can also specify an alternate path.
If you have previously generated an SSH key pair, you may see the following prompt:
Output
/home/your_home/.ssh/id_rsa already exists.
Overwrite (y/n)?
If you overwrite the key on disk, you will no longer be able to authenticate with the previous key anywhere it was installed. Be cautious about answering yes, as the change cannot be reversed.
The following prompt will be displayed:
Output
Enter passphrase (empty for no passphrase):
You can enter an optional passphrase, which is recommended. The passphrase encrypts the private key file on disk, so someone who copies the file (from a stolen laptop or a backup) still cannot use it to log in without the passphrase.
The output is shown below -
Your identification has been saved in /your_home/.ssh/id_rsa
Your public key has been saved in /your_home/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:/hk7MJ5n5aiqdfTVUZr+2Qt+qCiS7BIm5Iv0dxrc3ks user@host
The key's randomart image is:
+---[RSA 3072]----+
| .|
| + |
| + |
| . o . |
|o S . o |
| + o. .oo. .. .o|
|o = oooooEo+ ...o|
|.. o *o+=.*+o....|
| =+=ooB=o.... |
+----[SHA256]-----+
You can now use the key pair to authenticate. The private key stays on the client; the public key is added to your server for SSH-key-based login, as shown in the next steps.
2. Copy the Public Key to the Ubuntu Server
We will copy the public key to the Ubuntu host using a utility called ssh-copy-id.
If you do not have ssh-copy-id on the client machine, use one of the alternate methods shown below -
- Copy via password-based SSH
- Manually copy the key
Copy the Public Key Using ssh-copy-id
The ssh-copy-id tool is included in many operating systems by default. You should already have password-based SSH access to your server.
To use the utility, specify the remote host you want to connect to and the user account that you have password-based SSH access to. Your public SSH key will be copied into that account.
The syntax is shown below -
ssh-copy-id username@remote_host
You will see the following output:
Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
This message shows that your local computer does not yet recognize the remote host, which is expected the first time you connect to it. Answering yes stores the host key in ~/.ssh/known_hosts and trusts it from then on, so if you can obtain the server's host key fingerprint out of band (for example from the provider console), compare it with the one shown before you continue. Type in yes and then press ENTER to continue.
The utility will scan the local account for the id_rsa.pub key created earlier. When it finds the key, you will get a prompt for the password of the remote user's account:
Output
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@203.0.113.1's password:
Type in the password and press ENTER. The utility connects to the account on the remote host using the password and appends the contents of your ~/.ssh/id_rsa.pub key to a file called authorized_keys in the remote account's ~/.ssh directory.
The following message will be displayed:
Output
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'username@203.0.113.1'"
and check to ensure that only the key(s) you wanted were added.
Now the id_rsa.pub key has been uploaded to the remote account. You can move on to the next steps.
Copy the Public Key Using SSH
If you have password-based SSH access to an account on your server, upload your keys with the SSH method.
Use the cat command to read the contents of the public SSH key on your local computer, and pipe it through an SSH connection to the remote server.
Ensure that the ~/.ssh directory exists on the other side and has the correct permissions.
Write the content into a file called authorized_keys within this directory. Use the >> redirect symbol to append the content instead of overwriting it, so that keys already in the file are kept.
The full command is shown below:
cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"
You may see the following output:
Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
The local computer does not recognize the remote host. This happens the first time you connect to a new host. Type yes and press ENTER to continue.
You will be prompted to enter the remote user account password:
Output
username@203.0.113.1's password:
After entering your password, the content of the id_rsa.pub key will be appended to the end of the authorized_keys file. If that succeeded, you can move on to the next step.
Manually Copy the Public Key
If you do not have password-based SSH access to your server, you can complete the process manually.
Append the content of your id_rsa.pub file to the ~/.ssh/authorized_keys file on your remote machine.
To display the content of the id_rsa.pub key, enter the following on your local computer -
cat ~/.ssh/id_rsa.pub
The key’s content will be displayed like this -
Output
ssh-rsa AAAA... demo@test
Once you have access to your account on the remote server, ensure that the ~/.ssh directory exists.
The following command will create the directory if required. Or it may do nothing if it already exists:
mkdir -p ~/.ssh
Create or modify the authorized_keys file within this directory and append the contents of the id_rsa.pub file to its end. Use the following command:
echo "public_key_string" >> ~/.ssh/authorized_keys
In the command shown above, replace public_key_string with the output of the cat ~/.ssh/id_rsa.pub command executed on your local system. It starts with ssh-rsa AAAA.... Keep the quotes and paste the key as a single line: authorized_keys holds one key per line.
Ensure that the ~/.ssh directory and authorized_keys file have the right permissions:
chmod -R go= ~/.ssh
The command removes all "group" and "other" permissions for the ~/.ssh/ directory and everything in it. This matters beyond hygiene: with the default StrictModes setting, sshd ignores an authorized_keys file or ~/.ssh directory that is writable by other users.
If you are using the root account to set up keys for another user, it is also important that the ~/.ssh directory belongs to that user and not to root. Note that ~ expands to root's own home directory in a root shell, so give the full path:
chown -R sammy:sammy /home/sammy/.ssh
Replace sammy with the appropriate username in the above command. You can now authenticate to the Ubuntu server with the key instead of the account password.
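The manual copy above (and the one-line pipe over SSH before it) is what ssh-copy-id automates, including the step its closing message asks you to check: that only the keys you wanted ended up in authorized_keys. The following script is an added example, not part of the original tutorial, that performs that append idempotently and applies the permissions from the chmod step. It assumes only POSIX shell tools, accepts only bare key lines as printed by ssh-keygen (no options prefix), and uses constructed key strings that are not real credentials:

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: do by hand what ssh-copy-id
# does, so a repeated run never duplicates a key and permissions end up right.
# Assumptions: POSIX tools only (awk, grep, chmod); the key line is a plain
# "type base64 comment" line as printed by ssh-keygen, without options prefix.
set -eu

# Accept only bare OpenSSH public-key lines of the types ssh-keygen produces.
is_valid_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=* ?.*$'
}

# add_authorized_key KEY_LINE SSH_DIR
#   Append KEY_LINE to SSH_DIR/authorized_keys unless the same key is already
#   there. Keys are compared on type and base64 body only, so a key whose
#   comment was changed is still recognised as the same key.
#   Returns 0 when added, 1 when already present, 2 when KEY_LINE is not a key.
add_authorized_key() {
    key_line=$1
    ssh_dir=$2
    auth_file="$ssh_dir/authorized_keys"

    is_valid_pubkey "$key_line" || return 2
    key_id=$(printf '%s\n' "$key_line" | awk '{ print $1 " " $2 }')

    mkdir -p "$ssh_dir"
    touch "$auth_file"
    if awk -v want="$key_id" '($1 " " $2) == want { found = 1 } END { exit !found }' "$auth_file"; then
        return 1
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    # Owner-only access, the same result as the tutorial's chmod -R go= ~/.ssh.
    # With StrictModes (the default) sshd ignores authorized_keys if the
    # directory or the file is writable by group or others.
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_file"
    return 0
}

# count_keys SSH_DIR: number of key lines (blank and comment lines excluded).
count_keys() {
    [ -f "$1/authorized_keys" ] || { echo 0; return 0; }
    grep -cEv '^[[:blank:]]*(#|$)' "$1/authorized_keys" || true
}

# Demo on a throwaway directory with a constructed key (not a real credential).
demo_dir=$(mktemp -d)
demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoKeyBodyNotARealKey00000000000000000000 demo@test'
add_authorized_key "$demo_key" "$demo_dir/.ssh" && echo "added"
add_authorized_key "$demo_key" "$demo_dir/.ssh" || echo "skipped, already present (rc=$?)"
echo "keys in authorized_keys: $(count_keys "$demo_dir/.ssh")"
rm -rf "$demo_dir"
```

Point SSH_DIR at the target account's real directory (for example /home/sammy/.ssh when run as root) to use it for a real key; the return codes let a provisioning script tell "added" from "already there" from "someone pasted something that is not a key".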
3. Authenticating to the Ubuntu Server Using SSH Keys
After completing the steps above, you can log into the remote host without the remote account’s password.
Enter the following command -
ssh username@remote_host
You may see the following output -
Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
It shows that the local computer does not recognize the remote host. Type in yes and then press ENTER to continue.
If you did not add a passphrase for the private key, you are logged in immediately. Otherwise, you will be prompted to enter the passphrase that you had previously created. After authenticating, a new shell session will open with the configured account on the Ubuntu server.
After the key-based authentication, you can secure the system by disabling the password authentication.
4. Disable Password Authentication
Password-based authentication is still active, so the server remains exposed to password brute-force attacks. Before continuing, ensure that SSH-key-based authentication works for a non-root account with sudo privileges on the server.
This step locks out password-based logins, so if the key login were broken you would lose administrative access.
If you have administrative privileges, log in to the remote server with SSH keys. You can do it as root or with an account with sudo privileges.
Open the SSH daemon’s configuration file -
sudo nano /etc/ssh/sshd_config
Look for a directive called PasswordAuthentication. In the stock file it is commented out with a # at the beginning of the line. Uncomment the line by removing the #, and set the value to no. This disables logging in via SSH with account passwords. sshd uses the first active occurrence of a directive, so if the file contains an Include line, check the included files as well, since a value set there takes precedence over one set later in this file:
/etc/ssh/sshd_config
. . .
PasswordAuthentication no
. . .
Save and close the file by pressing CTRL+X. Press Y to confirm saving the file, and then press ENTER to exit nano. Validate the file before restarting (sudo sshd -t prints nothing when the syntax is correct; a broken file stops sshd from starting and can lock you out), then restart the ssh service to activate the changes:
sudo systemctl restart ssh
Open a new terminal window and test that the SSH service is working well before closing the current session:
ssh username@remote_host
After confirming that the SSH service is working, you can close all current server sessions. The SSH daemon on the Ubuntu server now accepts SSH-key-based authentication only, and password-based logins have been disabled successfully.
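The sshd_config edit in this step is done by hand above. Because sshd treats keywords case-insensitively and uses the first active occurrence of a directive, a second PasswordAuthentication line further down, or one inside a Match block, is silently ignored, so it is worth checking what the daemon will actually read. The following script is an added example, not part of the original tutorial; its sshd_get and sshd_set functions are this example's own (not OpenSSH tools), it does not expand Include lines, and it runs its demo on a constructed fragment rather than the real /etc/ssh/sshd_config:

```shell
#!/usr/bin/env bash
# Added example, not from the original tutorial: change an sshd_config
# directive idempotently and read back the value sshd would use, instead of
# editing by hand and hoping the first matching line is the one you changed.
# Assumptions: plain sshd_config syntax; Include lines are not expanded;
# everything after a Match line is conditional and is left untouched.
set -eu

# sshd_get FILE KEYWORD
#   Print the global value sshd would use for KEYWORD: keywords are
#   case-insensitive, the first active occurrence wins, and anything below a
#   Match line only applies conditionally. Prints nothing when the directive
#   is absent (sshd then uses its built-in default).
sshd_get() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"   { exit }
        tolower($1) == key       { print $2; exit }
    ' "$1"
}

# sshd_set FILE KEYWORD VALUE
#   Rewrite FILE so that exactly one active global "KEYWORD VALUE" line
#   remains: the first active line, or failing that the first commented-out
#   "#KEYWORD ..." line, is replaced in place (the directive stays where the
#   distribution put it); later active duplicates are dropped; if neither
#   exists the directive is inserted above the first Match block, or appended
#   when there is none (appending blindly would land it inside a Match block).
sshd_set() {
    file=$1; kw=$2; value=$3
    tmp=$(mktemp)
    awk -v key="$(printf '%s' "$kw" | tr 'A-Z' 'a-z')" -v kw="$kw" -v val="$value" '
        function is_match()  { return $0 !~ /^[ \t]*#/ && tolower($1) == "match" }
        function is_active() { return $0 !~ /^[ \t]*#/ && tolower($1) == key }
        function is_commented(   line, f) {
            if ($0 !~ /^[ \t]*#/) return 0
            line = $0
            sub(/^[ \t]*#[ \t]*/, "", line)
            split(line, f, "[ \t]+")
            return tolower(f[1]) == key
        }
        is_match()              { if (!done) { print kw " " val; done = 1 }; in_match = 1 }
        in_match                { print; next }
        is_active()             { if (!done) { print kw " " val; done = 1 }; next }
        is_commented() && !done { print kw " " val; done = 1; next }
                                { print }
        END                     { if (!done) print kw " " val }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write through: keeps the original inode, owner and mode
    rm -f "$tmp"
}

# Demo on a constructed fragment that mimics the stock file; real edits target
# /etc/ssh/sshd_config, need root, and should be followed by sshd -t and a restart.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
# constructed sshd_config fragment for the demo
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
echo "before: PasswordAuthentication='$(sshd_get "$cfg" PasswordAuthentication)' (empty = sshd default, which is yes)"
sshd_set "$cfg" PasswordAuthentication no
sshd_set "$cfg" PubkeyAuthentication yes
echo "after:  PasswordAuthentication='$(sshd_get "$cfg" PasswordAuthentication)'"
cat "$cfg"
rm -f "$cfg"
```

Run the two functions against /etc/ssh/sshd_config from a root shell, then validate with sudo sshd -t and confirm the effective value with sudo sshd -T | grep -i passwordauthentication, which reflects Include files as well, before sudo systemctl restart ssh.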
Summary
An SSH connection ensures that commands typed in the terminal are sent to the remote server over an encrypted channel. With SSH, you can run commands on remote machines, create tunnels, forward ports, and more. It supports authentication mechanisms such as passwords and public keys.
We looked at how to add SSH keys on Ubuntu 20.04. If you’d like to learn more about working with SSH, check out CloudPanel tutorials.