Step-by-step guide to setting up SSH keys on a Linux server


Would you like to learn to set up SSH keys on a Linux server or to use public key authentication? We have created this step-by-step guide about how to set up SSH keys on a Linux server to improve security when establishing a remote connection.

There are several ways to establish a secure remote connection to a server, depending on the operating system you use. On Linux, the most commonly used protocol is SSH. That is why, in this article, we want to focus on setting up SSH keys to further improve security when connecting to servers. Let’s start by briefly defining SSH.

The SSH protocol provides a secure method to access a private resource from a remote location, using a username and password. However, there is a problem with this system: an attacker who guesses or steals the password gains access to the information stored on the server. That is why it is important to use an additional authentication system: SSH keys. Unlike passwords, these keys are far too long and random to be guessed or brute-forced.

What is public key authentication?

Public key authentication is an alternative security mechanism to passwords, much harder to compromise and, as a consequence, more secure. This authentication method is recommended for accessing both cloud servers and bare-metal servers.

What are SSH keys?

SSH keys are generated as a key pair: a public key and a private key, each a long string of characters. The public key can be installed on any server, and access is unlocked when an SSH client connects using the matching private key. If the two keys match, the SSH server grants access without the need for a password. Nevertheless, to add an extra security layer, you can always protect the private key itself with a password (a passphrase).

In this article we are going to explain how to set up SSH authentication with ed25519 keys and RSA keys. Let’s briefly define both cryptosystems.

What is ed25519?

In public-key cryptography, ed25519 is an instance of the Edwards-curve Digital Signature Algorithm, a digital signature scheme using a variant of the Schnorr signature built on twisted Edwards curves. It is designed to be faster than existing digital signature schemes, without giving up security. The Edwards-curve Digital Signature Algorithm is also known as EdDSA.

What is RSA?

In public-key cryptography, the RSA cryptosystem is the most commonly used algorithm whose security rests on the difficulty of factoring large numbers into primes; it is used both for encryption and for digital signatures. RSA is the acronym for “Rivest, Shamir and Adleman”, the surnames of the algorithm’s creators: Ron Rivest, Adi Shamir and Leonard Adleman.

Setting up ed25519 keys authentication step by step

Now we are going to explain how to create SSH keys to access Linux virtual or bare-metal servers securely using an ed25519 key pair.

1º.- Create an ed25519 key pair

The first step is to create an ed25519 key pair in the client machine, which would generally be the computer you normally use. To do so, execute the following command in the console:

$ ssh-keygen -t ed25519

After executing this command, you should get the following output indicating that the public-private key pair creation is in progress:

Generating public/private ed25519 key pair.

2º.- Save the key

Once you have executed the command to create the keys, you will be asked to enter the path where you want to save the key:

Enter file in which to save the key (/home/demo/.ssh/id_ed25519):

Note: If you do not write anything and press “Enter”, the key will be saved in the path inside the parentheses.

3º.- Generate a password for the private key

After indicating the path where the key will be saved, the next step is to enter a password:

Enter passphrase (empty for no passphrase):

This step is optional. Therefore, if you do not wish to use a password, you can skip it (as indicated inside the parentheses in the console) by pressing “Enter”. However, it is recommended to create a password for the private key in order to add an extra security layer. This way, even if an attacker obtained the private key file, they could not use it without also guessing or cracking the password. Of course, it is always recommended to create secure passwords.

Once this step is completed, if everything has been done correctly, you should see the following output:

$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/demo/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/demo/.ssh/id_ed25519
Your public key has been saved in /home/demo/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:EGx5HEXz7EqKigIxHHWKpCZItSj1Dy9Dqc5cYae+1zc demo@xyz.local
The key's randomart image is:
+--[ED25519 256]--+
| o+o o.o.++      |
|=oo.+.+.o  +     |
|*+.oB.o.    o    |
|*. + B .   .     |
| o. = o S . .    |
|.+ o o . o .     |
|. + . ... .      |
|.  . o. . E      |
| .. o.   . .     |
+----[SHA256]-----+

  • The public key will be saved in: /home/demo/.ssh/id_ed25519.pub.
  • The private key will be saved in: /home/demo/.ssh/id_ed25519.
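The same three steps run non-interactively, as an added example that is not part of the original guide: it generates the ed25519 pair, checks that the private key file is readable only by its owner, and returns the SHA256 fingerprint you can compare against the one ssh-keygen printed. The key path, passphrase and comment used in the demo are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): steps 1-3 without prompts.
set -eu

# generate_ed25519_key <key path> <passphrase> [comment]
# An empty passphrase means no passphrase (works, but not recommended).
generate_ed25519_key() {
  key_path="$1"
  passphrase="$2"
  comment="${3:-$(whoami)@$(hostname)}"

  mkdir -p "$(dirname "$key_path")"
  chmod 700 "$(dirname "$key_path")"
  # -q: quiet, -N: passphrase for the private key, -C: comment kept in the .pub file
  ssh-keygen -q -t ed25519 -f "$key_path" -N "$passphrase" -C "$comment"

  # ssh refuses a private key that other users can read; confirm mode 600.
  mode="$(stat -c '%a' "$key_path" 2>/dev/null || stat -f '%Lp' "$key_path")"
  [ "$mode" = "600" ] || { echo "unexpected mode $mode on $key_path" >&2; return 1; }
}

# key_fingerprint <public key path>: prints "SHA256:..." as ssh-keygen shows it.
key_fingerprint() {
  ssh-keygen -l -E sha256 -f "$1" | awk '{print $2}'
}

# Demo: generate into a scratch directory and print the fingerprint.
if [ "${1:-}" = "demo" ]; then
  tmp="$(mktemp -d)"
  generate_ed25519_key "$tmp/id_ed25519" "correct horse battery staple" "demo@xyz.local"
  echo "fingerprint: $(key_fingerprint "$tmp/id_ed25519.pub")"
  rm -rf "$tmp"
fi
```

Run it as `sh script.sh demo`; in real use, pass your own path under ~/.ssh and a passphrase you have not reused elsewhere.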

4º.- Copy the public key

After having generated the keys, it is time to place the public key on the virtual server where you wish to use it. You can copy the public key into the “authorized_keys” file on the virtual server using the command “ssh-copy-id”. You need to indicate the machine’s IP address to correctly copy the public key, using the following command:

ssh-copy-id user@123.45.67.89

Once this step is completed, access the Linux server to check that everything has been set up correctly. When accessing the server, if you have set a password for the private key, the SSH client will ask you to enter it. If you have not, you will be able to access the server without entering any password, using only the SSH key pair.

5º.- Disable SSH logins for the root account

This last step is optional and is intended to further improve security. Once you have copied the SSH keys to the server and you have checked that you can access it, you can disable password logins over SSH, so that no account, the root account included, can be accessed with a password. This way the server can only be accessed using the SSH keys you have generated. To do so you have to open SSH’s configuration file:

$ sudo nano /etc/ssh/sshd_config

Within this file you will need to find the line "PasswordAuthentication" and modify it to make sure access is only allowed using the SSH keys:

PasswordAuthentication no

Note: If the line "PasswordAuthentication" does not exist, you have to write it yourself.

Finally, save and reload SSH to implement the changes:

$ sudo systemctl reload sshd

Once all these steps have been completed, your virtual machine will be more secure and you will only be able to access it using the SSH keys you have generated. Moreover, before closing the current SSH session, you should test the connection from a different terminal window to verify that it works correctly, so that a mistake does not lock you out of the server.

Setting up RSA keys authentication step by step

For older systems which do not support ed25519 keys, we are now going to explain how to create SSH keys using an RSA key pair, in order to access Linux virtual or bare-metal servers securely.

1º.- Create an RSA key pair

The first step is to create an RSA key pair in the client machine, which would generally be the computer you normally use. To do so, execute the following command in the console:

$ ssh-keygen -t rsa

2º.- Save the key

Once you have executed the command to create the keys, you will be asked to enter the path where you want to save the key:

Enter file in which to save the key (/home/demo/.ssh/id_rsa):

Note: If you do not write anything and press “Enter”, the key will be saved in the path inside the parentheses.

3º.- Generate a password for the private key

Once you have specified the path where the key will be saved, the next step is to enter a password:

Enter passphrase (empty for no passphrase):

If you do not want to use a password, you can skip this step (as indicated inside the parentheses in the console) by pressing “Enter”. However, it is recommended to use a password in order to add an extra security layer. This way, even if an attacker obtained the private key file, they could not use it without also guessing or cracking the password. The only disadvantage of creating a password is that you will need to type it every time you use the keys. Of course, it is always recommended to create secure passwords.

Once this step is completed, if everything has been done correctly, you should see the following output:

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/demo/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/demo/.ssh/id_rsa.
Your public key has been saved in /home/demo/.ssh/id_rsa.pub.
The key fingerprint is:
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 demo@xyz.local
The key's randomart image is:
+--[ RSA 2048]----+
|          .oo.   |
|         .  o.E  |
|        + .  o   |
|     . = = .     |
|      = S = .    |
|     o + = +     |
|      . o + o .  |
|           . o   |
|                 |
+-----------------+

  • The public key will be saved in: /home/demo/.ssh/id_rsa.pub.
  • The private key will be saved in: /home/demo/.ssh/id_rsa.

4º.- Copy the public key

After having generated the keys, it is time to place the public key on the virtual server where you wish to use it. You can copy the public key into the “authorized_keys” file on the virtual server using the command “ssh-copy-id”. You need to indicate the machine’s IP address to correctly copy the public key, using the following command:

ssh-copy-id user@123.45.67.89

Another alternative is pasting the key using SSH:

cat ~/.ssh/id_rsa.pub | ssh user@123.45.67.89 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Regardless of the command you use, you should get an output similar to this one:

The authenticity of host '12.34.56.78 (12.34.56.78)' can't be established.
RSA key fingerprint is b1:2d:33:67:ce:35:4d:5f:f3:a8:cd:c0:c4:48:86:12.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '12.34.56.78' (RSA) to the list of known hosts.
user@12.34.56.78's password:
Now try logging into the machine, with "ssh 'user@12.34.56.78'", and check in:
  ~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
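What ssh-copy-id and the "cat ... | ssh ..." one-liner do on the server side, written out as a function so you can see the checks involved; this is an added example for step 4 of both the ed25519 and RSA sections, not code from the original guide. It refuses malformed keys, never appends the same key twice, and applies the 700/600 permissions that sshd requires on ~/.ssh and authorized_keys. The key line and paths in the test are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original guide): manual equivalent of ssh-copy-id.
set -eu

# Returns 0 if the line looks like an OpenSSH public key of a type used in the guide.
is_valid_pubkey() {
  printf '%s\n' "$1" | grep -Eq '^(ssh-ed25519|ssh-rsa) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_authorized_key <public key line> <authorized_keys path>
# Prints "added" or "already present"; returns 1 on a malformed key.
install_authorized_key() {
  pubkey="$1"
  auth_file="$2"
  ssh_dir="$(dirname "$auth_file")"

  is_valid_pubkey "$pubkey" || { echo "refusing malformed key" >&2; return 1; }

  mkdir -p "$ssh_dir"
  touch "$auth_file"
  # With StrictModes (the default) sshd ignores authorized_keys when the
  # directory or file is group/world writable, so set the usual permissions.
  chmod 700 "$ssh_dir"
  chmod 600 "$auth_file"

  # Compare on key type + key material only (ignore the trailing comment),
  # so re-running the installer never duplicates a key.
  key_material="$(printf '%s\n' "$pubkey" | awk '{print $1" "$2}')"
  if awk '{print $1" "$2}' "$auth_file" | grep -Fqx "$key_material"; then
    echo "already present"
  else
    printf '%s\n' "$pubkey" >> "$auth_file"
    echo "added"
  fi
}
```

On a real server you would run this as the target user with the contents of your id_ed25519.pub or id_rsa.pub as the first argument and ~/.ssh/authorized_keys as the second.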

5º.- Disable SSH logins for the root account

This last step is optional and is intended to further improve security. Once you have copied the SSH keys to the server and you have checked that you can access it, you can disable password logins for the root account via SSH. This way the root account can only be accessed using the SSH keys you have generated. To do so you have to open SSH’s configuration file:

$ sudo nano /etc/ssh/sshd_config

Within this file you will need to find the line "PermitRootLogin" and modify it to make sure root access is only allowed using the SSH keys:

PermitRootLogin without-password

Finally, save and reload SSH to implement the changes (the service is called ssh on Debian and Ubuntu and sshd on most other distributions):

$ sudo systemctl reload ssh

Once all steps have been completed, your virtual machine will be more secure and the root account will only be reachable using the SSH keys you have generated. Moreover, before closing the current SSH session, you should test the connection from a different terminal window to verify that it works correctly, so that a mistake does not lock you out of the server.
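Step 5 of both sections edits one directive in sshd_config; the added example below (not code from the original guide) does that edit for both PasswordAuthentication and PermitRootLogin, handles the commented-out default and the missing-line case from the note, and then checks the effective configuration before reloading. It assumes the config lives at /etc/ssh/sshd_config unless you pass another path, and uses the OpenSSH value prohibit-password, the current name for the same setting the guide writes as without-password.

```shell
#!/bin/sh
# Added example (not from the original guide): harden sshd_config and verify.
set -eu

# set_sshd_option <file> <Directive> <value>
# Removes every existing line for the directive (active or "#"-commented) and
# appends exactly one authoritative line. Directive names are case-insensitive.
set_sshd_option() {
  file="$1"; key="$2"; value="$3"
  tmp="$(mktemp)"
  awk -v k="$key" 'tolower($1) != tolower(k) && tolower($1) != ("#" tolower(k)) { print }' "$file" > "$tmp"
  printf '%s %s\n' "$key" "$value" >> "$tmp"
  cat "$tmp" > "$file"   # overwrite in place so owner and mode are preserved
  rm -f "$tmp"
}

# get_sshd_option <file> <Directive>: prints the first active value in the file.
get_sshd_option() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" 'tolower($1) == k { print $2; exit }' "$1"
}

# harden_sshd <file>: apply both step-5 settings from the guide.
harden_sshd() {
  set_sshd_option "$1" PasswordAuthentication no
  # "without-password" still works; prohibit-password is the documented name.
  set_sshd_option "$1" PermitRootLogin prohibit-password
}

if [ "${1:-}" = "apply" ]; then
  cfg="${2:-/etc/ssh/sshd_config}"
  harden_sshd "$cfg"
  # sshd -t fails on syntax errors; sshd -T prints the effective values, which
  # also reflects Include'd drop-in files that could override your edit.
  sudo sshd -t -f "$cfg"
  sudo sshd -T -f "$cfg" | grep -Ei '^(passwordauthentication|permitrootlogin) '
  sudo systemctl reload sshd 2>/dev/null || sudo systemctl reload ssh
fi
```

Run `sh script.sh apply` only from a session you keep open, and confirm a fresh key-based login from a second terminal before closing it.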
