Hey there! Welcome to Hostman! 🎉

Configuring SSH Keys in Ubuntu

24.11.2023
Reading time: 9 min
Hostman Team
Technical writer

By default, you use a password to connect to a server via Secure Shell (SSH). However, there are higher levels of security. We recommend configuring SSH keys to protect your system from unauthorized access.

In the article below, we'll look at SSH keys and how to connect to a remote server, for example, a Hostman one.

How Secure Shell works

Secure Shell provides a secure remote connection to the operating system. You can use it to access the shell and transfer data.

The basic configuration consists of a client and a server.

  • The client runs on the computer that establishes the connection. 

  • The server runs on the system to which you need to connect. 

A significant advantage is cross-platform. For example, you can use a client running on Linux, Windows, or macOS to connect to a server running on Ubuntu. All communications between the client and server are encrypted to prevent unauthorized parties from intercepting data.

The weakness of the basic implementation is that it depends entirely on the strength of the passphrases assigned to accounts. If an attacker learns the password, the system becomes vulnerable. SSH key-based authentication helps to address this weakness.

Benefits of using SSH keys

SSH key-based authentication uses asymmetric encryption to add an extra layer of security to remote access to a system. The concept of public key encryption was developed in 1975 by Whitfield Diffie and Martin Hellman and is based on using a pair of keys: one private key and one public key.

The public part of this pair is used to encrypt data, and only the owner of the private part of the pair can decrypt it.

When setting up SSH key-based authentication, the private part is stored on the client machine, and the corresponding public key is on the system where the SSH server is running. Protecting the private key is crucial, as possessing it will allow anyone to log into the remote system. As an additional layer of protection, the private key can also be encrypted and protected by a password that you'll need to enter each time you connect to the server.

This approach can be compared to a jigsaw puzzle. Imagine you have a picture. When you tear it into two pieces, you generate a unique pair. If you print the same picture again and tear it again, you can't reproduce the same pair.

You give one part to the host and keep the other part with you. To connect to the host, you show your piece. If it matches the piece the host has, you shake hands and exchange data. If you give the host a different fragment, it won't open a connection.

-

Creating a key pair

For example, you have a server on Hostman and need to organize secure remote management using SSH. Let's say, you decide that password verification provides insufficient security (and you are too lazy to enter a long password every time). 

The logical solution is to set up SSH key authentication. To do this, you need to generate a key pair. Let's see how to do it in different operating systems.

Linux/macOS

The easiest way to create an authentication pair on Linux and macOS is to use the built-in ssh-keygen utility.

Start the terminal and run the command:

ssh-keygen

The wizard prompts you to choose where to store the authentication data files. Press Enter to keep the default directory and file name (.ssh/id_rsa). If you want to specify a specific storage location, enter the path to it and press Enter.

The wizard will then prompt you to add a passphrase for additional protection. If you don't want to add it, press Enter.

As a result, you will get two files: one with public and one with private keys. By default, the private part is stored in the id_rsa file and the public part in the id_rsa.pub file. But you can specify any file names you want, which can be useful if you connect from the same computer to different servers that use different authentication credentials.

Windows

On Windows, you can generate keys using the PowerShell command line. In recent versions, it supports the ssh-keygen utility. The procedure is the same as on Linux and macOS.

There is an alternative way: using the PuTTY application suite. It also includes the PuTTYgen generator.

  1. Start PuTTYgen and click the Generate button. 

  2. Move the mouse pointer to generate random data. 

  3. Enter an additional passphrase to secure the private key. 

When the process is complete, save the files in suitable locations using the Save public key and Save private key buttons.

Copying the public key to the server

You should store the private key on the computer from which you will connect to the server and transfer the public key to the host you want to connect to.

If the openssh-server is not installed and running on the host, install and enable it using the following commands.

apt install openssh-server
systemctl start sshd.service
systemctl enable sshd.service

There are several ways to transfer the public key.

Using ssh-copy-id

The built-in ssh-copy-id utility helps to transfer the value of the public key automatically. This method is available on Linux and macOS.

In the terminal, run the command:

ssh-copy-id username@server_address 

The first time you connect, you may get a message that the local computer did not recognize the remote host. To remember the server, type 'yes' and press Enter. After that, the utility will check the local computer and the public key and then prompt you to enter a password. After establishing the connection, the utility will copy the private key content to ~/.ssh/authorized_keys. All public keys data is stored there. In response, the terminal should display a message like this:

Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'username@remote-host'"
and check to make sure that only the key(s) you wanted were added.

Transfer via password access

If you don't have the ssh-copy-id utility, you can copy the key via Secure Shell using the password. To do this, run the command:

cat ~/.ssh/id_rsa.pub | ssh username@server_address "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod go= ~/.ssh/authorized_keys"

It looks complicated, but it's actually a simple operation.

  1. First, you output the contents of the file: cat ~/.ssh/id_rsa.pub

  2. Next, you connect to the remote host: ssh username@server_address

  3. Then, you create a folder and file to store the public key.

This example uses the >> redirect symbol. It allows you to append the file's contents rather than overwriting it. It is useful if you are adding multiple keys.

Manual migration

If you don't have an ssh-copy-id (for example, you are using Windows), you can connect via Secure Shell by password, manually create the .ssh/authorized_keys file, and then add the public key.

Display the contents of the public key on the local machine with the command:

cat ~/.ssh/id_rsa.pub

Copy the displayed response. It should look like this:

ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQDC4OSYUK5tAsjYMI4mLWDQleLz1d0IBz7G1cfsC9xnM
MNYfFUSVzjZzsPVnNKzNwcO6dFs8WiE37gUI8p/ekHghcxWzgEybtAY6LleLJh53LPB1D8YEh
92s21p7U0a8rQnGq1LCRQ0y8JFaf9PbmLWJM7llUKhc0YiOIJsQDZxX8g6KYSAaLH+z9Vj8Ag
5Hw4BHi0uWL03tX3jImC3DfU2JnzMAuA+EqGjO5eCkGvD5V2fVbpqscig2G2dmjg5E4I2Q7VD
lEkBMxG7PJSM3O/l8LnS4a2vICFj2am2Zk1jsGFi66/6yBDQZDsZ+SrCvkTRw0ZikxaRVwCmk
F6cgBJn rsa-key-20220602

Then connect to the server and create the ~/.ssh directory with the command:

mkdir -p ~/.ssh

Add the public key:

echo public_key_string >> ~/.ssh/authorized_keys

Instead of public_key_string, specify the content of id_rsa.pub, which you just copied. If the authorized_keys file doesn't exist, the system will create it automatically. If it does exist, you will insert a new string into it.

Finally, configure permissions for the ~/.ssh directory and the authorized_keys file. Remove all group and other permissions for the ~/.ssh/ directory:

chmod -R go= ~/.ssh

Set the directory owner to your user instead of root:

chown -R username:username ~/.ssh

If you plan to access the server from different clients, you can use ssh-copy-id or manually edit .ssh/authorized_keys to insert additional keys. Each line should store only one value.

Connecting with keys

Everything is ready to connect via SSH in Ubuntu. 

Start your terminal and run the command:

ssh username@server_address

The first time you connect, you may get a warning that the local computer doesn't recognize the remote host. To remember it, type yes and press Enter.

If you have set a password for the private key, you will be prompted to enter it. If there is no password, you will log in immediately.

Connecting with PuTTY

If you use Windows, you can also connect using PuTTY.

  1. Start PuTTY.

  2. On the Session tab, enter the hostname or IP.

  3. Leave the default port at 22.

  4. Select the connection type: SSH.

  5. Click the Connection -> SSH -> Auth tab.

  6. Click Browse and select the previously saved private key.

  7. Click Open to establish the connection.

If the connection is successful, PuTTY will launch its own terminal through which you can access the server.

Disabling the password

When using SSH keys in Ubuntu, you can disable password access. This will make the connection safer: if there's no password, no one can steal it and access your server.

Important: before you disable the password, make sure that the private key is securely stored and backed up. If you disable the password and then lose the private key, you will not be able to connect to the server remotely.

In Ubuntu, open the SSH key settings stored in sshd_config:

sudo nano /etc/ssh/sshd_config

Find the PasswordAuthentication line and change the value of yes to no

Restart the service to apply the configuration:

sudo service ssh restart

A strong move from a security perspective. Attackers can try to match the passphrase all they want. This authentication method no longer works. Only the user with the previously generated private key stored on his computer can connect.

Conclusion

By default, Secure Shell allows remote access using password-based authentication. This leaves the system vulnerable to anyone who can guess the password or get it by other means. 

We recommend SSH key-based authentication for maximum protection of access to the system. It is based on the concept of public and private key encryption. Users can only connect to the server from the client with a private key corresponding to the server's public key with a private key corresponding to the server's public key. As an additional layer of security, the private key can also be encrypted and password protected.