How to Use ssh-agent to Manage Private Keys

Many cloud applications are built on the popular SSH protocol—it is widely used for managing network infrastructure, transferring files, and executing remote commands. SSH stands for Secure Socket Shell, meaning it provides a shell (command-line interface) around the connection between multiple remote hosts, ensuring that the connection is secure (encrypted and authenticated). SSH connections are available on all popular operating systems, including Linux, Ubuntu, Windows, and Debian. The protocol establishes an encrypted communication channel within an unprotected network by using a pair of public and private keys. Keys: The Foundation of SSH SSH operates on a client-server model. This means the user has an SSH client (a terminal in Linux or a graphical application in Windows), while the server side runs a daemon, which accepts incoming connections from clients. In practice, an SSH channel enables remote terminal management of a server. In other words, after a successful connection, everything entered in the local console is executed directly on the remote server. The SSH protocol uses a pair of keys for encrypting and decrypting information: public key and private key. These keys are mathematically linked. The public key is shared openly, resides on the server, and is used to encrypt data. The private key is confidential, resides on the client, and is used to decrypt data. Of course, keys are not generated manually but with special tools—keygens. These utilities generate new keys using encryption algorithms fundamental to SSH technology. More About How SSH Works Exchange of Public Keys SSH relies on symmetric encryption, meaning two hosts wishing to communicate securely generate a unique session key derived from the public and private data of each host. For example, host A generates a public and private key pair. The public key is sent to host B. Host B does the same, sending its public key to host A. Using the Diffie-Hellman algorithm, host A can create a key by combining its private key with the public key of host B. Likewise, host B can create an identical key by combining its private key with the public key of host A. This results in both hosts independently generating the same symmetric encryption key, which is then used for secure communication. Hence, the term symmetric encryption. Message Verification To verify messages, hosts use a hash function that outputs a fixed-length string based on the following data: The symmetric encryption key The packet number The encrypted message text The result of hashing these elements is called an HMAC (Hash-based Message Authentication Code). The client generates an HMAC and sends it to the server. The server then creates its own HMAC using the same data and compares it to the client's HMAC. If they match, the verification is successful, ensuring that the message is authentic and hasn't been tampered with. Host Authentication Establishing a secure connection is only part of the process. The next step is authenticating the user connecting to the remote host, as the user may not have permission to execute commands. There are several authentication methods: Password Authentication: The user sends an encrypted password to the server. If the password is correct, the server allows the user to execute commands. Certificate-Based Authentication: The user initially provides the server with a password and the public part of a certificate. Once authenticated, the session continues without requiring repeated password entries for subsequent interactions. These methods ensure that only authorized users can access the remote system while maintaining secure communication. Encryption Algorithms A key factor in the robustness of SSH is that decrypting the symmetric key is only possible with the private key, not the public key, even though the symmetric key is derived from both. Achieving this property requires specific encryption algorithms. There are three primary classes of such algorithms: RSA, DSA, and algorithms based on elliptic curves, each with distinct characteristics: RSA: Developed in 1978, RSA is based on integer factorization. Since factoring large semiprime numbers (products of two large primes) is computationally difficult, the security of RSA depends on the size of the chosen factors. The key length ranges from 1024 to 16384 bits. DSA: DSA (Digital Signature Algorithm) is based on discrete logarithms and modular exponentiation. While similar to RSA, it uses a different mathematical approach to link public and private keys. DSA key length is limited to 1024 bits. ECDSA and EdDSA: These algorithms are based on elliptic curves, unlike DSA, which uses modular exponentiation. They assume that no efficient solution exists for the discrete logarithm problem on elliptic curves. Although the keys are shorter, they provide the same level of security. Key Generation Each operating system has its own utilities for quickly generating SSH keys. In Unix-like systems, the command to generate a key pair is: ssh-keygen -t rsa Here, the type of encryption algorithm is specified using the -t flag. Other supported types include: dsa ecdsa ed25519 You can also specify the key length with the -b flag. However, be cautious, as the security of the connection depends on the key length: ssh-keygen -b 2048 -t rsa After entering the command, the terminal will prompt you to specify a file path and name for storing the generated keys. You can accept the default path by pressing Enter, which will create standard file names: id_rsa (private key) and id_rsa.pub (public key). Thus, the public key will be stored in a file with a .pub extension, while the private key will be stored in a file without an extension. Next, the command will prompt you to enter a passphrase. While not mandatory (it is unrelated to the SSH protocol itself), using a passphrase is recommended to prevent unauthorized use of the key by a third-party user on the local Linux system. Note that if a passphrase is used, you must enter it each time you establish the connection. To change the passphrase later, you can use: ssh-keygen -p Or, you can specify all parameters at once with a single command: ssh-keygen -p old_password -N new_password -f path_to_files For Windows, there are two main approaches: Using ssh-keygen from OpenSSH: The OpenSSH client provides the same ssh-keygen command as Linux, following the same steps. Using PuTTY: PuTTY is a graphical application that allows users to generate public and private keys with the press of a button. Installing the Client and Server Components The primary tool for an SSH connection on Linux platforms (both client and server) is OpenSSH. While it is typically pre-installed on most operating systems, there may be situations (such as with Ubuntu) where manual installation is necessary. The general command for installing SSH, followed by entering the superuser password, is: sudo apt-get install ssh However, in some operating systems, SSH may be divided into separate components for the client and server. For the Client To check whether the SSH client is installed on your local machine, simply run the following command in the terminal: ssh If SSH is supported, the terminal will display a description of the command. If nothing appears, you’ll need to install the client manually: sudo apt-get install openssh-client You will be prompted to enter the superuser password during installation. Once completed, SSH connectivity will be available. For the Server Similarly, the server-side part of the OpenSSH toolkit is required on the remote host. To check if the SSH server is available on your remote host, try connecting locally via SSH: ssh localhost If the SSH daemon is running, you will see a message indicating a successful connection. If not, you’ll need to install the SSH server: sudo apt-get install openssh-server As with the client, the terminal will prompt you to enter the superuser password. After installation, you can check whether SSH is active by running: sudo service ssh status Once connected, you can modify SSH settings as needed by editing the configuration file: ./ssh/sshd_config For example, you might want to change the default port to a custom one. Don’t forget that after making changes to the configuration, you must manually restart the SSH service to apply the updates: sudo service ssh restart Copying an SSH Key to the Server On Hostman, you can easily add SSH keys to your servers using the control panel. Using a Special Copy Command After generating a public SSH key, it can be used as an authorized key on a server. This allows quick connections without the need to repeatedly enter a password. The most common way to copy the key is by using the ssh-copy-id command: ssh-copy-id -i ~/.ssh/id_rsa.pub name@server_address This command assumes you used the default paths and filenames during key generation. If not, simply replace ~/.ssh/id_rsa.pub with your custom path and filename. Replace name with the username on the remote server. Replace server_address with the host address. If the usernames on both the client and server are the same, you can shorten the command: ssh-copy-id -i ~/.ssh/id_rsa.pub server_address If you set a passphrase during the SSH key creation, the terminal will prompt you to enter it. Otherwise, the key will be copied immediately. In some cases, the server may be configured to use a non-standard port (the default is 22). If that’s the case, specify the port using the -p flag: ssh-copy-id -i ~/.ssh/id_rsa.pub -p 8129 name@server_address Semi-Manual Copying There are operating systems where the ssh-copy-id command may not be supported, even though SSH connections to the server are possible. In such cases, the copying process can be done manually using a series of commands: ssh name@server_address 'mkdir -pm 700 ~/.ssh; echo ' $(cat ~/.ssh/id_rsa.pub) ' >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys' This sequence of commands does the following: Creates a special .ssh directory on the server (if it doesn’t already exist) with the correct permissions (700) for reading and writing. Creates or appends to the authorized_keys file, which stores the public keys of all authorized users. The public key from the local file (id_rsa.pub) will be added to it. Sets appropriate permissions (600) on the authorized_keys file to ensure it can only be read and written by the owner. If the authorized_keys file already exists, it will simply be appended with the new key. Once this is done, future connections to the server can be made using the same SSH command, but now the authentication will use the public key added to authorized_keys: ssh name@server_address Manual Copying Some hosting platforms offer server management through alternative interfaces, such as a web-based control panel. In these cases, there is usually an option to manually add a public key to the server. The web interface might even simulate a terminal for interacting with the server. Regardless of the method, the remote host must contain a file named ~/.ssh/authorized_keys, which lists all authorized public keys. Simply copy the client’s public key (found in ~/.ssh/id_rsa.pub by default) into this file. If the key pair was generated using a graphical application (typically PuTTY on Windows), you should copy the public key directly from the application and add it to the existing content in authorized_keys. Connecting to a Server To connect to a remote server on a Linux operating system, enter the following command in the terminal: ssh name@server_address Alternatively, if the local username is identical to the remote username, you can shorten the command to: ssh server_address The system will then prompt you to enter the password. Type it and press Enter. Note that the terminal will not display the password as you type it. Just like with the ssh-copy-id command, you can explicitly specify the port when connecting to a remote server: ssh client@server_address -p 8129 Once connected, you will have control over the remote machine via the terminal; any command you enter will be executed on the server side. Conclusion Today, SSH is one of the most widely used protocols in development and system administration. Therefore, having a basic understanding of its operation is crucial. This article aimed to provide an overview of SSH connections, briefly explain the encryption algorithms (RSA, DSA, ECDSA, and EdDSA), and demonstrate how public and private key pairs can be used to establish secure connections with a personal server, ensuring that exchanged messages remain inaccessible to third parties. We covered the primary commands for UNIX-like operating systems that allow users to generate key pairs and grant clients SSH access by copying the public key to the server, enabling secure connections.

SSH, an application layer protocol, is commonly used for remote access. In this article, we will explore using the SSH protocol to connect to remote Linux VPS servers and configure specific settings to enhance security. SSH can be used with any Linux distribution since it is enabled by default on most modern Unix and Linux distributions. In this guide, we tested everything on Ubuntu 22.04; however, you can also apply it to other distributions like Debian, CentOS, etc. Methods for Connecting via SSH You can use various client programs to connect to Linux servers via SSH. Some popular ones include: Windows: PuTTY, Bitvise SSH Client, SuperPuTTY, mRemoteNG, MobaXterm. macOS: Termius or the built-in SSH utility in Terminal. Windows (Windows 10, Windows 11, Windows Server 2019): The built-in OpenSSH client, accessible through the command line (cmd) or PowerShell. SSH Command Syntax The standard SSH command syntax is as follows: ssh <username@IP_or_domain> For example: ssh [email protected] By default, SSH connects via port 22. If the server uses a different port, specify it using the -p option: ssh [email protected] -p 2222 SSH Server Configuration File The SSH server configuration file is called sshd_config and is located in the /etc/ssh directory. Don't confuse it with the SSH client file ssh_config. In this article, we will focus only on the server file. SSH Password Authentication By default, SSH connections are password-based unless an SSH key was added during server creation (we'll discuss SSH keys in the next section). In most Linux/Unix distributions, the server's configuration includes PAM authentication, allowing users with system accounts to log in using their username and password. To log in using a password, you need the remote server's address and the user's credentials. For example: ssh [email protected] After entering the command, you'll be prompted for the password. If it's correct, you'll access the server. When connecting for the first time, you'll see a message about the server's "fingerprint." Enter yes to proceed. Although password authentication works, it is not the safest method, as passwords can be guessed. A more secure alternative is using SSH keys, discussed in the next section. SSH Keys Authentication SSH keys are a more secure and common method of authentication than passwords. SSH uses two types of keys: Public key: Used for encryption and can be shared publicly. Private key: Used for decryption and should be kept private. To generate SSH keys, use the command: ssh-keygen This command will prompt you to choose a directory to save the keys. By default, they are stored in the .ssh directory in your home folder. For example, in /home/alex/.ssh. You can also set a different location if needed. Press Enter to use the default path. Next, you'll be asked to create a passphrase for added security. If you prefer not to use a passphrase, press Enter when prompted. Once the keys are generated, the private key (id_rsa) and the public key (id_rsa.pub) will be stored in the .ssh directory. Before connecting to a remote host, copy the public key to that host using the ssh-copy-id command: ssh-copy-id -i /home/alex/.ssh/id_rsa.pub [email protected] You'll be prompted to enter the remote user's password once. After that, the public key will be added to the remote host, allowing you to log in without a password: ssh [email protected] If no password is requested, key-based authentication is working correctly. Disabling Password Authentication Since passwords are not secure, disabling password authentication and using only key-based access is recommended. To do this, edit the SSH server configuration file: sudo nano /etc/ssh/sshd_config Find the line PasswordAuthentication and change its value to no: PasswordAuthentication no Save the changes, then restart the SSH server: sudo systemctl restart ssh Before disabling password authentication, ensure that key-based authentication is working. If not, you may lock yourself out of the server. If this happens, you can restore password authentication via the server's web console. Changing the Default SSH Port By default, the SSH server uses port 22. You can change this by editing the sshd_config file. Find the Port line, uncomment it (remove the # symbol), and specify a new port (between 1024 and 65535): Port 2224 After saving the changes, restart the SSH server: sudo systemctl restart ssh To connect to the server on the new port, use the -p option: ssh [email protected] -p 2224 Disabling Root Login In some distributions, root login is allowed by default. Since the root user has full system privileges, it's safer to disable root login. To do this, find the line PermitRootLogin in the sshd_config file and set it to no: PermitRootLogin no Save the file and restart the SSH server: sudo systemctl restart ssh Allowing or Denying Specific Users You can restrict SSH access to specific users by editing the sshd_config file with the following parameters: AllowUsers: Specify which users are allowed to connect via SSH. For example: AllowUsers test admin DenyUsers: Specify users who are denied SSH access. For example: DenyUsers nginx websrv To apply changes, restart the SSH server: sudo systemctl restart ssh Conclusion SSH is an indispensable tool for connecting to remote servers. In addition to built-in encryption, you can further secure your SSH server by configuring it properly, such as disabling password authentication and limiting access to specific users.