Sign In
Sign In

How to Use SSH Keys for Authentication

How to Use SSH Keys for Authentication
Hostman Team
Technical writer
Linux Servers SSH
30.01.2025
Reading time: 10 min

Many cloud applications are built on the popular SSH protocol—it is widely used for managing network infrastructure, transferring files, and executing remote commands.

SSH stands for Secure Socket Shell, meaning it provides a shell (command-line interface) around the connection between multiple remote hosts, ensuring that the connection is secure (encrypted and authenticated).

SSH connections are available on all popular operating systems, including Linux, Ubuntu, Windows, and Debian. The protocol establishes an encrypted communication channel within an unprotected network by using a pair of public and private keys.

Keys: The Foundation of SSH

SSH operates on a client-server model. This means the user has an SSH client (a terminal in Linux or a graphical application in Windows), while the server side runs a daemon, which accepts incoming connections from clients.

In practice, an SSH channel enables remote terminal management of a server. In other words, after a successful connection, everything entered in the local console is executed directly on the remote server.

The SSH protocol uses a pair of keys for encrypting and decrypting information: public key and private key.

These keys are mathematically linked. The public key is shared openly, resides on the server, and is used to encrypt data. The private key is confidential, resides on the client, and is used to decrypt data.

Of course, keys are not generated manually but with special tools—keygens. These utilities generate new keys using encryption algorithms fundamental to SSH technology.

More About How SSH Works

Exchange of Public Keys

SSH relies on symmetric encryption, meaning two hosts wishing to communicate securely generate a unique session key derived from the public and private data of each host.

For example, host A generates a public and private key pair. The public key is sent to host B. Host B does the same, sending its public key to host A.

Using the Diffie-Hellman algorithm, host A can create a key by combining its private key with the public key of host B. Likewise, host B can create an identical key by combining its private key with the public key of host A.

This results in both hosts independently generating the same symmetric encryption key, which is then used for secure communication. Hence, the term symmetric encryption.

Message Verification

To verify messages, hosts use a hash function that outputs a fixed-length string based on the following data:

  • The symmetric encryption key
  • The packet number
  • The encrypted message text

The result of hashing these elements is called an HMAC (Hash-based Message Authentication Code). The client generates an HMAC and sends it to the server. The server then creates its own HMAC using the same data and compares it to the client's HMAC. If they match, the verification is successful, ensuring that the message is authentic and hasn't been tampered with.

Host Authentication

Establishing a secure connection is only part of the process. The next step is authenticating the user connecting to the remote host, as the user may not have permission to execute commands.

There are several authentication methods:

  • Password Authentication: The user sends an encrypted password to the server. If the password is correct, the server allows the user to execute commands.
  • Certificate-Based Authentication: The user initially provides the server with a password and the public part of a certificate. Once authenticated, the session continues without requiring repeated password entries for subsequent interactions.

These methods ensure that only authorized users can access the remote system while maintaining secure communication.

Encryption Algorithms

A key factor in the robustness of SSH is that decrypting the symmetric key is only possible with the private key, not the public key, even though the symmetric key is derived from both. Achieving this property requires specific encryption algorithms.

There are three primary classes of such algorithms: RSA, DSA, and algorithms based on elliptic curves, each with distinct characteristics:

  • RSA: Developed in 1978, RSA is based on integer factorization. Since factoring large semiprime numbers (products of two large primes) is computationally difficult, the security of RSA depends on the size of the chosen factors. The key length ranges from 1024 to 16384 bits.
  • DSA: DSA (Digital Signature Algorithm) is based on discrete logarithms and modular exponentiation. While similar to RSA, it uses a different mathematical approach to link public and private keys. DSA key length is limited to 1024 bits.
  • ECDSA and EdDSA: These algorithms are based on elliptic curves, unlike DSA, which uses modular exponentiation. They assume that no efficient solution exists for the discrete logarithm problem on elliptic curves. Although the keys are shorter, they provide the same level of security.

Key Generation

Each operating system has its own utilities for quickly generating SSH keys.

In Unix-like systems, the command to generate a key pair is:

ssh-keygen -t rsa

Here, the type of encryption algorithm is specified using the -t flag. Other supported types include:

  • dsa
  • ecdsa
  • ed25519

You can also specify the key length with the -b flag. However, be cautious, as the security of the connection depends on the key length:

ssh-keygen -b 2048 -t rsa

After entering the command, the terminal will prompt you to specify a file path and name for storing the generated keys. You can accept the default path by pressing Enter, which will create standard file names: id_rsa (private key) and id_rsa.pub (public key).

Thus, the public key will be stored in a file with a .pub extension, while the private key will be stored in a file without an extension.

Next, the command will prompt you to enter a passphrase. While not mandatory (it is unrelated to the SSH protocol itself), using a passphrase is recommended to prevent unauthorized use of the key by a third-party user on the local Linux system. Note that if a passphrase is used, you must enter it each time you establish the connection.

To change the passphrase later, you can use:

ssh-keygen -p

Or, you can specify all parameters at once with a single command:

ssh-keygen -p old_password -N new_password -f path_to_files

For Windows, there are two main approaches:

  1. Using ssh-keygen from OpenSSH: The OpenSSH client provides the same ssh-keygen command as Linux, following the same steps.

  2. Using PuTTY: PuTTY is a graphical application that allows users to generate public and private keys with the press of a button.

Installing the Client and Server Components

The primary tool for an SSH connection on Linux platforms (both client and server) is OpenSSH. While it is typically pre-installed on most operating systems, there may be situations (such as with Ubuntu) where manual installation is necessary.

The general command for installing SSH, followed by entering the superuser password, is:

sudo apt-get install ssh

However, in some operating systems, SSH may be divided into separate components for the client and server.

For the Client

To check whether the SSH client is installed on your local machine, simply run the following command in the terminal:

ssh

If SSH is supported, the terminal will display a description of the command. If nothing appears, you’ll need to install the client manually:

sudo apt-get install openssh-client

You will be prompted to enter the superuser password during installation. Once completed, SSH connectivity will be available.

For the Server

Similarly, the server-side part of the OpenSSH toolkit is required on the remote host.

To check if the SSH server is available on your remote host, try connecting locally via SSH:

ssh localhost

If the SSH daemon is running, you will see a message indicating a successful connection. If not, you’ll need to install the SSH server:

sudo apt-get install openssh-server

As with the client, the terminal will prompt you to enter the superuser password. After installation, you can check whether SSH is active by running:

sudo service ssh status

Once connected, you can modify SSH settings as needed by editing the configuration file:

./ssh/sshd_config

For example, you might want to change the default port to a custom one. Don’t forget that after making changes to the configuration, you must manually restart the SSH service to apply the updates:

sudo service ssh restart

Copying an SSH Key to the Server

On Hostman, you can easily add SSH keys to your servers using the control panel.

Using a Special Copy Command

After generating a public SSH key, it can be used as an authorized key on a server. This allows quick connections without the need to repeatedly enter a password.

The most common way to copy the key is by using the ssh-copy-id command:

ssh-copy-id -i ~/.ssh/id_rsa.pub name@server_address

This command assumes you used the default paths and filenames during key generation. If not, simply replace ~/.ssh/id_rsa.pub with your custom path and filename.

  • Replace name with the username on the remote server.

  • Replace server_address with the host address. If the usernames on both the client and server are the same, you can shorten the command:

ssh-copy-id -i ~/.ssh/id_rsa.pub server_address

If you set a passphrase during the SSH key creation, the terminal will prompt you to enter it. Otherwise, the key will be copied immediately.

In some cases, the server may be configured to use a non-standard port (the default is 22). If that’s the case, specify the port using the -p flag:

ssh-copy-id -i ~/.ssh/id_rsa.pub -p 8129 name@server_address

Semi-Manual Copying

There are operating systems where the ssh-copy-id command may not be supported, even though SSH connections to the server are possible. In such cases, the copying process can be done manually using a series of commands:

ssh name@server_address 'mkdir -pm 700 ~/.ssh; echo ' $(cat ~/.ssh/id_rsa.pub) ' >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys'

This sequence of commands does the following:

  1. Creates a special .ssh directory on the server (if it doesn’t already exist) with the correct permissions (700) for reading and writing.

  2. Creates or appends to the authorized_keys file, which stores the public keys of all authorized users. The public key from the local file (id_rsa.pub) will be added to it.

  3. Sets appropriate permissions (600) on the authorized_keys file to ensure it can only be read and written by the owner.

If the authorized_keys file already exists, it will simply be appended with the new key.

Once this is done, future connections to the server can be made using the same SSH command, but now the authentication will use the public key added to authorized_keys:

ssh name@server_address

Manual Copying

Some hosting platforms offer server management through alternative interfaces, such as a web-based control panel. In these cases, there is usually an option to manually add a public key to the server. The web interface might even simulate a terminal for interacting with the server.

Regardless of the method, the remote host must contain a file named ~/.ssh/authorized_keys, which lists all authorized public keys.

Simply copy the client’s public key (found in ~/.ssh/id_rsa.pub by default) into this file.

If the key pair was generated using a graphical application (typically PuTTY on Windows), you should copy the public key directly from the application and add it to the existing content in authorized_keys.

Connecting to a Server

To connect to a remote server on a Linux operating system, enter the following command in the terminal:

ssh name@server_address

Alternatively, if the local username is identical to the remote username, you can shorten the command to:

ssh server_address

The system will then prompt you to enter the password. Type it and press Enter. Note that the terminal will not display the password as you type it.

Just like with the ssh-copy-id command, you can explicitly specify the port when connecting to a remote server:

ssh client@server_address -p 8129

Once connected, you will have control over the remote machine via the terminal; any command you enter will be executed on the server side.

Conclusion

Today, SSH is one of the most widely used protocols in development and system administration. Therefore, having a basic understanding of its operation is crucial.

This article aimed to provide an overview of SSH connections, briefly explain the encryption algorithms (RSA, DSA, ECDSA, and EdDSA), and demonstrate how public and private key pairs can be used to establish secure connections with a personal server, ensuring that exchanged messages remain inaccessible to third parties.

We covered the primary commands for UNIX-like operating systems that allow users to generate key pairs and grant clients SSH access by copying the public key to the server, enabling secure connections.

Linux Servers SSH
30.01.2025
Reading time: 10 min

Similar

Linux

Installing Arch Linux in a Cloud Environment

Arch Linux is a lightweight and flexible Linux distribution that provides users with extensive opportunities for customizing and optimizing their systems. It includes a minimal amount of preinstalled software and offers a console-based interface. In most cases, it is used by experienced users: professional developers, system administrators, or hackers. This is due to the complexity of its installation and subsequent configuration, which involves adding the required packages and components to the system. However, these difficulties are justified, because in the end the user gets exactly the system and services they need. In this article, we will explain how to install Arch Linux on your cloud server and perform its basic configuration. Advantages of Arch Linux It is worth noting that Arch Linux is ideally suited as an OS for a cloud server due to its low resource requirements. This distribution also has several other advantages: System UpdatesArch Linux updates automatically when a new OS version is released. Software InstallationPackages can be downloaded both over the network and from a local disk. In addition, the installed software does not need to be specifically compatible with Arch Linux. Rich RepositoriesArch Linux offers a wide variety of packages. Today, there are over 12,000 packages in the official repositories alone. In the community repository, there are even more — over 83,000. Up-to-date DocumentationThe official Arch Linux documentation is actively updated to reflect the latest changes and innovations. This ensures accurate and relevant system information. Active CommunityThis distribution has an active user community ready to help and share their experience. There are many forums, wikis, and repositories where you can find detailed instructions and guides for installation, configuration, and troubleshooting. 1. Preparing for Installation To follow this guide and install Arch Linux, you will need: A cloud server with any operating system (in our case, Debian 11); A link to the Arch Linux image from an official source; An additional disk, which you can attach under the Plan tab in the control panel. Step 1. To install Arch Linux on the server, you must first upload its installation image from an official source in .iso format. For example: wget https://mirror.rackspace.com/archlinux/iso/2025.06.01/archlinux-2025.06.01-x86_64.iso Step 2. Next, add a new disk where the installation image will be stored. It will appear in the system as /dev/sdb. You can specify the minimum disk size. Step 3. Write the installation image to the new disk: dd if=archlinux-2025.06.01-x86_64.iso of=/dev/sdb The writing process will take some time. When finished, verify it with the following command: fdisk -l In the output, you will see that the installation image has been written to the new disk, creating two necessary partitions. Step 4. After writing the installation image, proceed to boot from it. To do this, go to the Access tab and boot the server from the recovery disk. Open the console in the control panel.  Step 5. In the console window, go to the Boot existing OS menu item and press Tab on your keyboard. This will allow you to edit the text at the bottom of the screen. Here, you need to manually replace hd0 with hd1, as shown in the figure below. After that, press Enter to launch the installation program. Step 6. In the system bootloader that appears, select the first option. 2. Partitioning the Disk Now we can partition the main disk (sda). In our case, there will be 3 partitions: a 300 MB UEFI partition (type EFI), a 700 MB swap partition (type Linux swap), and a main filesystem partition taking up all remaining space (type Linux). In your own installation, the number and size of partitions may differ depending on your requirements. Make sure there are no important files on the server’s disk, because it will be formatted later. You may also wish to back it up to preserve important data. Step 1. First, check whether there are any files on the disk you need to save: lsblk The screenshot below shows the list. For creating the described partitions, we will use a 25 GB disk — sda. It currently has Debian 11 installed, which does not contain important files. Step 2. To partition the disk, enter the following command: cfdisk /dev/sda Step 3. In the window that opens, you need to delete all existing partitions. To do this, select a partition and use the Delete button in the lower menu. Step 4. Next, select the New button in the lower menu to create a new partition. Step 5. Then specify the size of the partition to be created. In our case, this is 300 MB for UEFI. Step 6. In the next window, choose Primary. Step 7. The partition is now created, and you need to specify its type. Go to the Type menu and select EFI. Step 8. Now move to the Free space and create 2 more partitions, repeating steps 4 through 7. Partition details were listed at the beginning of this chapter. Step 9. Once all partitions have been created, go to the Write button and select it. To confirm, type yes in the field that appears. Step 10. Partitioning is now complete. To exit the tool, select the Quit button in the lower menu. Step 11. You can verify your work using the lsblk command again. Check in the output that all changes have been successfully applied. 3. Formatting and Mounting the Created Partitions At this stage, the created partitions will be formatted and mounted. Remember, all data will be erased in this process! Step 1. For the first partition, format it using the following command: mkfs.fat -F32 /dev/sda1 This command will create a FAT32 filesystem, which is the recommended format for the UEFI partition. Step 2. Next, assign it a mount point: mkdir /mnt/efi mount /dev/sda1 /mnt/efi Step 3. For the second partition, perform special formatting: mkswap /dev/sda2 Step 4. Then activate the swap partition: swapon /dev/sda2 Step 5. Finally, format the system’s root partition: mkfs.ext4 /dev/sda3 Step 6. After formatting, create its mount point: mount /dev/sda3 /mnt After completing the formatting and mounting, your partitions will be ready for installing and configuring Arch Linux and its main components. 4. Installing the Main Arch Linux Components Step 1. First, let’s install the OS and its core components: pacstrap /mnt base linux grub openssh nano dhcpcd Step 2. Once the installation finishes, you need to generate the fstab file: genfstab -U /mnt >> /mnt/etc/fstab Generating the fstab file makes partition mounting management easier and ensures automatic and consistent mounting at system startup. 5. System Configuration Step 1. To configure Arch Linux after installation, you need to chroot into the OS without rebooting: arch-chroot /mnt Step 2. First, install the nano text editor: pacman -S nano Step 3. Uncomment the encoding for English in the relevant file (you would edit locale.gen): nano /etc/locale.gen Uncomment the line for en_US.UTF-8. After this, save the changes and exit nano, then generate the locales: locale-gen To enable the English language, execute: echo "LANG=en_US.UTF-8" > /etc/locale.conf Step 4. At this step, set up the system clock. For example:  ln -sf /usr/share/zoneinfo/Europe/Nicosia /etc/localtime The region is set. Now synchronize the hardware clock: hwclock --systohc Step 5. Next, set the hostname for your system: echo "hostname" > /etc/hostname Step 6. As the second-to-last step, set the root password. Run: passwd You will be prompted to enter and confirm the password. Step 7. Lastly, set up the previously installed GRUB bootloader to boot the server: grub-install --target=i386-pc /dev/sda Then create the GRUB configuration file: grub-mkconfig -o /boot/grub/grub.cfg This command will automatically configure GRUB. Step 8. Arch Linux is now successfully installed. Exit the chroot: exit Then go to the Access tab in your control panel and switch the server to standard boot mode. After that, click Save and Reboot. You can remove the additional disk after this step. Step 9. The system will boot, but it is not ready for use yet. First, connect to the server and enable the DHCP client daemon: systemctl enable dhcpcd Then start it: systemctl start dhcpcd Make sure the service shows the status active (running). Step 10. Next, configure the SSH connection. First, create a backup of the sshd configuration: cp /etc/ssh/sshd_config /etc/ssh/backup.sshdconf Then set PermitRootLogin to Yes in the /etc/ssh/sshd_config file: nano /etc/ssh/sshd_config Finally, enable the SSH daemon: systemctl enable sshd And start it: systemctl start sshd When checking with systemctl status sshd, the service should show active (running) status. Don’t forget to add and configure SSH keys before connecting to the server. 6. Additional Configuration The installation is complete, but you can also perform additional system configuration by reviewing the official Arch Linux setup documentation. To install packages, use the command: pacman -S package_name To update the system, use: pacman -Suy Conclusion In this guide, we reviewed the process of installing Arch Linux on your cloud server and performed its basic configuration. We used a temporary Debian 11 OS and an additional disk for the installation image. By following these steps, you can create a powerful and flexible virtual environment for developing, testing, and running applications based on Arch Linux.
03 July 2025 · 8 min to read
Linux

How to Open a Port on Linux

Opening ports in Linux is an important task that allows certain services or applications to exchange data over the network. Ports act as communication gateways, allowing access to authorized services while blocking unauthorized connections. Managing ports is key to secure access, smooth app functionality, and reliable performance. Understanding Ports and Their Purpose Ports are the logical endpoints of network communication, where devices can send and receive information. HTTP uses port 80, HTTPS uses port 443, and SSH uses port 22. An open port means the service that listens for incoming network traffic is associated with it. A closed port, on the other hand, stops communication via that gateway. Maintaining availability and security requires proper management of Linux open ports. Check Existing Open Ports on Linux Before opening a port, check the open ports in Linux to see which ones are currently active. You may achieve this using several Linux commands. netstat To display open ports, run: netstat -tuln The netstat utility provides a real-time view of active network connections, displaying all listening endpoints. The -tuln flags refine the output to show only TCP and UDP ports without resolving hostnames. Note: In case netstat isn’t installed, install it via: sudo apt install net-tools ss The ss utility can also be utilized to check ports: ss -tuln Compared to netstat, the ss command is more recent and fast. It shows the ports that are in use as well as socket information. nmap For a detailed analysis of Linux open ports, use: nmap localhost The nmap utility scans the given host (localhost in this case) for open ports. This is useful for finding ports exposed to public networks. Note: You can install nmap on Linux via: sudo apt install nmap Opening Ports on Linux Firewall modification is required to grant access through a chosen endpoint. Linux provides several options for handling these tasks, including iptables, ufw, and firewalld. Here are the methods to open ports with these utilities. Method 1: Via iptables Iptables is a robust and lower level firewall utility that grants fine-grained control over network traffic. To open a port with iptables, take these steps: Add a Rule to Allow Traffic from a Specific Port  Enable HTTP access on port 8080 with this command: sudo iptables -A INPUT -p tcp --dport 8080 -j ACCEPT sudo: Execute the command as superuser. iptables: Refers to the firewall utility. -A INPUT: Inserts a rule in the input chain, controlling incoming traffic. -p tcp: Shows that the rule is for TCP traffic. --dport 8080: Points to port 8080 for the rule. ACCEPT: Specifies that incoming traffic matching the rule is accepted. This permits incoming TCP on port 8080. However, iptables changes are volatile and will be undone after reboot. Note: The iptables can be installed with persistent packages using: sudo apt install iptables iptables-persistent Save the Configuration For making the rule permanent and remain even after a system restart, store iptables rules via: sudo netfilter-persistent save This directive preserves current iptables or nftables rules such that they are preserved during reboots. Reload Changes Reload the firewall configuration as needed with: sudo netfilter-persistent reload Method 2: Via UFW Ufw (Uncomplicated Firewall) is a minimal front-end for managing iptables rules. It allows you to easily open ports with simple commands. This is how you can do it: Enable Ufw  First, ensure the ufw firewall is activated: sudo ufw enable Executing this command allows UFW to modify firewall settings. Note: UFW can be installed with: sudo apt install ufw Allow Traffic Via Specific Port  For instance, to open port 22 for SSH, use: sudo ufw allow 22/tcp sudo: Grants superuser privileges. ufw allow: Adds a rule to permit traffic. 22/tcp: Sets port 22 for communication while restricting the rule to TCP protocol. This permits access on port 22, enabling remote SSH connections. Verify the Firewall Status  To ensure the port is accessible and the rule is active, execute: sudo ufw status The status command displays all active rules, including the allowed ports. Method 3: Via Firewalld Firewalld is a dynamic firewall daemon present on Linux. It is simpler to customize the firewall rules compared to using iptables. Here’s how to enable port access via firewalld: Add a Permanent Rule for the Desired Port  To enable HTTPS access on port 443, run: sudo firewall-cmd --permanent --add-port=443/tcp firewall-cmd: Invokes the firewalld command. --permanent: Ensures the rule stays active after the firewall reloads or the system boots. --add-port=443/tcp: Opens port 443 to accept incoming TCP traffic. Note: Install firewalld on Linux via: sudo apt install firewalld Once installed, you should activate and run it: sudo systemctl enable firewalld sudo systemctl start firewalld Reload the Firewall  Finalize the settings to enable the newly defined policy: sudo firewall-cmd --reload Applying firewall modifications makes recent policy updates functional without rebooting. Verification Check whether the port is opened successfully: sudo firewall-cmd --list-all The --list-all command provides a complete list of rules, helping you determine if port 443 is open. Testing the Newly Opened Port Always check if the newly opened port is available for incoming connections. Here’s how: Using telnet Test the port opening via: telnet localhost port_number Successful access means the port is open and responsive. Using nmap Analyze the host to verify if the specified endpoint is accessible.: nmap -p port_number localhost The -p flag specifies the port to scan. Using curl Check HTTP service availability: curl localhost:port_number A successful response confirms the service is running on the opened port. Troubleshooting Common Issues Ports opening may occasionally fail due to configuration errors or conflicting software settings. Follow these tips: Verify Firewall Rules: Run iptables -L or ufw status to assess firewall restrictions and permissions. Check Service Status: Check if the assigned service is active with systemctl status <service-name>. Opening Specific Ports Based on Protocol Understanding the protocol used by the service can help configure ports more effectively. For instance, web traffic typically uses TCP (Transmission Control Protocol) for stable communication, while certain gaming services may require UDP (User Datagram Protocol) for faster packet transmission. Opening a TCP Port To access port 3306 for MySQL traffic: sudo ufw allow 3306/tcp This explicitly permits TCP traffic through port 3306, ensuring stable communication for database queries. Opening a UDP Port To access port 161 for SNMP (Simple Network Management Protocol), run: sudo ufw allow 161/udp UDP provides faster, connectionless communication, ideal for monitoring tools like SNMP. Managing Port Accessibility Once a port is opened, controlling its visibility ensures security and prevents unauthorized access. Restricting Access to Specific IPs To limit port access to a specific IP address (e.g., 192.168.1.100): sudo ufw allow from 192.168.1.100 to any port 22 This allows SSH access via port 22 only from the specified IP address, enhancing security. Closing Ports To revoke access to port 80: sudo ufw deny 80/tcp This denies incoming traffic on port 80, effectively closing it for HTTP services. Conclusion Confirming open ports in Linux is a key step for optimizing network functionality and deploying services effectively. With the use of utilities such as iptables, ufw, or firewalld, you can control traffic securely for your apps. You need to test and debug in order to confirm the port is open and working as expected. From web servers to SSH access, to other network services, port management skills ensure smooth operations and better security.
01 July 2025 · 7 min to read
Linux

NATS Installation, Configuration, and Usage Guide

NATS is a simple, fast, and lightweight message broker written in the Go programming language. NATS has several data organization features: Key-Value: Data within NATS is stored in "key-value" format, where each key corresponds to a specific value. Subjects: Data within NATS is organized into so-called "Subjects," which are named channels for message transmission. Subjects can be divided into segments with hierarchical structures. Publish/Subscribe (Pub/Sub): Data within NATS is transmitted through a model where "Publishers" send messages to "Subjects," and "Subscribers" can subscribe to these "Subjects" to receive messages. Unlike many other message brokers (such as Apache Kafka or RabbitMQ), NATS has several significant advantages: Simplicity and Performance: Messages are transmitted through a simple and fast Pub/Sub protocol. When a message is sent to a subject, all subscribers immediately receive it. This minimizes delays and other overhead costs. Stateless: Information about the state of messages transmitted through the broker is not stored within it, nor is data about subject subscribers. The absence of complex state synchronization allows NATS to scale easily. No Default Queues: In standard configuration, NATS does not form message queues. This is important in cases where data timeliness is more important than persistence. It also eliminates queue management overhead. Reliable Protocol: Messages within the broker are transmitted using the "at-most-once delivery" method. This means a subscriber either receives a message once or not at all. This increases communication reliability and prevents duplicate responses to forwarded messages. Thus, NATS enables building fast and reliable communication between multiple different services. In this guide, we will thoroughly examine how to install, configure, and correctly use NATS in projects running on Ubuntu 22.04. Downloading NATS Package Updates Before installation, it's recommended to update the list of available repositories in the system: sudo apt update Downloading the Archive Next, you need to manually download the ZIP archive with NATS from its official GitHub repository: wget https://github.com/nats-io/nats-server/releases/download/v2.10.22/nats-server-v2.10.22-linux-amd64.zip After the download is complete, you can check the file list: ls Among them will be the NATS archive: nats-server-v2.10.22-linux-amd64.zip  resize.log  snap Extracting the Archive Next, install the package that performs ZIP archive extraction: sudo apt install unzip -y The -y flag is added so that the installer automatically answers 'yes' to all questions. Now extract the NATS archive using the installed extractor: unzip nats-server-v2.10.22-linux-amd64.zip Check the file list: ls As you can see, a new folder with the archive contents has appeared: nats-server-v2.10.22-linux-amd64  nats-server-v2.10.22-linux-amd64.zip  resize.log  snap We no longer need the archive, so delete it: rm nats-server-v2.10.22-linux-amd64.zip Installing NATS Server Installation Let's look at the contents of the created folder: ls nats-server-v2.10.22-linux-amd64 Inside it is the main directory with the NATS server: LICENSE  nats-server  README.md This is what we need to copy to the system catalog with binary files: sudo mv nats-server-v2.10.22-linux-amd64/nats-server /usr/local/bin/ After copying, you need to set the appropriate access permissions: sudo chmod +x /usr/local/bin/nats-server The folder with NATS contents, like the archive, can now also be deleted: rm nats-server-v2.10.22-linux-amd64 -R Server Verification Let's verify that the NATS server is installed by requesting its version: nats-server -v A similar output should appear in the console terminal: nats-server: v2.10.22 However, this command doesn't start the server; it only returns its version. You can start the server as follows: nats-server [3704] 2024/11/07 02:59:53.908362 [INF] Starting nats-server [3704] 2024/11/07 02:59:53.908623 [INF] Version: 2.10.22 [3704] 2024/11/07 02:59:53.908669 [INF] Git: [240e9a4] [3704] 2024/11/07 02:59:53.908701 [INF] Name: NC253DIPURNIY4HUXYQYC5LLAFA6UZEBKUIWTBLLPSMICFH3E2FMSXB7 [3704] 2024/11/07 02:59:53.908725 [INF] ID: NC253DIPURNIY4HUXYQYC5LLAFA6UZEBKUIWTBLLPSMICFH3E2FMSXB7 [3704] 2024/11/07 02:59:53.909430 [INF] Listening for client connections on 0.0.0.0:4222 [3704] 2024/11/07 02:59:53.909679 [INF] Server is ready In this case, the server starts with binding to the console terminal, not as a background service. Therefore, to return to command input mode, you need to press Ctrl + C. NATS Configuration Creating a Configuration File After the broker server is started, you can create a separate directory for the NATS configuration file: mkdir /etc/nats And then create the configuration file itself: sudo nano /etc/nats/nats-server.conf Its contents will be as follows: cluster { name: "test-nats" } store_dir: "/var/lib/nats" listen: "0.0.0.0:4222" Specifically in this configuration, the most basic parameters are set: name: Server name within the NATS cluster store_dir: Path to the directory where working data will be stored listen: IP address and port that the NATS server will occupy Creating a Separate User For all directories related to NATS, you need to create a separate user: useradd -r -c 'NATS service' nats Now create the directories specified in the configuration file: mkdir /var/log/nats /var/lib/nats For each directory, assign appropriate access permissions to the previously created user: chown nats:nats /var/log/nats /var/lib/nats Creating a Background Service Earlier we started the NATS server with binding to the console terminal. In this case, when exiting the console, the server will stop working. To prevent this, you need to create a file for the systemd service: sudo nano /etc/systemd/system/nats-server.service Its contents will be: [Unit] Description=NATS message broker server After=syslog.target network.target [Service] Type=simple ExecStart=/usr/local/bin/nats-server -c /etc/nats/nats-server.conf User=nats Group=nats LimitNOFILE=65536 ExecReload=/bin/kill -HUP $MAINPID Restart=on-failure [Install] WantedBy=multi-user.target This file contains several key parameters: Description: Short description of the service ExecStart: NATS server startup command with the configuration file explicitly specified User: Name of the user created for NATS Now we need to set up the service to start up at boot:  systemctl enable nats-server --now The --now flag immediately starts the specified service. The corresponding message will appear in the console: Created symlink /etc/systemd/system/multi-user.target.wants/nats-server.service → /etc/systemd/system/nats-server.service. Now check the status of the running service: systemctl status nats-server If the NATS server service started successfully, the corresponding message will be among the console output: ... Active: active (running) ... Connecting to NATS You can connect to the NATS server through the console terminal and thus perform message broker testing. For example, publish messages or subscribe to subjects. Client Installation To manage the NATS server, you need to install the natscli client. You can download it from the official GitHub repository: wget https://github.com/nats-io/natscli/releases/download/v0.1.5/nats-0.1.5-amd64.deb After this, the downloaded archive can be extracted and installed: dpkg -i nats-0.1.5-amd64.deb The archive itself can be deleted as it's no longer needed: rm nats-0.1.5-amd64.deb Sending Messages Now you can send a message to the message broker: nats pub -s 127.0.0.1 "someSubject" "Some message" In this command, we send the message "Some message" to the subject "someSubject" to the message broker running on IP address 127.0.0.1 and located on the standard NATS port - 4222. After this, information about the sent data will appear in the console terminal: 10:59:51 Published 12 bytes to "someSubject" Reading Messages Currently, no one will see this message since there's no agent subscribed to the specified subject. We can simulate a service subscribed to the subject and reading messages using another SSH session. To do this, you need to open another console terminal, connect to the remote machine, and subscribe to the previously specified subject: nats sub -s 127.0.0.1 "someSubject" A message about successful subscription will appear in the terminal: 11:11:10 Subscribing on someSubject Now repeat sending the message from the first terminal: nats pub -s 127.0.0.1 "someSubject" "Some message" Information about the new message will appear in the second terminal: [#1] Received on "someSubject" Some message Let's send another message from the first terminal: nats pub -s 127.0.0.1 "someSubject" "Some message again" The corresponding notification will appear in the second terminal: [#2] Received on "someSubject" Some message again Note that the console output of received messages has numbering in square brackets. Go Program + NATS Let's create a small program in the Golang programming language using the NATS message broker. Installing Go First, you need to ensure that the Go compiler is installed in the system: go version If the following message appears in the console terminal, then Go is not yet installed: Command 'go' not found, but can be installed with: snap install go # version 1.23.2, or apt install golang-go # version 2:1.18~0ubuntu2 apt install gccgo-go # version 2:1.18~0ubuntu2 See 'snap info go' for additional versions. In this case, you need to download it as an archive from the official website: wget https://go.dev/dl/go1.23.3.linux-amd64.tar.gz -O go.tar.gz And then extracted: sudo tar -xzvf go.tar.gz -C /usr/local As we no longer need the downloaded archive, we can delete it: rm go.tar.gz Next, you need to add the Go compiler to the PATH variable so it can be called from the console terminal: echo export PATH=$HOME/go/bin:/usr/local/go/bin:$PATH >> ~/.profile Then apply the changes: source ~/.profile Verify that Go is installed successfully by requesting its version: go version You will see a similar output: go version go1.23.3 linux/amd64 Creating a Project Let's create a separate folder for the Golang program: mkdir nats_go Then navigate to it: cd nats_go And initialize the Go project: go mod init nats_go Installing the Module After project initialization, you need to install the NATS client from the official GitHub repository. You don't need to download anything manually; it's enough to use the built-in Golang function: go get github.com/nats-io/nats.go/ Writing Code Now you can create a file with the program code: nano nats_go.go Its contents will be: package main import ( "fmt" // module for working with console "os" // module for working with system functions "time" // module for working with time "github.com/nats-io/nats.go" // module for working with NATS server ) func main() { // get NATS server address from environment variable url := os.Getenv("NATS_URL") // if there's no address in environment variable, use default address if url == "" { url = nats.DefaultURL } // connect to NATS server nc, _ := nats.Connect(url) // defer message broker cleanup until main() function completion defer nc.Drain() // send message to subject without subscribers to ensure it disappears nc.Publish("people.philosophers", []byte("Hello, Socrates!")) // subscribe to all sub-subjects in "people" subject sub, _ := nc.SubscribeSync("people.*") // extract message msg, _ := sub.NextMsg(10 * time.Millisecond) // output message status (it's not there because it was sent before subscribing to subjects) fmt.Printf("No message? Answer: %v\n", msg == nil) // send message to "philosophers" sub-subject of "people" subject nc.Publish("people.philosophers", []byte("Hello, Socrates!")) // send message to "physicists" sub-subject of "people" subject nc.Publish("people.physicists", []byte("Hello, Feynman!")) // extract message and output to console msg, _ = sub.NextMsg(10 * time.Millisecond) fmt.Printf("Message: %q in subject %q\n", string(msg.Data), msg.Subject) // extract message and output to console msg, _ = sub.NextMsg(10 * time.Millisecond) fmt.Printf("Message: %q in subject %q\n", string(msg.Data), msg.Subject) // send message to "biologists" sub-subject of "people" subject nc.Publish("people.biologists", []byte("Hello, Darwin!")) // extract message and output to console msg, _ = sub.NextMsg(10 * time.Millisecond) fmt.Printf("Message: %q in subject %q\n", string(msg.Data), msg.Subject) } Now you can run the created program: go run . The program's output will appear in the console terminal: No message? Answer: true Message: "Hello, Socrates!" in subject "people.philosophers" Message: "Hello, Feynman!" in subject "people.physicists" Message: "Hello, Darwin!" in subject "people.biologists" Python Program + NATS As another example, let's consider using the NATS message broker in the Python programming language. First, you need to ensure that the Python interpreter is installed in the system by requesting its version: python --version The corresponding message will appear in the console: Python 3.10.12 Note that this guide uses Python version 3.10.12. Installing PIP To download the NATS client for Python, you first need to install the PIP package manager: apt install python3-pip -y The -y flag helps automatically answer positively to all questions during installation. Installing the Client Now you can install the NATS client for Python: pip install nats-py Creating a Project For the Python program, let's create a separate directory: mkdir nats_python And navigate to it: cd nats_python Writing Code Let's create a file with the program code: nano nats_python.py Its contents will be: import os import asyncio # import NATS client import nats from nats.errors import TimeoutError # get environment variable containing NATS server address servers = os.environ.get("NATS_URL", "nats://localhost:4222").split(",") async def main(): # connect to NATS server nc = await nats.connect(servers=servers) # send message to subject without subscribers to ensure it disappears await nc.publish("people.philosophers", "Hello, Socrates!".encode()) # subscribe to all sub-subjects in "people" subject sub = await nc.subscribe("people.*") try: # extract message msg = await sub.next_msg(timeout=0.1) except TimeoutError: pass # send message to "philosophers" sub-subject of "people" subject await nc.publish("people.philosophers", "Hello, Socrates!".encode()) # send message to "physicists" sub-subject of "people" subject await nc.publish("people.physicists", "Hello, Feynman!".encode()) # extract message and output to console msg = await sub.next_msg(timeout=0.1) print(f"{msg.data.decode('utf-8')} in subject {msg.subject}") # extract message and output to console msg = await sub.next_msg(timeout=0.1) print(f"{msg.data.decode('utf-8')} in subject {msg.subject}") # send message to "biologists" sub-subject of "people" subject await nc.publish("people.biologists", "Hello, Darwin!".encode()) # extract message and output to console msg = await sub.next_msg(timeout=0.1) print(f"{msg.data.decode('utf-8')} in subject {msg.subject}") # unsubscribe from subjects await sub.unsubscribe() # clean up message broker await nc.drain() if __name__ == '__main__': asyncio.run(main()) Now you can run the created script: python nats_python.py The result of its operation will be the following output in the console terminal: Hello, Socrates! in subject people.philosophers Hello, Feynman! in subject people.physicists Hello, Darwin! in subject people.biologists As you can notice, the logic of this Python program doesn't differ from the logic of the Go program. The difference is only in the syntactic constructions of the specific programming language. Conclusion This guide examined the use of the NATS message broker in sequential stages: Downloading and installing NATS from the official GitHub repository Minimal NATS server configuration Managing the NATS server through the console terminal client Using NATS in a Golang program Using NATS in a Python program We downloaded all NATS clients used in this guide (for terminal, Go, and Python) from the official NATS repository on GitHub, which hosts modules and libraries for all programming languages supported by NATS. You can find more detailed information about configuring and using NATS in the official documentation. There are also many examples of using NATS in different programming languages.
24 June 2025 · 13 min to read

Do you have questions,
comments, or concerns?

Our professionals are available to assist you at any moment,
whether you need help or are just unsure of where to start.
Email us
Hostman's Support