How to use SSH keys
The SSH network protocol makes it possible to establish secure, encrypted network connections to remote devices, such as a server. Such an SSH connection allows users to carry out maintenance from the command line or directly from a local computer. Depending on the protocol version in use, different encryption algorithms may be employed; SSH-2, for example, uses AES by default. Before the connection can be encrypted, a successful authentication needs to be carried out. While the server identifies itself to the client with a security certificate, there are several ways for the client to log in to the server. In addition to the familiar option of user name and password, a key pair consisting of a private and a public SSH key is also a popular choice.
Public key authentication
Authentication with SSH keys, also referred to as public key authentication, has advantages over the standard password login. With this method, no password is saved on the server; the server stores only the public key. The private SSH key remains safely and securely stored on one’s own computer, and it can additionally be encrypted with a passphrase. The public key can verify signatures that have been generated with the private SSH key, which allows automatic login to the server. Should unauthorized users gain access to the public key, deriving the private key from it is virtually impossible. As a result, relying on a key pair for SSH connections frees users from having to go through a login dialog and also provides more robust security.
Switch to SSH keys–here’s how to do it
Taking full advantage of SSH connections requires an SSH package, such as OpenSSH for Unix, WinSCP for Windows, or PuTTY for both Unix and Windows operating systems. In addition to implementing the SSH protocol, these packages include applications that can generate SSH keys. The following step-by-step guide lays out how to set up key pairs with OpenSSH and PuTTY.
SSH keys with OpenSSH configuration
- For starters, the SSH key needs to be generated by entering the following command:
ssh-keygen -t rsa -b 4096
These parameters determine the kind of encryption to be used, which in this particular case is RSA, and the key length (-b), although the maximum value may not exceed 4096. If no parameters are given, the standard settings are used to generate the key.
- The dialog that follows allows users to see and change the file in which the SSH key is to be stored (“Enter file in which to save the key”). A passphrase for the private key can also be defined at this point (“Enter passphrase”). If you opt for the standard directory and do not wish to set a passphrase for your key, leave these prompts empty and skip them by pressing Enter.
- Both SSH keys are now stored in separate files in the abovementioned directory. The file id_rsa.pub contains the public key, which now needs to be added on the server to the file authorized_keys in the subfolder .ssh. First, copy the key into the home directory of the respective user on the server:
scp ~/.ssh/id_rsa.pub USER@HOST.com:
- Log onto the server and append the public SSH key to the right file:
ssh USER@HOST.com
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
- Now the key pair, as well as the passphrase (should one be defined), should be used automatically when the SSH connection is established. If this is not the case, check whether the permissions for the folder .ssh and the file authorized_keys have been set properly.
- Given that public key authentication replaces normal password authentication, users are able to turn off the standard procedure in the SSH configuration file /etc/ssh/sshd_config (or directly under /etc/, e.g. in Cygwin). Change the line “PasswordAuthentication yes” to, you guessed it, “PasswordAuthentication no” and then restart the server.
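The permission check and the PasswordAuthentication change from the last two steps can be verified with a short script. This is an added example, not part of the original guide: the function names are hypothetical, the home directory is checked in addition to .ssh and authorized_keys, and a single sshd_config without Include files or Match overrides is assumed.

```sh
#!/bin/sh
# Added example; helper names are hypothetical, not part of OpenSSH.

# perm_ok PATH: true only if PATH exists and neither group nor others may
# write to it, the condition sshd enforces under its default StrictModes.
perm_ok() {
    [ -e "$1" ] &&
        [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]
}

# check_key_perms HOME: checks HOME, HOME/.ssh and HOME/.ssh/authorized_keys.
check_key_perms() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if ! perm_ok "$p"; then
            echo "FAIL: $p is missing or writable by group/others"
            rc=1
        fi
    done
    return "$rc"
}

# effective_password_auth FILE: prints the global PasswordAuthentication
# value sshd would take from FILE. Keywords are case-insensitive, the first
# value read wins, and OpenSSH defaults to "yes" when nothing is set.
# Assumption: Include files and Match blocks are not evaluated.
effective_password_auth() {
    awk '{ sub(/[=]/, " ") }                    # allow Keyword=value
         tolower($1) == "match" { exit }        # global section ends here
         tolower($1) == "passwordauthentication" {
             print tolower($2); found = 1; exit
         }
         END { if (!found) print "yes" }' "$1"
}

# Constructed demo data (not from a real host): a group-writable .ssh
# folder and a config that sets the keyword twice.
demo=$(mktemp -d)
mkdir -p "$demo/home/.ssh"
: > "$demo/home/.ssh/authorized_keys"
chmod 755 "$demo/home"
chmod 775 "$demo/home/.ssh"
chmod 600 "$demo/home/.ssh/authorized_keys"
printf '%s\n' '#PasswordAuthentication yes' 'passwordauthentication no' \
    'PasswordAuthentication yes' > "$demo/sshd_config"
check_key_perms "$demo/home" ||
    echo "fix: chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys"
echo "PasswordAuthentication: $(effective_password_auth "$demo/sshd_config")"
rm -rf "$demo"
```

On a real server, call check_key_perms "$HOME" as the login user and effective_password_auth /etc/ssh/sshd_config before restarting, so that a key login which still fails is noticed before password login is switched off.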
Generate SSH key with the PuTTY Key Generator
- Those using PuTTY to establish an SSH connection have the option of employing the bundled tool PuTTYgen for generating key pairs. The PuTTY Key Generator can be found in the same directory in which PuTTY was installed. Should the tool be missing, simply download it from the PuTTY download page.
- After starting the tool, select the type of encryption you wish to use under “Parameters”. For SSH-2, users are able to choose between RSA and DSA. Define the length of your desired key under “Number of bits in a generated key”.
- Next, click on “Generate” and move the cursor back and forth in the empty area of the dialog box to make sure the generated key is unique.
- Once the key has been generated, you can add a comment and a passphrase to the key pair.
- Save both SSH keys by clicking “Save private key” and “Save public key”.
- In order to transfer the public key onto the server, connect to the server with PuTTY, copy the key from the field "Public key for pasting into OpenSSH authorized_keys file" to the clipboard, and paste it into the authorized_keys file.
- For the last step, enter the private SSH key into the PuTTY client. Open the configuration menu and, under "Category" > "Connection" > "SSH" > "Auth", select the file of the private key in the field "Private key file for authentication".