Generate SSH keys and use them to log into your CentOS/ RHEL / Debian Server

SSH key login setup for Linux servers

Last updated on September 17th, 2020 at 11:49 am

In this post you’ll set up SSH keys for your server and configure SSH key authentication so that you can log in with your private and public key pair instead of a password.

Watch the video or read on if you want to set up SSH key authentication on your server.

Feel free to follow along with any Linux distro.

The steps we’ll go through:

  • Generate SSH keys on our Local Linux / Mac computer
  • Copy our public key onto the Server
  • Test if we can log in via the SSH key pair
  • Disable root login and password authentication.

Before continuing with this post, ensure you have created a new sudo user on your Linux server.

If you are using Windows, watch this video which will show you how to generate and enable SSH key pair login into your Linux Server.

Take note:

You can generate the keys using the default options, in which case the keys get the default names (id_rsa and id_rsa.pub) and are stored in the default location (~/.ssh). Use this if you only have one server to manage or if it is your first server. For the purpose of this post we’ll call this the default generation of keys.

You can also change where the keys are stored and how they are named. This is better because you can create multiple SSH key pairs for different users or servers. For the purpose of this post we’ll call this the custom generation of keys.

In this post I will show you how to handle both scenarios, starting with default generation of keys.

A. Default generation of keys

In this case we will not change the name or location of the SSH keys. Let’s see how to generate and set up the keys and log in with them.

#1 Create Public and Private SSH Key pair

This part is done on your local computer NOT on the server.

First we need to generate the public and private SSH key pair. The public key will later be added to the server; the private key stays on your computer and is never copied anywhere.

The following command creates the pair in the default directory; the path is printed once the keys are created.

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

If you run ssh-keygen on its own, the key will be generated with the default key settings.

-b specifies the bits to be generated, in this case 4096 bits

-C is just a comment for the key. Read more about SSH options here.

After entering the command above, you will be asked :

Enter file in which to save the key

You can press enter to use the defaults.

Please note that if you change the name of the key or where it is stored, how you log in will be slightly different. Later on, I will show you how to change the location and name of the key and how to use it to log in.

Next you will be asked to enter a passphrase. A passphrase is like a password for your key: without it, anyone who obtains the private key file can use it. To improve security, enter one, and make sure it is a passphrase you will remember.

Confirm the passphrase, then press enter.

Your key is now created. The path of your key will be shown to you once it is created. You can copy it or not. When we change the path and name of our keys, copying this path will be important. For now, since we used the defaults, we don’t need it.

The final screenshot after generating your SSH keys:

 SSH key generate key pair on ubuntu for any Linux server

You have your private and public key. The next step is to add the public SSH key to your Linux Server.

#2 Copy keys to remote server

Next, let us copy the public key to the Server.

Continue working on your local computer. This part is still being done on your local Linux or Mac Computer.

The user you are adding the public SSH key for should be the new sudo user you created.

Run the following to add your public key to your server.

ssh-copy-id username@server_ip

For example, if my IP is 127.0.0.1 and my username is newuser2020, I will add it as follows:

ssh-copy-id newuser2020@127.0.0.1

When asked for any login credentials, enter them, then press enter.

If you are on a Mac, you may need to install ssh-copy-id .

You can install ssh-copy-id using Homebrew:

brew install ssh-copy-id

If you’re lost on this, just google how to install ssh-copy-id on a Mac.

Important:

ssh-copy-id username@server_ip on its own will only work if you did not change the path or name of the SSH key pair generated above.

#3 Change Key & Directory permissions

On Linux, SSH key files must have permissions of 600 or more restrictive. Overly open permissions will make SSH report an error and refuse to use the key until the problem is fixed.

This step is done on your server.

Log into your server using the user for whom you added the SSH keys.

We will change the permissions of the .ssh directory and the authorized_keys file using the following command (sudo is not needed, because the files belong to your user):

chmod -R 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

authorized_keys is the file on your server which contains the public keys allowed to log in as this user.

You have now added your public SSH key on the server. The next step is to ensure that you can log in using your keys.

#4 Confirm you can Log into server via the Private key

Now that you have added the key for your sudo user, the next step is to log in using the private key and test that it works.

To test this, open a new terminal window, then ssh into your server as follows:

ssh username@server_ip

For example, if my IP is 127.0.0.1 and my username is newuser2020, I will log in as follows:

ssh newuser2020@127.0.0.1

Disallow Root Login and Password Authentication

Since you can now log in with your new sudo user using SSH keys, a good security practice is to disallow root login and password authentication on your server. This is configured in the SSH daemon’s configuration file. Open it using nano.

sudo nano /etc/ssh/sshd_config

Look for the PermitRootLogin line, uncomment it if it is commented, and set the value to no.

PermitRootLogin     no

Do the same for the PasswordAuthentication line, which should be uncommented already:

PasswordAuthentication      no

Save and close the file (CTRL+X to exit, then Y to confirm the changes, then Enter).

To apply the new settings, reload SSH. Keep your current session open and test a fresh key login from a second terminal before closing it, so that a mistake in the config cannot lock you out.

sudo systemctl reload sshd
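The manual edit above (uncomment the directive, set it to no, reload) can be done repeatably and checked before the reload. This is an added example, not code from the original post; it assumes GNU sed on a Linux server and that the directives sit above any Match block, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): set the sshd_config directives
# the post edits by hand, then validate the file before reloading sshd.
# Assumes GNU sed (a Linux server) and that the directives sit above any
# Match block, which this simple rewrite does not understand.

# set_sshd_option CONFIG KEY VALUE
# Rewrites every "KEY ..." line, commented or not, to "KEY VALUE";
# appends the directive when the file has no such line at all.
set_sshd_option() {
  config="$1"; key="$2"; value="$3"
  if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|\$)" "$config"; then
    sed -i -E "s/^[[:space:]]*#?[[:space:]]*$key([[:space:]].*)?\$/$key $value/" "$config"
  else
    printf '%s %s\n' "$key" "$value" >> "$config"
  fi
}

# get_sshd_option CONFIG KEY
# Prints the value of the first uncommented KEY line (sshd honours the first match).
get_sshd_option() {
  awk -v k="$2" '$1 == k { print $2; exit }' "$1"
}

# harden_sshd [CONFIG]
# Applies the two settings from the post. "sshd -t" rejects a broken file
# before a reload can lock you out; keep your current session open until a
# fresh key login from a second terminal succeeds.
harden_sshd() {
  config="${1:-/etc/ssh/sshd_config}"
  set_sshd_option "$config" PermitRootLogin no
  set_sshd_option "$config" PasswordAuthentication no
  # Distros whose sshd_config begins with "Include /etc/ssh/sshd_config.d/*.conf"
  # can re-enable passwords from a drop-in file; "sshd -T" shows the effective value.
  sshd -t -f "$config" && systemctl reload sshd
}

# demo_on_sample_config: writes a constructed three-line sshd_config fragment to
# a temp file, hardens it in place and prints the file path for inspection.
demo_on_sample_config() {
  tmp=$(mktemp)
  printf '#PermitRootLogin prohibit-password\nPasswordAuthentication yes\nPort 22\n' > "$tmp"
  set_sshd_option "$tmp" PermitRootLogin no
  set_sshd_option "$tmp" PasswordAuthentication no
  printf '%s' "$tmp"
}
```

Run harden_sshd as root on the real file only after a key login has succeeded; demo_on_sample_config is safe to run anywhere.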

B. Custom generation of keys.

In this next part, you will see how to change the default key location and name. With this method, you will have to reference the path of your key when you log in.

The steps are the same as above, so I will not repeat the explanations.

#1 Generate the keys

This part is done on your local Mac or Linux PC.

First, create a folder where you will store the keys. You can create it inside the .ssh directory. This is a nice way to group authentication keys for different servers or users.

I will call mine vultvesta to indicate that it is for a Server on Vultr, intended for VestaCP. Do not use sudo to create this directory.

mkdir -p $HOME/.ssh/vultvesta

Once the directory is created, the next step is to create the keys in that directory.

ssh-keygen -t rsa -b 4096 -C "your_email@example.com" -f $HOME/.ssh/vultvesta/firstserver_rsa

From the above command, note that:

vultvesta – This is the name of the folder I created above. Replace it with the name of your folder.

firstserver_rsa – This is the filename I want for my public and private keys. Use a name of your choice.

Then enter a passphrase and confirm it.

Once it is created, copy and save the path for your keys. The path will be displayed on the terminal window once the SSH keys have been generated.

Generate the SSH keys

The created keys will be named firstserver_rsa and firstserver_rsa.pub, and they will be stored in the vultvesta folder.

#2 Add Public Key to the server

If you have multiple keys on your local PC, use -i to specify the correct public key. If you created your keys in a different directory, as above, also use -i to identify the public key to add to your server:

ssh-copy-id -i ~/path-to-public-key username@server_ip

For instance, based on the key pair I created above, with user newuser2020 and IP 127.0.0.1:

ssh-copy-id -i ~/.ssh/vultvesta/firstserver_rsa.pub newuser2020@127.0.0.1


#3 Change permissions

We will change the permissions of the .ssh folder and the default authorized_keys file using the following command (sudo is not needed, because the files belong to your user):

chmod -R 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

#4 Log in via SSH key

To log in via SSH, this time round you have to add the path of your private key:

ssh username@server_ip -i ~/.ssh/path-to-private-key

e.g.

ssh newuser2020@127.0.0.1 -i ~/.ssh/vultvesta/firstserver_rsa

The -i option lets you choose the identity file (private key) used to log in.

Once you confirm you can log in successfully, disable Root Login and Password Authentication as is directed above.

SSH conventions that hold across Linux distros:

  • The SSH keys are kept here by default: ~/.ssh
     ~ is an alias for the current user’s home directory, e.g. /home/myuser
  • The public key has the .pub extension.
  • Known server fingerprints are written to known_hosts on your local computer (and on the server, when it connects out as a client).
    This is used to detect “man in the middle” attacks. If a host’s key changes, SSH will report an error instead of connecting silently.
  • On any Linux server, authorized_keys is used to store public keys. You can add multiple public keys; each must be on its own line.
  • SSH key files must have permissions of 600 or more restrictive. Open permissions will make SSH report an error and refuse to use the key until the problem is fixed.

That is how to generate and set up SSH keys for logging into your Linux server. You can now log into your RHEL / CentOS / Debian / Ubuntu server using SSH keys.
