How To Set Up SSH Keys

A quick guide on using SSH Keys to secure your connections.

Blue Light Tech

SSH Keys

SSH keys provide a more secure way of logging in to a virtual private server than using a password alone. While a password can eventually be cracked with a brute-force attack, SSH keys are extremely difficult to break by brute force alone. Generating a key pair gives you two long strings of characters: a public key and a private key. You can place the public key on any server, and then unlock it by connecting with a client that already has the private key. When the two match up, the system unlocks without the need for a password. You can increase security even further by protecting the private key with a passphrase.

  1. Create the RSA Key Pair
  2. Save Passphrase and the Keys
  3. Duplicate the Public Key
  4. Optional - Disable the Password

Create the RSA Key Pair

The first step is to create the key pair on the client machine (most likely this is just your own computer):

ssh-keygen -t rsa

You should get an output as shown in the image below:

Save Passphrase and the Keys

After you have entered the command, you'll get a couple more questions:

Enter file in which to save the key (/home/williams/.ssh/id_rsa):

You can press Enter here to accept the path shown and save the file (in this instance, my user is called williams).

Enter passphrase (empty for no passphrase):

You will see output like that in the image below:

It is your decision whether to use a passphrase. Entering a passphrase has its advantages. The security of a key, no matter how strong its encryption, still depends on the key not being accessible to a third party. By adding another layer of protection with a passphrase, even if the private key ends up in the wrong hands, the hacker will still need to know the passphrase to use it. However, this does mean the passphrase has to be entered on connection, which may not suit your application requirements.

The complete key generation procedure resembles this:

Duplicate the Public Key

After the pair is created, it is time to put the public key on the virtual server that you would like to use.

You can copy the public key into the new machine's authorized_keys file with the ssh-copy-id command. Be sure to replace the example username and IP address.

ssh-copy-id demo@

Another method is to copy the keys over using the following command:

 cat ~/.ssh/ | ssh demo@ 'mkdir -p ~/.ssh && cat >>  ~/.ssh/authorized_keys'

Now you can go ahead and log in to demo@ and you won't be prompted for a password. If you set a passphrase, however, you'll be asked to enter it on connection.
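The manual copy command above relies on the server's umask for the permissions of ~/.ssh and appends the key again every time it is run. As an added example (not part of the original guide), the function below does the same append on the server side while setting the modes sshd expects, rejecting a file that is not a public key, and skipping a key that is already installed; install_pubkey and its arguments are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the original guide. install_pubkey and its
# arguments are hypothetical names chosen for this illustration.
# Usage on the server: install_pubkey /path/to/uploaded.pub "$HOME/.ssh"

install_pubkey() (
    pubkey_file=$1   # public half of the pair (the .pub file from ssh-keygen)
    ssh_dir=$2       # the login user's .ssh directory on the server

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }

    # A public key file is one line: "<type> <base64 blob> [comment]".
    key_line=$(grep -v '^[[:space:]]*$' "$pubkey_file" | head -n 1)

    # Reject anything else, e.g. the private key file picked by mistake.
    printf '%s\n' "$key_line" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+=*( .*)?$' ||
        { echo "refusing: not a public key line" >&2; return 2; }

    # sshd's StrictModes (on by default) ignores authorized_keys when the
    # directory or file is writable by other users, so create both private.
    umask 077
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    auth=$ssh_dir/authorized_keys
    touch "$auth" && chmod 600 "$auth" || return 1

    # Match on the base64 blob alone, so a different comment or an
    # options prefix on an existing entry does not cause a duplicate.
    blob=$(printf '%s\n' "$key_line" | cut -d' ' -f2)
    if awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
                         END { exit !f }' "$auth"; then
        echo "already installed"
        return 0
    fi

    printf '%s\n' "$key_line" >> "$auth"
    echo "installed"
)
```

The function body runs in a subshell, so the umask change does not leak into the calling shell.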

Optional - Disable the Password

After you have copied your SSH keys onto your server and made sure you can log in with them, you can restrict the root login so that it is only allowed via SSH keys.

To do that, open the SSH daemon's config file:

sudo nano /etc/ssh/sshd_config

Within that file, locate the line which includes PermitRootLogin (or add it if it's not there already) and change it so that root can only log in with an SSH key:

PermitRootLogin without-password

You should see this:

The ssh daemon must be reloaded to apply the changes:

reload ssh

1 Comment

Adrian - 17/11/2015 14:45:05

Simple, but worked for me! Thanks guys