How to Generate and Use SSH Keys on Ubuntu

In this tutorial, we will be showing you how to generate and use SSH keys on the Ubuntu operating system.


SSH Keys are a critical way to significantly enhance the security of your Ubuntu device’s SSH connection.

These keys are the recommended way to connect securely to a device, as someone would have to steal the entire SSH key to gain access to your system.

Every SSH key is a pair, where one key is used to verify content signed by the other. The key that creates the signature is called the private key and must stay on your device. The key used to verify that signature is called the public key.

Over the following few sections, we will show you how to generate an SSH key on Ubuntu and then use it to make a connection.

Generating SSH keys on Ubuntu

Within this section, we will be showing you how to generate the SSH keys on your Ubuntu system. All the tools you need to generate these keys are already bundled with your system if it has SSH installed.

When you generate a key, it will create both private and public keys. The public key is the one you want to copy to the systems you want to connect to using the generated SSH private key.

1. Generating an SSH key on Ubuntu is straightforward, thanks to the “ssh-keygen” program. This program allows you to generate a key by using a single command.

With the following command we can generate an SSH key pair on Ubuntu using the ed25519 algorithm.

ssh-keygen -t ed25519 -a 100

Let us go over the two options used with this command and explain what they are used for.

  • -t ed25519 – Using this option, we are telling the “ssh-keygen” tool to generate this SSH key on Ubuntu using the “ed25519” algorithm.

    This algorithm has speed and security improvements over the older “RSA” algorithm and should be supported by most SSH clients.

    If you need an SSH key that uses the older RSA algorithm, then change this to “-t rsa”.
  • -a 100 – This option specifies how many rounds of key derivation are performed when the private key is saved with a passphrase. The more rounds, the slower each passphrase check becomes, which makes the passphrase harder to brute-force if the key file is stolen.

    At the time of publishing, setting this to “100” is a good middle ground, adding security without making the key too slow to use.

2. During key generation, you will be asked a few additional questions.

The first question asks you where you want your SSH key pair to be saved on Ubuntu. By default, this will be saved into a directory called “.ssh” within your user’s home directory.

If you are happy with the default directory, press the ENTER key to continue.

Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/USERNAME/.ssh/id_ed25519): 

3. If you already have an SSH key pair generated using the ED25519 algorithm you will be asked whether you want to overwrite the existing key.

If you don’t see this message, skip to the next step.

To overwrite this key, you will need to type “y” and press ENTER. Alternatively, type “n” to abort the generation process.

/home/pi/.ssh/id_ed25519 already exists.
Overwrite (y/n)? 

4. You will now be asked if you want to set a passphrase for your Ubuntu SSH key. This passphrase encrypts the private key, meaning you must type it in every time you use the key.

For enhanced security, it can be useful to set a passphrase, as an attacker would need to know the passphrase even if they stole the SSH key.

We recommend you set a passphrase, as anything that improves security is a plus.

Enter passphrase (empty for no passphrase): 

5. Before the key is generated, you must type in the same passphrase specified in the last step.

If you didn’t set a passphrase, then press the ENTER key again.

Enter same passphrase again:

6. The SSH key will now be generated on your Ubuntu device. Once generated, you will get a message similar to the one we have below.

This message tells you information such as where it saved both the private and public SSH keys. Additionally, it also tells you the SHA256 fingerprint for the key (Used to verify the key).

The randomart is used for easier verification of an SSH key by a human since humans aren’t the best at comparing random text like the key fingerprint.

Your identification has been saved in /home/USERNAME/.ssh/id_ed25519
Your public key has been saved in /home/USERNAME/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:UWOFLkoeSJtMZzUXxM2+O7gssL15/1d4PouAZyCcKE0 USERNAME@HOSTNAME
The key's randomart image is:
+--[ED25519 256]--+
|       .ooB*.    |
|    o o  =o.o    |
|   + E  .. .     |
|    B = o.. .    |
|   . = *So   . . |
|    . + . o . . o|
|       + . = . o.|
|      . oo= + ..o|
|        o+oo.+.oo|
+----[SHA256]-----+

7. You can now see where your SSH key pair is on your Ubuntu device by using the ls command.

ls -l ~/.ssh/

Below is the result we got after listing the contents of our “~/.ssh/” directory.

total 8
-rw------- 1 pi pi 411 Oct  5 08:19 id_ed25519
-rw-r--r-- 1 pi pi  96 Oct  5 08:19 id_ed25519.pub

With this result, you can see that we have successfully generated SSH keys on your Ubuntu device.

The “.pub” file is the public key you will transfer to any server you want to connect to with the SSH keys.

Copying your SSH Public Key from Ubuntu

This section will cover how you can copy your Ubuntu user’s freshly generated SSH key to another device. This process is straightforward if you already have SSH enabled on your target device.

Using “ssh-copy-id” to copy your SSH Public Key

To copy your public SSH key from your Ubuntu device to your destination server, we will utilize an inbuilt SSH tool called “ssh-copy-id”. This tool greatly simplifies copying over public SSH keys from one device to another.

For this to work, you will need SSH on your remote device, with password authentication enabled.

1. To begin copying your newly generated Ubuntu SSH public key to your device, run the following command.

You will need to replace “USERNAME” with the user on the server and “REMOTE_HOST” with the IP address of that server.

ssh-copy-id USERNAME@REMOTE_HOST

For example, we used the following command to connect to our Ubuntu development server from our Ubuntu desktop.

ssh-copy-id pimyubu@192.168.0.38

2. The tool will now tell you the keys it intends to install to the system you are connecting to.

As you can see from our response below, the SSH key it intends to install is the one we just generated on Ubuntu using the “ed25519” algorithm.

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/USERNAME/.ssh/id_ed25519.pub"

3. If this is the first time connecting to the server you will be asked to verify the authenticity of the host.

To continue with the connection, you will need to type in “yes” and press the ENTER key.

The authenticity of host '192.168.0.38 (192.168.0.38)' can't be established.
ECDSA key fingerprint is SHA256:B5vB0UOE6KBAXV4giXD/JdgkpQZtSnk/ETiO1ZpTMR8.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

4. The “ssh-copy-id” tool will now begin the process of connecting and copying over your public key to the relevant location.

First, it will check if your Ubuntu SSH key is already installed on the remote server by attempting to log in to it.

If the login fails for any key, it will add it to the list of keys that need to be installed. In our case, it is only the one key we just generated.

You will now need to type in the password for your user to log in and complete the copying process.

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
pimyubu@192.168.0.38's password:

5. If we successfully installed your Ubuntu user’s public SSH key, you will see a message similar to the one shown below.

You should now be able to connect to your server thanks to your SSH private key. We will use this key to authenticate your Ubuntu client with the remote server.

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'pimyubu@192.168.0.38'"
and check to make sure that only the key(s) you wanted were added.

Copying your Ubuntu SSH Public Key using SSH

If the “ssh-copy-id” tool is unavailable to you, there is another way you can copy the key while still using SSH.

While this process is still reasonably straightforward, it removes some of the automation that the “ssh-copy-id” tool performs.

1. With this, we will be using what looks like a rather lengthy command. This is because we have to pipe the contents of our Ubuntu user’s public SSH key over SSH.

Before we run it, let us quickly go over what will occur with this command. That way, you can understand everything being run on the remote device.

  • “cat ~/.ssh/id_ed25519.pub |” – We start by using the cat command to grab the contents of the public key and pipe (|) it into the SSH command.
  • “ssh USERNAME@REMOTE_HOST” – With SSH, we are issuing several commands back-to-back to the remote host.
    • “mkdir -p ~/.ssh” – First, we run mkdir to ensure the user has a “.ssh” directory in their home.
    • “touch ~/.ssh/authorized_keys” – We then use the touch command to ensure the “authorized_keys” file exists. This file is where any authorized public key sits.
    • “chmod -R go= ~/.ssh” – Our next step is to ensure all of the correct permissions exist by removing group and other permissions from the “~/.ssh/” directory.
    • “cat >> ~/.ssh/authorized_keys” – Finally, we output the contents of the public key we piped into the SSH command. The result is redirected to the end of the “authorized_keys” file.

2. Now that you understand how this command can copy your Ubuntu public SSH key to the remote server, let us now execute it.

All you need to do to copy this public key is to utilize the following within the terminal. Ensure you replace “USERNAME” with the name of your user and “REMOTE_HOST” with the IP of the remote server.

cat ~/.ssh/id_ed25519.pub | ssh USERNAME@REMOTE_HOST "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"

3. If this is the first time you have performed an SSH connection to this remote server, you will be asked to verify the host.

To continue with the connection, type in “yes”, then press the ENTER key.

The authenticity of host '192.168.0.38 (192.168.0.38)' can't be established.
ECDSA key fingerprint is SHA256:B5vB0UOE6KBAXV4giXD/JdgkpQZtSnk/ETiO1ZpTMR8.
Are you sure you want to continue connecting (yes/no/[fingerprint])?

4. After the connection is made you will need to type in the password for your user.

Once you press ENTER, we will execute all the above-mentioned commands, and SSH will copy your public key to the remote server.

pimyubu@192.168.0.38's password:

Copying your Public Key Manually without SSH

Suppose you currently don’t have SSH set up on your remote device or are currently unable to connect. In that case, it is possible to copy your Ubuntu device’s public SSH key manually.

This process isn’t too painful if you use the “ed25519” algorithm, as the key is significantly shorter than RSA.

1. On your Ubuntu machine (the client), we will start by getting the contents of your newly created SSH key.

Here we will use the cat command to print the contents of the public key to the terminal.

cat ~/.ssh/id_ed25519.pub

After running the above command, you should end up with something like below in the terminal. This is the value you will need to copy over to your remote device.

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO2mPtB0Wp/oVsbbYZULVOlw+uTTWNJv7lvztKC83h3Q USERNAME@HOSTNAME

2. The following steps need to be performed on your target server. These are written for Linux systems using SSH.

Additionally, you should be running these commands as the user you intend to connect as.

3. First, we must ensure that the “.ssh” directory exists for our user on the target system.

To do this, you will want to run the following command within the terminal.

mkdir -p ~/.ssh

4. Now that we have ensured the “.ssh” directory exists, we can insert the public SSH key you generated into the “authorized_keys” file.

When typing this command, replace “SSH_PUBLIC_KEY” with the key you got in step 1 of this section. This string is the public key to authenticate a connection created using the private key.

echo SSH_PUBLIC_KEY >> ~/.ssh/authorized_keys

5. With our Ubuntu user’s public key now on this device, we need to ensure that permissions have been set up correctly.

We need to make sure that only the user has permission to access both the “.ssh” directory and the files contained within it.

We can achieve this by using the following chmod command. With the way this is written, it will remove permissions for “group” and “other”.

chmod -R go= ~/.ssh

6. You have now successfully copied your public SSH key from Ubuntu to the SSH server you want to connect to.
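The manual steps above append whatever is pasted, so a mistyped line or a private key pasted by accident ends up in “authorized_keys”. The following is an added example, not part of the original tutorial, that validates the line, skips keys that are already installed, and applies the same permission fix; the function name “install_pubkey” and the scratch directory are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example, not from the tutorial. install_pubkey is a made-up name.
# Usage: install_pubkey "<public key line>" [ssh_dir]
install_pubkey() {
    local key="$1" dir="${2:-$HOME/.ssh}" file type blob
    file="$dir/authorized_keys"
    # Accept exactly one line shaped like "<type> <base64> [comment]".
    # This also rejects a private key pasted by mistake.
    if [ "$(printf '%s\n' "$key" | grep -c '')" -ne 1 ] ||
       ! printf '%s\n' "$key" | grep -Eq \
         '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$'
    then
        echo "not a single OpenSSH public key line" >&2
        return 2
    fi
    type=${key%% *}
    blob=${key#* }; blob=${blob%% *}
    mkdir -p "$dir" && touch "$file" || return 1
    # Compare key type and key material only, so the same key with a
    # different comment or with leading options is not added twice.
    if awk -v t="$type" -v b="$blob" '
           { for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == b) hit = 1 }
           END { exit !hit }' "$file"
    then
        echo "already installed"
    else
        printf '%s\n' "$key" >> "$file"
        echo "added"
    fi
    # Same permission fix as the tutorial: owner only.
    chmod go= "$dir" "$file"
}

# Demo in a scratch directory, using the sample key shown in step 1.
scratch=$(mktemp -d)
sample='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO2mPtB0Wp/oVsbbYZULVOlw+uTTWNJv7lvztKC83h3Q USERNAME@HOSTNAME'
install_pubkey "$sample" "$scratch/.ssh"      # prints: added
install_pubkey "$sample" "$scratch/.ssh"      # prints: already installed
rm -rf "$scratch"
```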

In the next section, we will cover exactly how easy it is to connect using SSH keys.

Connecting over SSH Using Your New SSH Key on Ubuntu

This section will show how you can connect to another device using the SSH keys you generated on your Ubuntu device.

We will assume that you have already gone through the effort of copying over your public key to the destination server. The public key is required as it verifies the connection created using your device’s private key.

1. Making an SSH connection is as straightforward as using the SSH command as you normally would.

The SSH client will automatically try the default SSH key files stored within the “.ssh” directory and use them to complete the connection.

Begin the connection by using the following command on your Ubuntu device. You will need to replace “USERNAME” with the username and “REMOTE_HOST” with the IP address of the server you want to connect to.

ssh USERNAME@REMOTE_HOST

2. If you set a passphrase for your SSH keys during generation, you will now be asked to re-enter that passphrase.

SSH can’t begin the connection without the passphrase, as the private key file is encrypted using it.

3. If everything has worked correctly, you should have been able to connect over SSH without having to type in a password for that user. The SSH key you generated on your Ubuntu device will be your authentication key.

You can now enhance the security of your remote device by disabling password authentication over SSH.

Disabling Password Authentication on your Server

Once your Ubuntu user’s public SSH key is added to the remote location, you might want to disable the ability to log in using a password. However, doing this means every user will need an SSH key to log in.

The following steps should all be run on the server you are connecting to. Additionally, be warned that if you haven’t set up SSH keys correctly, this will break your SSH connection.

1. On your target server, you will want to run the following command to begin editing the SSH configuration file.

You will need to be a superuser to perform this task.

sudo nano /etc/ssh/sshd_config

2. You will want to find and modify the following line within this file. This line tells the SSH daemon that it can accept password authentication.

Using the nano text editor, you can search for this line by pressing CTRL + W.

#PasswordAuthentication yes

Replace it with the following, removing the hashtag (#) and changing the value from “yes” to “no”.

PasswordAuthentication no

3. Once you have changed the SSH config, you can save and quit by pressing CTRL + X, then Y, followed by the ENTER key.

4. For these changes to take effect, you will need to restart the “sshd” service. Restarting will not kill off any current SSH connections.

Restart the sshd service by using the following command.

sudo systemctl restart sshd

5. Before you close your current SSH connection, you should ensure that the SSH keys are still working properly.

You can do this by opening up a new terminal window and trying to connect to your remote host with the following command.

Ensure you replace “USERNAME” with the username and “REMOTE_HOST” with the host’s IP address.

ssh USERNAME@REMOTE_HOST

6. If you successfully connected, everything is working correctly, and it’s safe to close any current connections.

Password logins over SSH will no longer work with the remote server. Instead, any user will need an SSH key like the one you generated on your Ubuntu system.
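A check worth running before the restart in step 4, as an added example that is not part of the original tutorial: it reads configuration files and reports whether password logins are off while key logins are still on. The function names are made up for this example, and it assumes you pass the files in the order sshd reads them, because sshd keeps the first value it finds for each keyword.

```shell
#!/usr/bin/env bash
# Added example, not from the tutorial. Function names are made up here.
# Only global settings are considered: within each file, lines after a
# "Match" line are skipped.
effective_value() {
    local keyword="$1"; shift
    awk -v want="$keyword" '
        BEGIN                  { want = tolower(want) }
        FNR == 1               { in_match = 0 }
        /^[ \t]*(#|$)/         { next }
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == want { print tolower($2); found = 1; exit }
        END                    { exit !found }
    ' "$@"
}

check_key_only_login() {
    local pw pk
    # sshd defaults to "yes" for both keywords when they are never set.
    pw=$(effective_value PasswordAuthentication "$@") || pw=yes
    pk=$(effective_value PubkeyAuthentication "$@") || pk=yes
    if [ "$pk" != yes ]; then
        echo "UNSAFE: PubkeyAuthentication=$pk, key logins would be refused"
        return 2
    fi
    if [ "$pw" != no ]; then
        echo "NOT HARDENED: PasswordAuthentication=$pw"
        return 1
    fi
    echo "OK: key logins on, password logins off"
}

# Constructed sample files standing in for an included drop-in and the
# main configuration file.
demo=$(mktemp -d)
printf '%s\n' 'PasswordAuthentication yes' > "$demo/50-dropin.conf"
printf '%s\n' '#PubkeyAuthentication yes' 'PasswordAuthentication no' > "$demo/sshd_config"
check_key_only_login "$demo/sshd_config"
# An earlier drop-in that still says "yes" overrides the edited main file.
check_key_only_login "$demo/50-dropin.conf" "$demo/sshd_config" || true
rm -rf "$demo"
```

On the server itself, “sudo sshd -T” prints the settings as the daemon resolves them, so searching its output for “passwordauthentication” and “pubkeyauthentication” gives the same answer for the live configuration.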

Conclusion

Throughout this tutorial, we have shown how you can generate and use SSH keys on the Ubuntu operating system.

SSH keys are a critical way to improve the security of SSH connections. Generating and using these keys on Ubuntu will help improve the security of both your system and the one you are connecting to.

Please comment below if you have had any issues generating an SSH key on Ubuntu.
