Introduction
Most folks are familiar with logging into a device or a a web page using a username and password. But a more secure method is to use a public private key exchange.
Ubuntu comes preinstalled with all the tools necessary to create public private keys. The private key is kept hidden and secure. The public key will be give out freely. It is recommend that you rotate your key pair frequently as a safety precaution.
In this article, we will look you how to generate a key pair, save your private key to a secure location, copy your public key to a remote host, troubleshoot, and introduce an auto login auto method.
Create a key pair
In order to make this work, you must have a user account already on the remote server.
Login to the Linux computer that will be the device that you will connect from. This computer is the main control computer and where you will save your private key.
Open a command line prompt and run …
ssh-keygen -t rsaAfter the keys are generated, they will be stored under:
- /home/username/.ssh/id_rsa (private key).
- /home/username/.ssh/id_rsa.pub (public key).
Store the fingerprints of the remote PC
Before we can use the keys, we need to first store the remote server’s finger prints. We do this by ssh to the remote server three times.
- Server’s host-name (i.e. server1).
- Server’s FQDN (server1.mycomapny.com).
- Server’s IP address (192.168.20.100).
ssh username@hostname, FQDN, and IP addressEach time you ssh, you will be cautioned that the server is unknown and do you want to store the fingerprint. Select yes.
The fingerprints will then be stored in a file located under the specific user at /home/username/.ssh/known_hosts.
Push the public key to the remote host
ssh-copy-id ~/.ssh/id_rsa.pub username@hostnameThis will create the ~/.ssh/authorized_keys directories, if they do not exist and place the public key inside the file.
Add a passphrase to your private key
If you add a passphrase to your key, if the key gets compromised, bad actors will need to crack the passphrase first before they can use the key. This may give you a little extra time. You can use this time to generate new keys. It is best practice to add a passphrase.
To clear a passphrase, just hit enter, when it prompts you too add a phrase.
ssh-keygen -p 
Automatically present your private key
If you add a passphrase to a key you will be prompted to enter it each time you logon to a remote server. If you have multiple servers to login to, it can become a burden.
The solution is to temporary store your passphrase. It will only be kept as log as the current session is running. If you logout of you session the temp file is auto removed.
It will be auto presented on login by running two small built in programs by using these commands.
eval $(ssh-agent)
ssh-add /home/username/.ssh/id_rsaUse a key other than the default
You can specify the file path to a specific key or if it is not stored in the default location by using the -i switch.
$ ssh -i ~/.secret/pvtkey.key username@hostname-i = identity file (aka. private key)
Troubleshoot File Permissions
- Verify .ssh and authorized keys belong to the correct user. chown -R user:user ~/.ssh
- Check permissions of files.
- Authorized_keys = 644 = loaded on the remote servers you are connecting to
- .ssh = 700
- public key = 644
- private key = 600
- known_hosts = 644
- home directory = /home/user = chmod go-w /home/user
- restart ssh after permissions update = $ service ssh restart
Remove a host from authorized_host file
If you replace a remote host that you connect to and reuse the IP address or the host name. they next time you connect you may get an error. This is because the remote host fingerprint has changed. The older fingerprint needs to be removed and and new fingerprint needs to be installed (see above).
ssh-keygen -f "/home/username/.ssh/known_hosts" -R [IP of host to remove]