Choose a different version or distribution
Introduction
Before we begin talking about how to configure SSH Keys on Ubuntu 22.04, let's briefly understand – What are SSH Keys?
SSH keys, short for Secure Shell keys, are a pair of cryptographic keys used to establish a secure connection between a client and a server. They provide a more secure and convenient alternative to traditional passwords for remote access.
With SSH keys, data transmitted between devices is encrypted, reducing the risk of unauthorized access. By generating a unique public and private key pair, users can authenticate themselves securely without revealing their passwords. SSH keys offer enhanced security, ease of use, and are widely employed in various systems and applications for secure remote access.
In this tutorial, you will configure SSH keys for an Ubuntu 22.04 installation. We will also address a few FAQs on how to configure SSH Keys Ubuntu 22.04.
Advantages of SSH Keys
- Enhanced Security: SSH keys provide stronger authentication and encryption, protecting against password-based attacks.
- Convenience: With SSH keys, you can access multiple servers without entering passwords each time, saving time and effort.
- Automation: SSH keys enable automated processes, such as scripts and scheduled tasks, to securely access remote systems without user intervention.
- Auditability: SSH keys offer improved accountability by allowing organizations to track and monitor key-based access activities.
- Wide Adoption: SSH keys are widely supported across various platforms and operating systems, making them a popular choice for secure remote access.
Step 1 - Creating the Key Pair
On the client machine, which is often your PC, a key pair must first be created:
ssh-keygen
Most use cases may be secured using a 3072-bit RSA key pair, which is the default setting in recent versions of ssh-keygen
(you may optionally pass in the -b 4096
flag to create a larger 4096-bit key).
You should get the following output after entering the command:
Output
Generating public/private rsa key pair.
Enter file in which to save the key (/your_home/.ssh/id_rsa):
Using the .ssh/
subdirectory in your home directory or another location, save the key pair by pressing the enter key.
This prompt might appear if you already generated an SSH key pair:
Output
/home/your_home/.ssh/id_rsa already exists.
Overwrite (y/n)?
You won't be able to authenticate using the old key any more if you decide to overwrite the key on disk. Before picking yes, exercise extreme caution because this is a harmful operation that cannot be reversed.
After that, you should see the following prompt:
Output
Enter passphrase (empty for no passphrase):
You can optionally enter a safe passcode here, which is strongly recommended. To add an extra layer of safety and prevent unauthorized users from logging in, use a passphrase.
The output should then resemble the following:
Output
Your identification has been saved in /your_home/.ssh/id_rsa
Your public key has been saved in /your_home/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:/hk7MJ5n5aiqdfTVUZr+2Qt+qCiS7BIm5Iv0dxrc3ks user@host
The key's randomart image is:
+---[RSA 3072]----+
| .|
| + |
| + |
| . o . |
|o S . o |
| + o. .oo. .. .o|
|o = oooooEo+ ...o|
|.. o *o+=.*+o....|
| =+=ooB=o.... |
+----[SHA256]-----+
Your public and private keys are now available for use in authentication. The public key must then be uploaded to your server in order to enable SSH key-based authentication.
Step 2 - Copying the Public Key to Your Ubuntu Server
Using the ssh-copy-id
tool is the quickest way to copy your public key to the Ubuntu host. If available, this method is strongly advised due to how straightforward it is. One of the two alternative techniques listed in this section can be used if your client machine does not already have ssh-copy-id
installed (copying via password-based SSH, or manually copying the key).
Copying the Public Key Using ssh-copy-id
Several operating systems come with the ssh-copy-id
tool by default, thus you may have it available on your local system. You need to already have password-based SSH access to your server in order for this approach to function.
The user account to which you have password-based SSH access must be specified along with the remote host to which you want to establish a connection. The account where your public SSH key will be copied is this one.
The syntax is:
ssh-copy-id username@remote_host
The following message might appear:
Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
This indicates that the remote host is not recognized by your local computer. The first time you connect to a new host, this will occur. To proceed, enter "yes" and hit Enter
.
The utility will then search your local account for the previously created id_rsa.pub
key. You will be prompted for the remote user's account password after it locates the key:
Output
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:
For security reasons, your typing will not be seen as you enter the password. Then press ENTER
. With the password you supplied, the software will establish a connection to the account on the remote host. The contents of your ~/.ssh/id_rsa.pub
key will then be copied into a file named authorized_keys
in the home ~/.ssh
directory of the remote account.
The output should be as follows:
Output
Number of key(s) added: 1
Now try logging into the machine, with: "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.
Your id_rsa.pub
key has now been transferred to the remote account. Step 3 can now be reached.
Copying the Public Key Using SSH
If ssh-copy-id
is not accessible, but you have password-based SSH access to a server account, you can upload your keys by using a standard SSH method.
We may accomplish this by reading the public SSH key's contents on our local machine using the cat
command, then sending that information to the remote server via an SSH connection.
On the other hand, we can verify that the account we're using has the proper permissions and that the ~/.ssh
directory exists.
The content we piped through can now be output into a file in this directory named authorized_keys
. Instead of replacing it, we'll append it using the >>
redirect symbol. This will enable us to add keys without erasing those that have already been added.
The complete command reads as follows:
cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"
The following message might appear:
Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
This indicates that the remote host is not recognized by your local computer. To proceed, enter yes
and hit Enter
.
You should then be requested to provide the password for the remote user account:
[email protected]'s password:
Your id_rsa.pub
key's contents will be copied to the end of the remote user's account's authorized_keys
file when you enter your password. Step 3 should be followed if this was successful.
Copying the Public Key Manually
You will need to carry out the aforementioned procedure manually if your server does not have password-based SSH access accessible.
Your id_rsa.pub
file's contents will be manually added to the ~/.ssh/authorized_keys
file on your remote system.
Enter the following into your local computer to view the contents of yourid_rsa.pub
key:
cat ~/.ssh/id_rsa.pub
You will see the content of the key, which should resemble this:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9UVKzT8JUmwW6NNzSgxUfQHGwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70bRly57Q06J+ZJoc9FfBCbCyYH7U/ASsmY095ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ== demo@test
Use whichever way you have available to access to your remote host.
Make sure the ~/.ssh
directory is there once you have access to your account on the remote server. If the directory doesn't already exist, this command will do nothing, else it will create it:
mkdir -p ~/.ssh
Within this directory, the authorized_keys
file can now be created or modified. The following command can be used to add the contents of your id_rsa.pub
file to the end of the authorized_keys
file, creating it if necessary:
echo public_key_string >> ~/.ssh/authorized_keys
Substitute the output from the cat ~/.ssh/id_rsa.pub
command that you ran on your local system for the public_key_string
in the command above. It should begin with ssh-rsa AAAA...
.
Next, we'll make sure that the authorized_keys
file and ~/.ssh
directory have the proper permissions set:
chmod -R go= ~/.ssh
By doing this, all "group" and "other" permissions for the ~/.ssh/
directory are removed recursively.
It's also crucial that the ~/.ssh
directory belongs to the user and not root if you're using the root account to create keys for a user account:
chown -R sammy:sammy ~/.ssh
In this example, our user is called sammy
; however, you should change the username in the command above to something more appropriate.
With our Ubuntu server, we can now test passwordless authentication.
Step 3 - Authenticating to Your Ubuntu Server Using SSH Keys
If one of the aforementioned steps was carried out successfully, you ought to be able to access the remote host without having to enter the password for the remote account.
The fundamental steps are the same:
ssh username@remote_host
If you utilized the last technique described above and this is your first connection to this host, you might see something similar to this:
Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes
This indicates that the remote host is not recognized by your local computer. To proceed, enter yes
and hit Enter
.
In the absence of a private key passphrase, you will be logged in right away. You will be requested to enter the passphrase if you provided one when you created the private key (note that your keystrokes will not display in the terminal session for security). You should be able to start a new shell session on the Ubuntu server using the defined account after successfully authenticating.
Continue reading to learn how to better safeguard your system by removing password authentication if key-based authentication was successful.
Step 4 - Disabling Password Authentication on Your Server
You've successfully set up SSH-key-based authentication if you were able to access your account using SSH without entering a password. Although your password-based authentication technique is still in use, your server is still accessible.
Be sure that SSH-key-based authentication is set up for the root account on this server before proceeding with the instructions in this section, or, preferably, that SSH-key-based authentication is set up for a non-root account with sudo
privileges. Making sure that you will still be able to gain administrative access is essential because this step will lock down password-based logins.
Once you've established that your remote account has administrative privileges, use SSH keys to access your remote server as root or with a user that has sudo
access. Afterward, access the configuration file for the SSH daemon:
sudo nano /etc/ssh/sshd_config
Look for a directive called PasswordAuthentication
in the file. A #
at the beginning of the line can be used to comment out this line. Remove the #
from the line to uncomment it, then change the value to no
. This will prevent you from using account passwords to log in using SSH:
. . .
PasswordAuthentication no
. . .
When finished, save and close the file by using CTRL+X
, Y
to confirm saving the file, then ENTER
to leave nano. We must restart the sshd
service in order for these changes to take effect:
sudo systemctl restart ssh
Before ending your current session, create a fresh terminal window as a precaution and verify that the SSH service is operating properly:
ssh username@remote_host
You can safely close all open SSH connections once you have confirmed that your SSH service is operating as intended.
Your Ubuntu server's SSH daemon now only accepts authentication via SSH keys. Logins based on passwords are no longer permitted.
FAQs to Configure SSH Keys on Ubuntu 22.04
Where are SSH keys stored on Ubuntu 22.04?
SSH keys are typically stored in the ~/.ssh
directory on Ubuntu 22.04. The private key is saved as id_rsa
and the public key as id_rsa.pub
.
How do I add my SSH public key to a remote server?
Use the ssh-copy-id
command followed by the server's IP address or hostname to copy your public key to the remote server. For example, ssh-copy-id user@remote-server
.
How do I disable password-based authentication and use SSH keys only?
Edit the SSH server configuration file (/etc/ssh/sshd_config
) on Ubuntu 22.04 and set the PasswordAuthentication
parameter to no
. Restart the SSH service for changes to take effect.
Can I use the same SSH key pair on multiple servers?
Yes, you can use the same SSH key pair on multiple servers. Simply copy the public key to the authorized_keys file on each server.
How do I change or update my SSH key on Ubuntu 22.04?
To change or update your SSH key, you need to generate a new key pair. Use the ssh-keygen
command with appropriate options, then replace the old key with the new one on the server.
Can I protect my SSH private key with a passphrase?
Yes, it is highly recommended to protect your SSH private key with a passphrase. This adds an extra layer of security by encrypting the private key with the passphrase.
How do I troubleshoot SSH key authentication issues?
Check file permissions of the SSH key files, ensure the public key is correctly added to the authorized_keys file on the server, and verify SSH server configuration settings.
Conclusion
We hope this detailed tutorial helped you to configure SSH Keys on Ubuntu 22.04.
If you have any suggestions or queries, kindly leave them in the comments section.