How to Configure SSH Keys on Ubuntu 22.04

Introduction

Before we begin talking about how to configure SSH Keys on Ubuntu 22.04, let's briefly understand – What are SSH Keys?

SSH keys, short for Secure Shell keys, are a pair of cryptographic keys used to establish a secure connection between a client and a server. They provide a more secure and convenient alternative to traditional passwords for remote access.

With SSH keys, data transmitted between devices is encrypted, reducing the risk of unauthorized access. By generating a unique public and private key pair, users can authenticate themselves securely without revealing their passwords. SSH keys offer enhanced security, ease of use, and are widely employed in various systems and applications for secure remote access.

In this tutorial, you will configure SSH keys for an Ubuntu 22.04 installation. We will also address a few FAQs on how to configure SSH Keys Ubuntu 22.04.

Advantages of SSH Keys

1. Enhanced Security: SSH keys provide stronger authentication and encryption, protecting against password-based attacks.
2. Convenience: With SSH keys, you can access multiple servers without entering passwords each time, saving time and effort.
3. Automation: SSH keys enable automated processes, such as scripts and scheduled tasks, to securely access remote systems without user intervention.
4. Auditability: SSH keys offer improved accountability by allowing organizations to track and monitor key-based access activities.
5. Wide Adoption: SSH keys are widely supported across various platforms and operating systems, making them a popular choice for secure remote access.

Step 1 - Creating the Key Pair

On the client machine, which is often your PC, a key pair must first be created:

ssh-keygen

Most use cases may be secured using a 3072-bit RSA key pair, which is the default setting in recent versions of ssh-keygen (you may optionally pass in the -b 4096 flag to create a larger 4096-bit key).

You should get the following output after entering the command:

Output
Generating public/private rsa key pair.
Enter file in which to save the key (/your_home/.ssh/id_rsa):

Using the .ssh/ subdirectory in your home directory or another location, save the key pair by pressing the enter key.

This prompt might appear if you already generated an SSH key pair:

Output
/home/your_home/.ssh/id_rsa already exists.
Overwrite (y/n)?

You won't be able to authenticate using the old key any more if you decide to overwrite the key on disk. Before picking yes, exercise extreme caution because this is a harmful operation that cannot be reversed.

After that, you should see the following prompt:

Output
Enter passphrase (empty for no passphrase):

You can optionally enter a safe passcode here, which is strongly recommended. To add an extra layer of safety and prevent unauthorized users from logging in, use a passphrase.

The output should then resemble the following:

Output
Your identification has been saved in /your_home/.ssh/id_rsa
Your public key has been saved in /your_home/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:/hk7MJ5n5aiqdfTVUZr+2Qt+qCiS7BIm5Iv0dxrc3ks user@host
The key's randomart image is:
+---[RSA 3072]----+
|                .|
|               + |
|              +  |
| .           o . |
|o       S   . o  |
| + o. .oo. ..  .o|
|o = oooooEo+ ...o|
|.. o *o+=.*+o....|
|    =+=ooB=o.... |
+----[SHA256]-----+

Your public and private keys are now available for use in authentication. The public key must then be uploaded to your server in order to enable SSH key-based authentication.

Step 2 - Copying the Public Key to Your Ubuntu Server

Using the ssh-copy-id tool is the quickest way to copy your public key to the Ubuntu host. If available, this method is strongly advised due to how straightforward it is. One of the two alternative techniques listed in this section can be used if your client machine does not already have ssh-copy-id installed (copying via password-based SSH, or manually copying the key).

Copying the Public Key Using ssh-copy-id

Several operating systems come with the ssh-copy-id tool by default, thus you may have it available on your local system. You need to already have password-based SSH access to your server in order for this approach to function.

The user account to which you have password-based SSH access must be specified along with the remote host to which you want to establish a connection. The account where your public SSH key will be copied is this one.

The syntax is:

ssh-copy-id username@remote_host

The following message might appear:

Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

This indicates that the remote host is not recognized by your local computer. The first time you connect to a new host, this will occur. To proceed, enter "yes" and hit Enter.

The utility will then search your local account for the previously created id_rsa.pub key. You will be prompted for the remote user's account password after it locates the key:

Output
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
[email protected]'s password:

For security reasons, your typing will not be seen as you enter the password. Then press ENTER. With the password you supplied, the software will establish a connection to the account on the remote host. The contents of your ~/.ssh/id_rsa.pub key will then be copied into a file named authorized_keys in the home ~/.ssh directory of the remote account.

The output should be as follows:

Output
Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '[email protected]'"
and check to make sure that only the key(s) you wanted were added.

Your id_rsa.pub key has now been transferred to the remote account. Step 3 can now be reached.

Copying the Public Key Using SSH

If ssh-copy-id is not accessible, but you have password-based SSH access to a server account, you can upload your keys by using a standard SSH method.

We may accomplish this by reading the public SSH key's contents on our local machine using the cat command, then sending that information to the remote server via an SSH connection.

On the other hand, we can verify that the account we're using has the proper permissions and that the ~/.ssh directory exists.

The content we piped through can now be output into a file in this directory named authorized_keys. Instead of replacing it, we'll append it using the >> redirect symbol. This will enable us to add keys without erasing those that have already been added.

The complete command reads as follows:

cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys && chmod -R go= ~/.ssh && cat >> ~/.ssh/authorized_keys"

The following message might appear:

Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

This indicates that the remote host is not recognized by your local computer. To proceed, enter yes and hit Enter.

You should then be requested to provide the password for the remote user account:

[email protected]'s password:

Your id_rsa.pub key's contents will be copied to the end of the remote user's account's authorized_keys file when you enter your password. Step 3 should be followed if this was successful.

Copying the Public Key Manually

You will need to carry out the aforementioned procedure manually if your server does not have password-based SSH access accessible.

Your id_rsa.pub file's contents will be manually added to the ~/.ssh/authorized_keys file on your remote system.

Enter the following into your local computer to view the contents of yourid_rsa.pub key:

cat ~/.ssh/id_rsa.pub

You will see the content of the key, which should resemble this:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCqql6MzstZYh1TmWWv11q5O3pISj2ZFl9HgH1JLknLLx44+tXfJ7mIrKNxOOwxIxvcBF8PXSYvobFYEZjGIVCEAjrUzLiIxbyCoxVyle7Q+bqgZ8SeeM8wzytsY+dVGcBxF6N4JS+zVk5eMcV385gG3Y6ON3EG112n6d+SMXY0OEBIcO6x+PnUSGHrSgpBgX7Ks1r7xqFa7heJLLt2wWwkARptX7udSq05paBhcpB0pHtA1Rfz3K2B+ZVIpSDfki9UVKzT8JUmwW6NNzSgxUfQHGwnW7kj4jp4AT0VZk3ADw497M2G/12N0PPB5CnhHf7ovgy6nL1ikrygTKRFmNZISvAcywB9GVqNAVE+ZHDSCuURNsAInVzgYo9xgJDW8wUw2o8U77+xiFxgI5QSZX3Iq7YLMgeksaO4rBJEa54k8m5wEiEE1nUhLuJ0X/vh2xPff6SQ1BL/zkOhvJCACK6Vb15mDOeCSq54Cr7kvS46itMosi/uS66+PujOO+xt/2FWYepz6ZlN70bRly57Q06J+ZJoc9FfBCbCyYH7U/ASsmY095ywPsBo1XQ9PqhnN1/YOorJ068foQDNVpm146mUpILVxmq41Cj55YKHEazXGsdBIbXWhcrRf4G2fJLRcGUr9q8/lERo9oxRm5JFX6TCmj6kmiFqv+Ow9gI0x8GvaQ== demo@test

Use whichever way you have available to access to your remote host.

Make sure the ~/.ssh directory is there once you have access to your account on the remote server. If the directory doesn't already exist, this command will do nothing, else it will create it:

mkdir -p ~/.ssh

Within this directory, the authorized_keys file can now be created or modified. The following command can be used to add the contents of your id_rsa.pub file to the end of the authorized_keys file, creating it if necessary:

echo public_key_string >> ~/.ssh/authorized_keys

Substitute the output from the cat ~/.ssh/id_rsa.pub command that you ran on your local system for the public_key_string in the command above. It should begin with ssh-rsa AAAA....

Next, we'll make sure that the authorized_keys file and ~/.ssh directory have the proper permissions set:

chmod -R go= ~/.ssh

By doing this, all "group" and "other" permissions for the ~/.ssh/ directory are removed recursively.

It's also crucial that the ~/.ssh directory belongs to the user and not root if you're using the root account to create keys for a user account:

chown -R sammy:sammy ~/.ssh

In this example, our user is called sammy; however, you should change the username in the command above to something more appropriate.

With our Ubuntu server, we can now test passwordless authentication.

Step 3 - Authenticating to Your Ubuntu Server Using SSH Keys

If one of the aforementioned steps was carried out successfully, you ought to be able to access the remote host without having to enter the password for the remote account.

The fundamental steps are the same:

ssh username@remote_host

If you utilized the last technique described above and this is your first connection to this host, you might see something similar to this:

Output
The authenticity of host '203.0.113.1 (203.0.113.1)' can't be established.
ECDSA key fingerprint is fd:fd:d4:f9:77:fe:73:84:e1:55:00:ad:d6:6d:22:fe.
Are you sure you want to continue connecting (yes/no)? yes

This indicates that the remote host is not recognized by your local computer. To proceed, enter yes and hit Enter.

In the absence of a private key passphrase, you will be logged in right away. You will be requested to enter the passphrase if you provided one when you created the private key (note that your keystrokes will not display in the terminal session for security). You should be able to start a new shell session on the Ubuntu server using the defined account after successfully authenticating.

Continue reading to learn how to better safeguard your system by removing password authentication if key-based authentication was successful.

Step 4 - Disabling Password Authentication on Your Server

You've successfully set up SSH-key-based authentication if you were able to access your account using SSH without entering a password. Although your password-based authentication technique is still in use, your server is still accessible.

Be sure that SSH-key-based authentication is set up for the root account on this server before proceeding with the instructions in this section, or, preferably, that SSH-key-based authentication is set up for a non-root account with sudo privileges. Making sure that you will still be able to gain administrative access is essential because this step will lock down password-based logins.

Once you've established that your remote account has administrative privileges, use SSH keys to access your remote server as root or with a user that has sudo access. Afterward, access the configuration file for the SSH daemon:

sudo nano /etc/ssh/sshd_config

Look for a directive called PasswordAuthentication in the file. A # at the beginning of the line can be used to comment out this line. Remove the # from the line to uncomment it, then change the value to no. This will prevent you from using account passwords to log in using SSH:

. . .
PasswordAuthentication no
. . .

When finished, save and close the file by using CTRL+X, Y to confirm saving the file, then ENTER to leave nano. We must restart the sshd service in order for these changes to take effect:

sudo systemctl restart ssh

Before ending your current session, create a fresh terminal window as a precaution and verify that the SSH service is operating properly:

ssh username@remote_host

You can safely close all open SSH connections once you have confirmed that your SSH service is operating as intended.

Your Ubuntu server's SSH daemon now only accepts authentication via SSH keys. Logins based on passwords are no longer permitted.

FAQs to Configure SSH Keys on Ubuntu 22.04

Conclusion

We hope this detailed tutorial helped you to configure SSH Keys on Ubuntu 22.04.

If you have any suggestions or queries, kindly leave them in the comments section.