Public key authentication provides SSH users with the convenience of logging in to their Linodes without entering their passwords. SSH keys are also more secure than passwords, because private keys are encrypted, or scrambled, so their contents can't be read as easily. While SSH passwords are not required once keys are set up, passwords for decrypting, or unscrambling, the private keys locally are still required. For added convenience, depending on your local workstation's security, you can add the new password to your local keychain so it's saved after the first login.
SSH key authentication has two parts: a public component and a private component. The public component is stored in the ~/.ssh/authorized_keys file on the remote system you want to access. The private component is located on your local machine in the /Users/user/.ssh/id_rsa file.
It might be easier to think of SSH keys in terms of a lock and key. The public part is the lock, which can be copied to multiple locations as long as the private component, or key, is not compromised. Since the private key is password-protected, it is analogous to keeping a physical key in a lockbox. With this example in mind, using an SSH key works as follows. First, the lockbox/passphrase is opened to obtain the key/private key, which is then used to open the lock/public key and grant access to your Linode.
Since private keys need to be kept secret to prevent unauthorized access to your Linode, it is recommended that they be encrypted on your local system. This helps guarantee that only individuals with the encryption passphrase will be able to use the private keys, even if the key itself becomes compromised. A passphrase is only used to unlock the private key locally and is not transmitted in any form to the remote host. Therefore, using unencrypted private keys is not recommended.
When you create your private key, be sure to make a note of your passphrase, as you will need it for the first login to the remote server.
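To check whether the private keys already on a workstation follow this recommendation, the added example below (not part of the original guide) classifies key files as encrypted or unencrypted from their on-disk format. It goes beyond the RSA key this guide creates by covering both the legacy PEM format and the newer OpenSSH format. The function names key_protection and audit_keys are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.
# key_protection FILE -> prints "encrypted", "unencrypted" or "unknown"
key_protection() {
    key_file=$1
    [ -r "$key_file" ] || { echo unknown; return 0; }
    header=$(head -n 1 "$key_file" | tr -d '\r')
    case $header in
        '-----BEGIN ENCRYPTED PRIVATE KEY-----')
            echo encrypted ;;                  # PKCS#8 encrypted container
        '-----BEGIN OPENSSH PRIVATE KEY-----')
            # The body is base64 of: "openssh-key-v1\0", a 4-byte length,
            # then the cipher name. The magic is 15 bytes, so the base64
            # alignment is fixed and cipher "none" always yields this prefix.
            body=$(grep -v -e '^-----' "$key_file" | tr -d '\r\n')
            case $body in
                b3BlbnNzaC1rZXktdjEAAAAABG5vbmUA*) echo unencrypted ;;
                b3BlbnNzaC1rZXktdjEA*)             echo encrypted ;;
                *)                                 echo unknown ;;
            esac ;;
        '-----BEGIN '*'PRIVATE KEY-----')
            # Legacy PEM (id_rsa as written by older ssh-keygen releases):
            # an encrypted key carries a Proc-Type header.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$key_file"; then
                echo encrypted
            else
                echo unencrypted
            fi ;;
        *)  echo unknown ;;                    # public keys, config, etc.
    esac
}

# audit_keys DIR -> prints every file in DIR holding an unencrypted private key
audit_keys() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if [ "$(key_protection "$f")" = unencrypted ]; then
            echo "$f"
        fi
    done
    return 0
}
```

Running `audit_keys ~/.ssh` lists the keys that still need a passphrase, which can be added to an existing key with `ssh-keygen -p -f <keyfile>`.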
The process for generating SSH keys and connecting to a remote server from a Linux, Apple OS X, or Unix-like operating system is outlined below.
The process for creating keys with a recent version of the OpenSSH package is the same across many different Unix-like operating systems. This includes all Linux distributions provided by Linode, workstations running Linux, and Apple's OS X.
To generate SSH keys for your host, issue the following command on your local system:
Answer all questions when prompted. You can accept the defaults for everything except the passphrase. When you get to the passphrase question, enter a series of letters and numbers for the passphrase twice; once to enter the new passphrase and once to confirm. Important: make a note of your passphrase, as you will need it later. You may accept the defaults for the other questions by pressing Return when prompted:
user@linode: ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
f6:61:a8:27:35:cf:4c:6d:13:22:70:cf:4c:c8:a0:23 user@linode
The newly-generated SSH keys are located in the ~/.ssh/ directory. You will find the private key in the ~/.ssh/id_rsa file and the public key in the ~/.ssh/id_rsa.pub file.
Please note that the following steps are performed on your remote location/Linode.
Before you upload the keys, verify that your .ssh directory exists by using the following command from your home directory (the default directory when you log in):
If the .ssh directory is present, proceed to Step 3. If the directory is not present, issue the following command in the /home/user directory to create it:
The following steps are performed on your local machine/PC:
Upload the public key to the ~/.ssh directory on the remote machine, using the following command. Substitute your own SSH user and host names:
scp ~/.ssh/id_rsa.pub firstname.lastname@example.org:/home/user/.ssh/uploaded_key.pub
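Run the following command to append the uploaded key to the authorized_keys file. Substitute your own SSH user and host names. The single quotes make the whole command run on the remote machine, where the uploaded_key.pub file now resides:
ssh email@example.com 'cat ~/.ssh/uploaded_key.pub >> ~/.ssh/authorized_keys'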
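As an added example (not part of the original guide), the function below performs the append step on the Linode after the scp upload, and additionally sets the directory and file permissions, rejects a file that is not a public key, and skips a key that is already authorized. The name install_pubkey and its optional second argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original guide. install_pubkey is a
# hypothetical helper: install_pubkey PUBKEY_FILE [HOME_DIR]
install_pubkey() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }

    # A public key is one line: "<type> <base64 blob> [comment]".
    key_line=$(grep -v '^[[:space:]]*$' "$pubkey_file" | head -n 1)
    key_type=$(printf '%s\n' "$key_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*) ;;
        # Anything else is refused, including a private key sent by mistake.
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac
    [ -n "$key_blob" ] || { echo "key data missing: $pubkey_file" >&2; return 1; }

    # sshd's StrictModes check rejects keys kept in files or directories
    # that other users can write to, so restrict both to the owner.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Already authorized? Match on the blob so a changed comment is not a new key.
    if grep -qF -e "$key_blob" "$auth_file"; then
        return 0
    fi
    # Start on a fresh line if the file does not end with a newline.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}
```

On the Linode this would be called as `install_pubkey ~/.ssh/uploaded_key.pub`, after which the uploaded copy can be deleted.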
The final part in the SSH key process is to access your Linode with your new private key.
Connect to the remote server.
A window will appear prompting you for a password. This password is the passphrase you created for the private key encryption.
If you're on a private computer, you can check the Remember password in my keychain box to save your passphrase. If you are logged on via a public machine, don't check this box, as this would compromise your security and allow access to your Linode.
Click the OK button.
You should now be connected to your Linode using the SSH key.
Before you can generate an SSH key, you will need to download and install PuTTYgen (puttygen.exe) and PuTTY (putty.exe). These two programs are available for download from this link: PuTTY Installer.
Once PuTTYgen has finished downloading, you can install it.
Double-click on the downloaded executable program and select Run to begin the installation.
Read the warning, and then select Run to continue the installation.
After the installation is complete, you will be taken directly to the key generating screen. You do not have to change the SSH selection or the number of bits. The default selections are recommended. Click on the Generate button to create the new public/private key pair.
Once the keys begin to generate, keep moving your mouse until the entire bar fills with green. The program uses the random input from your mouse to generate a unique key.
The public key is now generated and appears in the first window.
Before you continue, you will need to copy the newly-created public key to either WordPad or Notepad. Just select the text and copy it to a new Notepad or WordPad text file. Be sure the file is saved in a location you remember, as you will need it later.
Enter a passphrase in the Key passphrase text field, and enter it again to confirm. The passphrase can be any string of letters and numbers. The passphrase should be something unique and not easily recognized. Important: make a note of your passphrase, as you will need it later.
After you have entered your passphrase, click on the Save private key button. This will save the private key to your PC.
Keep the default location and name of the private key file and click on the Save button. Note that if you plan on creating multiple keys to connect to different SSH servers, you will need to save each pair of keys for each server with different names to prevent overwriting the key files. Make a note of the name and location of the private key. You'll need it in the next section.
Now it is time to connect to your Linode with the SSH connection you just created.
Under the Connection menu, under SSH, select Auth.
You will need to tell PuTTY the location of the private key. This may be accomplished by either clicking on the Browse button and navigating to the private key file, or by typing in the location of the file from Step 10 in the previous section.
To establish a session, click on Session under the Category list. Enter the hostname or IP address of your Linode. Note: the SSH radio button is selected by default and the Port number field is already filled in.
You can save this connection either as the default, by clicking on the Save button, or under its own name, by entering a name in the Saved Sessions text field and clicking on the Save button.
Click the Open button to establish a connection. You will be prompted to enter your login name and password.
The combination of commands shown below will create a .ssh directory in your home directory on your Linode, create a blank authorized_keys file inside, and set the access permissions. Enter the following commands at the prompt and press Enter:
mkdir ~/.ssh; touch ~/.ssh/authorized_keys; chmod 700 ~/.ssh
Edit the newly-created file by using a text editor such as nano:
Copy the contents of the public key from your workstation to the authorized_keys file. Be sure you save the file on exit. Exit PuTTY.
Reconnect to PuTTY and load your saved session. (Or, follow Steps 3 and 4 again to start a new SSH session.) You will be prompted to enter your login name as before. However, this time you will be prompted for your SSH key's passphrase, rather than your Linode user's password. Enter your passphrase and press Enter.
You should now be connected to your Linode using the SSH key.
This guide is licensed under a Creative Commons Attribution-NoDerivs 3.0 United States License.
Last edited by Sharon Campbell on Thursday, December 5th, 2013 (r3974).