
Use Public Key Authentication with SSH


Public key authentication provides SSH users with the convenience of logging in to their Linodes without entering their passwords. SSH keys are also more secure than passwords, because private keys are encrypted, or scrambled, so their contents can't be read as easily. While SSH passwords are not required once keys are set up, passwords for decrypting, or unscrambling, the private keys locally are still required. For added convenience, depending on your local workstation's security, you can add the new password to your local keychain so it's saved after the first login.


Intro to SSH Keys Authentication

SSH key authentication has two parts: a public component and a private component. The public component is stored in the ~/.ssh/authorized_keys file on the remote system you want to access. The private component is located on your local machine in the /Users/user/.ssh/id_rsa file.

It might be easier to think of SSH keys in terms of a lock and key. The public part is the lock, which can be copied to multiple locations as long as the private component, or key, is not compromised. Since the private key is password-protected, it is analogous to keeping a physical key in a lockbox. With this example in mind, using an SSH key works as follows. First, the lockbox/passphrase is opened to obtain the key/private key, which is then used to open the lock/public key and grant access to your Linode.

Intro to Local Encryption

Since private keys need to be kept secret to prevent unauthorized access to your Linode, it is recommended that they be encrypted on your local system. This helps guarantee that only individuals with the encryption passphrase will be able to use the private keys, even if the key itself becomes compromised. A passphrase is only used to unlock the private key locally and is not transmitted in any form to the remote host. Therefore, using unencrypted private keys is not recommended.

When you create your private key, be sure to make a note of your passphrase, as you will need it for the first login to the remote server.

Linux and Unix-like Operating Systems

The process for generating SSH keys and connecting to a remote server from a Linux, Apple OS X, or Unix-like operating system is outlined below.

Generating Keys

The process for creating keys with a recent version of the OpenSSH package is the same across many different Unix-like operating systems. This includes all Linux distributions provided by Linode, workstations running Linux, and Apple's OS X.

  1. To generate SSH keys for your host, issue the following command on your local system:

    ssh-keygen
    
  2. Answer all questions when prompted. You can accept the defaults for everything except the passphrase by pressing Return. When you get to the passphrase question, enter a series of letters and numbers for the passphrase twice: once to enter the new passphrase and once to confirm. Important: make a note of your passphrase, as you will need it later.

    user@linode: ssh-keygen
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/user/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/user/.ssh/id_rsa.
    Your public key has been saved in /home/user/.ssh/id_rsa.pub.
    The key fingerprint is:
    f6:61:a8:27:35:cf:4c:6d:13:22:70:cf:4c:c8:a0:23 user@linode
    

The newly-generated SSH keys are located in the ~/.ssh/ directory. You will find the private key in the ~/.ssh/id_rsa file and the public key in the ~/.ssh/id_rsa.pub file.

Uploading Keys

Please note that the following steps are performed on your remote location/Linode.

  1. Before you upload the keys, verify that your .ssh directory exists by using the following command from your home directory (the default directory when you log in):

    ls -al
    
  2. If the .ssh directory is present, proceed to Step 3. If the directory is not present, issue the following command in the /home/user directory to create it:

    mkdir .ssh
    

The following steps are performed on your local machine/PC:

  3. Copy the public key to the remote machine using the following command, which saves it there as ~/.ssh/uploaded_key.pub. Substitute your own SSH user and host names:

    scp ~/.ssh/id_rsa.pub user@example.com:/home/user/.ssh/uploaded_key.pub
    
  4. Run the following command to append the uploaded key to the authorized_keys file. The command is passed as-is so that cat runs on the remote machine, where uploaded_key.pub is stored. Substitute your own SSH user and host names:

    ssh user@example.com "cat ~/.ssh/uploaded_key.pub >> ~/.ssh/authorized_keys"
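
The remote-side steps above, collected into one script to run on the Linode after the scp step. This is an added example, not part of the original guide; the function names is_public_key and install_pubkey and the sample key line are constructed for illustration. It refuses a private key file, sets permissions to 700 on the directory and 600 on authorized_keys, and does not append the same key twice.

```shell
#!/bin/sh
# Added example, not part of the original guide. Run it on the remote host.

# is_public_key FILE: succeed only if FILE holds one OpenSSH public key line.
is_public_key() {
    [ -r "$1" ] || return 1
    # A private key file carries a "... PRIVATE KEY" header; never install one.
    if grep -q 'PRIVATE KEY' "$1"; then
        return 1
    fi
    # Exactly one non-empty line of the form "<type> <base64> [comment]".
    [ "$(grep -c . "$1")" -eq 1 ] || return 1
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$' "$1"
}

# install_pubkey FILE [SSH_DIR]: append the key once, with strict permissions.
# SSH_DIR defaults to ~/.ssh; the override lets the demo use a scratch directory.
install_pubkey() {
    key_file=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth=$ssh_dir/authorized_keys

    if ! is_public_key "$key_file"; then
        echo "refusing: $key_file is not a public key" >&2
        return 1
    fi

    # Only the owner may read or write the directory and the key list.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 2
    touch "$auth" && chmod 600 "$auth" || return 2

    key_line=$(grep . "$key_file")
    # Skip the append when the identical line is already authorized.
    if grep -qxF "$key_line" "$auth"; then
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth"
}

# Demo on constructed input (not a real key), inside a scratch directory.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABconstructedSampleOnly user@linode' \
    > "$demo_dir/uploaded_key.pub"
install_pubkey "$demo_dir/uploaded_key.pub" "$demo_dir/.ssh"
install_pubkey "$demo_dir/uploaded_key.pub" "$demo_dir/.ssh"  # no duplicate added
echo "authorized keys: $(grep -c . "$demo_dir/.ssh/authorized_keys")"
rm -rf "$demo_dir"
```

On the Linode, call it as install_pubkey ~/.ssh/uploaded_key.pub and then delete the uploaded copy.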
    

Connecting to the Remote Server

The final part in the SSH key process is to access your Linode with your new private key.

  1. Connect to the remote server.

  2. A window will appear prompting you for a password. This password is the passphrase you created for the private key encryption.

    Enter your passphrase in the password field.
  3. If you're on a private computer, you can check the Remember password in my keychain box to save your passphrase. If you are logged on via a public machine, don't check this box, as this would compromise your security and allow access to your Linode.

  4. Click the OK button.

You should now be connected to your Linode using the SSH key.

Windows Operating System

Before you can generate an SSH key, you will need to download and install PuTTYgen (puttygen.exe) and PuTTY (putty.exe). These two programs are available for download from this link: PuTTY Installer.

Installing PuTTYgen and Generating Keys

Once PuTTYgen has finished downloading, you can install it.

  1. Double-click on the downloaded executable program and select Run to begin the installation.

    Beginning the PuTTY key gen install.
  2. Read the warning, and then select Run to continue the installation.

    Ignore installation warning.

  3. After the installation is complete, you will be taken directly to the key generating screen. You do not have to change the SSH selection or the number of bits. The default selections are recommended. Click on the Generate button to create the new public/private key pair.

    Generating the new public/private key pair.
  4. Once the keys begin to generate, keep moving your mouse until the entire bar fills with green. The program uses the random input from your mouse to generate a unique key.

    Move the mouse until the key generating is complete.
  5. The public key is now generated and appears in the first window.

    The public key has now been created.
  6. Before you continue, you will need to copy the newly-created public key to either WordPad or Notepad. Just select the text and copy it to a new Notepad or WordPad text file. Be sure the file is saved in a location you remember, as you will need it later.

    Copy the public key to a text file.
  7. Enter a passphrase in the Key passphrase text field, and enter it again to confirm. The passphrase can be any string of letters and numbers. The passphrase should be something unique and not easily recognized. Important: make a note of your passphrase, as you will need it later.

    Enter a new passphrase.
  8. After you have entered your passphrase, click on the Save private key button. This will save the private key to your PC.

    Click on the Save private key button.
  9. Keep the default location and name of the private key file and click on the Save button. Note that if you plan on creating multiple keys to connect to different SSH servers, you will need to save each pair of keys for each server with different names to prevent overwriting the key files. Make a note of the name and location of the private key. You'll need it in the next section.

    Saving the private key.

Connecting to the Remote Server

Now it is time to connect to your Linode with the SSH connection you just created.

  1. Launch PuTTY.

  2. Under the Connection menu, under SSH, select Auth.

    Select auth under the SSH submenu under connection.
  3. You will need to tell PuTTY the location of the private key. This may be accomplished by either clicking on the Browse button and navigating to the private key file, or by typing in the location of the file from Step 10 in the previous section.

    Enter the private key location.
  4. To establish a session, click on Session under the Category list. Enter the hostname or IP address of your Linode. Note: the SSH radio button is selected by default and the Port number field is already filled in.

    You can either save this connection as the default by clicking on the Save button, or by entering a name in the Saved Sessions text field, and clicking on the Save button.

    Saving your connection information.
  5. Click the Open button to establish a connection. You will be prompted to enter your login name and password.

  6. The combination of commands shown below will create a .ssh directory in your home directory on your Linode, create a blank authorized_keys file inside, and set the access permissions. Enter the following commands at the prompt and press Enter:

    mkdir ~/.ssh; touch ~/.ssh/authorized_keys; chmod 700 ~/.ssh
    
  7. Edit the newly-created file by using a text editor such as nano:

    nano ~/.ssh/authorized_keys
    
  8. Copy the contents of the public key from your workstation to the authorized_keys file. Be sure you save the file on exit. Exit PuTTY.

  9. Reconnect to PuTTY and Load your saved session. (Or, follow Steps 3 and 4 again to start a new SSH session.) You will be prompted to enter your login name as before. However, this time you will be prompted for your SSH key's passphrase, rather than your Linode user's password. Enter your passphrase and press Enter.

You should now be connected to your Linode using the SSH key.

Creative Commons License

This guide is licensed under a Creative Commons Attribution-NoDerivs 3.0 United States License.

Last edited by Sharon Campbell on Thursday, December 5th, 2013 (r3974).