How to Use Private Key to Login SSH | Step by Step Guide
by Chelsea Bruhl on Sep 26, 2024
Want to connect to your servers securely? Learn how to use private key to login SSH.
Secure Shell, or SSH, is an encrypted protocol for administering and communicating with servers. When working with a Linux server, you may find yourself spending a significant amount of time in a terminal session connecting to the server using SSH.
While there are a number of other ways to log in to an SSH server, we'll focus on setting up SSH keys in this post. SSH keys are a highly secure method of connecting to your server.
In this article, MacSecurity will teach you how to use a private key to login SSH in order for you to access your servers remotely and in a secure way.
Let's begin!
How to Use Private Key to Login SSH
With SSH keys, traditional login credentials are replaced by a key pair consisting of a private key and a public key. For server access, both keys are necessary. The private key is unique to each user and is kept on their device; it is never shared with the server or another user.
The related public key can be freely shared without causing any harm. The public key can be used to encrypt messages that can only be decrypted with the private key. This attribute is used to verify the authenticity of the key pair.
SSH keys are also far more complicated than standard passwords, making them far more resistant to brute-force attacks.
What you Need to Login SSH using Private Key
Before you start, make sure that you have the following ready to go:
- An SSH client software installed on your macOS system.
- A text editor.
- Access to Terminal with administrator privileges.
- A local and remote server.
- And your private key.
Preparing your Server
To add an SSH key pair, execute the following command to create a hidden folder in your user account's home directory on your cloud server.
mkdir -p ~/.ssh
Then use the command below to limit the permissions on that directory to only yourself.
chmod 700 ~/.ssh
You may now keep your SSH keys for authentication in a secure location. However, because the keys are kept in your user's home directory, each user who wants to utilize SSH keys for authentication must repeat these procedures on their own profile.
For Linux or another OS that supports OpenSSH
If you're using Linux or another OS that supports OpenSSH, you can now continue on your own computer. Users of PuTTY should go to the next section.
Step 1 - Use the following command to generate a new key pair in a terminal.
ssh-keygen -t rsa
The key generator will ask for the location and name of the file where the key will be kept. Enter a new name or press enter to use the default. Here id_rsa is the name of our Private Key file. You can always specify a different path and name for the Private Key file. We'll utilize the default settings for our demonstration.
Step 2 - Create a passphrase for the key when prompted (Optional)
This is a basic password that will safeguard your private key if it falls into the wrong hands. You may either enter a password or proceed without one. Press enter twice to do so. It's worth noting that some automation tools may be unable to decrypt password-protected private keys.
We would have successfully generated our Key Pair at this point. We're also given a 'fingerprint' and a 'visual fingerprint' of our key, which we don't have to save.
The output will be as follows:
Step 3 - Configure the Server To Use Our Private Key
Under /home/user/.ssh, we should now have the following two files:
id_rsa : Our SSH Private Key
id_rsa.pub : Our SSH Public Key
Take note of the private key's permissions (id_rsa). PERMISSIONS SHOULD ALWAYS BE 600 ON SSH PRIVATE KEY FILES! If they are not, use the chmod command to set the permissions to that value:
chmod 600 /home/user/.ssh/id_rsa
Step 4 - The next step is to set up our Server so that we can log in with our private key. This can be done manually by connecting to the server and manually configuring everything, but there is a utility called ssh-copy-id that takes care of everything for us!
Simply run the following command to configure our server to use our new SSH keys.
ssh-copy-id USER@IP
Here,
- USER is the username we want to login as onto the server
- IP is the IP address of our Server
Step 5 - With that, we can now just SSH into our server using the following command:
ssh USER@IP
If you previously set a passphrase, you'll be prompted to enter it:
Note that if you're not using the default path and file names, you'll need to use the -i flag to specify the private key file:
ssh -i /path/to/private/key USER@IP
As a result, we are now able to SSH into our machine using our PRIVATE KEY!
Step 6 - Set up SSH Agent to store the keys to avoid having to re-enter the passphrase at every login (Optional)
To start the agent and add the private SSH key, use the instructions below.
ssh-agent $BASH
ssh-add ~/.ssh/id_rsa
When prompted, enter the current passphrase for your key. You'll have to supply the private key's location and name if you saved it somewhere other than the default location and name.
After that, you may connect to your cloud server using the keys for authentication, and you just have to unlock the key after the computer restarts by repeating the last two steps.
Using PuTTYTray to generate a key pair (For Windows users)
If you're using Windows with PuTTYTray for SSH, you can create a fresh key pair with PuTTY's built-in key generator.
Step 1 - To get started, Install PuTTY And PuTTYgen
To convert OpenSSH keys and connect to the server through SSH, you'll need both PuTTY and PuTTYgen. From the PuTTY Download Page, you can download these two utilities separately or as a Windows installer.
Double-click the executable in the Download folder to run the PuTTY Windows installer, then continue the installation walkthrough. Most setups will be fine with the default settings. PuTTY and PuTTYgen should now be found in the Windows Programs list.
Step 2 - Click the Keygen button at the bottom of the PuTTY Configuration window.
At the bottom of the Key Generator window, make sure that the type of key to generate is set to SSH-2 RSA. The earlier SSH-1 was the standard's original version; however, it is now considered outdated. SSH-2 is supported by the majority of current servers and clients.
Step 3 - Click the Generate button to begin
For a few seconds, keep moving your cursor over the blank space in any way to help produce randomness until the progress is complete.
PuTTY will display the pair's related data as well as the public key for simple copying after the keys have been finalized.
Step 4 - (Optional) For extra security, enter a key passphrase in the two empty boxes before proceeding. If someone manages to copy your key, the passphrase will protect it from unauthorized use. Some automation tools, on the other hand, may be unable to decrypt passphrase-protected private keys.
Step 5 - Save the private key by clicking the Save private key button and keeping it somewhere secure.
As long as your PC is password secured, you may keep it anywhere in your user directory. You may wish to copy the public key to your clipboard before closing the keygen, but you can always obtain it afterward. Now that the new key is saved on your computer, you'll need to import it into the PuTTY key agent.
To open the key manager in the PuTTY Configuration window, click the Agent button.
In the Key List, click Add Key, then navigate to the location where you stored the private key, select it, and click Open. If prompted, enter your key passcode.
This will import the key into your PuTTY client, but the public key must still be copied to your server.
Go to the SSH key directory by opening an SSH connection to your cloud server.
cd ~/.ssh/
OpenSSH looks for authorized public keys in a file called authorized_keys, so make sure this file exists.
Step 6 - Simply right-click the SSH client window and paste the public key into the file. To allow OpenSSH to read the key, make sure it's on a single line. It's worth noting that the key type, ssh-rsa, must also be specified, as seen in the sample below.
ssh-rsa
AAAAB3NzaC1yc2EAAAABJQAAAQEA61Ak9YHhfrNe2gnHcfxTIOiHvH6A2D1dsT8h
VlFLIxsXu23AaQit8B3rGshie/sH3E5WJ7iqA6VQXsbdLwlSXJfmFQq8KGWtx7cx
C7Ft3kXerrzIk6q2Bih+GmrFLD1tCV9UrvgIditwp/BAJqtgyuGZY9wBB9NBubhQ
/KgSNpiEt0mGOCjEIy7JrATZcBXx4Ve2Jaqr3l/7FrdbLJfWYoR5LssBRzuCFGWR
0Xjuf2HgPNsLTn6lDvrYKVdo0aTvNvdTIixjB/AEgSt2y4/7sJPMqLSXq/WhA78a
g68tvmydA61ZqaGuLOPJ58icchv3prL7kCt+7lhqZyXFbllRPQ== user@server
Save the file and close the editor once you've copied the public key to the authorized_keys file. By logging back in to your server, you can now test the public key authentication.
Instead of being prompted for your password, you should be able to log in immediately using the key. If it still doesn't work, make sure your SSH Agent's private key is unlocked and try again.
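The manual installation described above can also be scripted so that a badly pasted key is caught before it reaches authorized_keys. The following is an added example, not code from the original article: install_pubkey is a hypothetical helper name, it accepts only ssh-rsa and ssh-ed25519 entries without leading authorized_keys options, and it applies the 700/600 permissions used earlier in this guide.

```sh
#!/bin/sh
# Added example (not from the article): validate one OpenSSH public-key line,
# then append it to authorized_keys with 700/600 permissions.
# install_pubkey is a hypothetical helper name; entries that begin with
# authorized_keys options are not handled here.

# Usage: install_pubkey "<type> <base64> [comment]" [ssh_dir]
install_pubkey() (
    key_line=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_file="$ssh_dir/authorized_keys"
    nl='
'
    # The whole entry must sit on a single line.
    case $key_line in
        *"$nl"*) echo "rejected: key is split across lines" >&2; exit 1 ;;
    esac

    set -f                  # no globbing while splitting into fields
    set -- $key_line        # $1 = key type, $2 = base64 blob, rest = comment
    [ $# -ge 2 ] || { echo "rejected: need '<type> <base64>'" >&2; exit 1; }

    # The blob repeats the key type, so each type has a fixed base64 prefix.
    case $1 in
        ssh-rsa)     prefix=AAAAB3NzaC1yc2E ;;
        ssh-ed25519) prefix=AAAAC3NzaC1lZDI1NTE5 ;;
        *) echo "rejected: unsupported key type '$1'" >&2; exit 1 ;;
    esac
    case $2 in
        *[!A-Za-z0-9+/=]*) echo "rejected: blob is not base64" >&2; exit 1 ;;
        "$prefix"?*) ;;     # declared type and blob agree
        *) echo "rejected: blob does not match key type $1" >&2; exit 1 ;;
    esac

    # Same layout and modes as the manual steps: directory 700, file 600.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || exit 1
    touch "$auth_file" && chmod 600 "$auth_file" || exit 1

    # Append only if this exact line is not already authorized.
    grep -qxF -- "$key_line" "$auth_file" ||
        printf '%s\n' "$key_line" >> "$auth_file"
)
```

Run it on the server as the user who will log in, passing the public key line in quotes; a non-zero exit status means the line was rejected and authorized_keys was left unchanged.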
Connect To Server With Private Key using Putty
Launch Putty and follow the below steps to connect to the server:
- Under Session, type the remote server's Host Name or IP address.
- Select Connection > SSH > Auth from the drop-down menu.
- For authentication, click Browse... under Authentication parameters / Private key file.
- Click Open to open the id_rsa.ppk private key.
- Finally, click Open to log in using key pair authentication to the remote server.
How to use Private Key to log in to Remote VM SSH
Step 1 Copy your private key to a new file named centos7template01.txt.
Step 2 Type ls to verify.
Step 3 Now, copy the file to a remote VM.
Step 4 Type yes to connect and transfer the file.
Step 5 Now SSH into the remote VM (Cent7-07).
Step 6 Type ls again to confirm if the file is copied.
Step 7 Set the permission to 600 using, chmod 600 centos7template01.txt.
Step 8 Now, use the Private Key to SSH using, ssh -i centos7template01.txt root@10.30.15.176.
Step 9 Enter Yes to connect.
Step 10 See if you get the successfully connected message. If not try again.
Turn off Password Authentication
You can disable password authentication for SSH altogether to prevent brute-forcing now that SSH key authentication has been established and tested.
While you're connected to your cloud server, run the following command to open the SSH configuration file.
sudo nano /etc/ssh/sshd_config
Disable clear text passwords by setting the password authentication to no.
PasswordAuthentication no
Just to be cautious and avoid being locked out of your server, make sure public key authentication is enabled.
PubkeyAuthentication yes
After that, save and close the editor. To apply these modifications, use the command below to restart the SSH service.
sudo systemctl restart sshd
With that completed, your cloud server is one step closer to being secure. Attempts to connect to your server with malicious intent will be rejected since simple passwords are not permitted and brute-forcing an RSA key is very difficult.
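sshd uses the first value it finds for each keyword, so a PasswordAuthentication no line added below an earlier PasswordAuthentication yes has no effect. The following added example (not part of the original article) reports the values that actually apply in the global section of a config file; effective_value and check_sshd_auth are hypothetical helper names, and the sketch assumes whitespace-separated "Keyword value" lines and does not follow Include directives.

```sh
#!/bin/sh
# Added example (not from the article): report the PasswordAuthentication and
# PubkeyAuthentication values that apply in the global section of sshd_config.
# Function names are hypothetical. Assumptions: "Keyword value" lines separated
# by whitespace; Include files are not followed.

# effective_value <config file> <lowercase keyword> <built-in default>
effective_value() {
    awk -v want="$2" -v dflt="$3" '
        NF == 0 || $1 ~ /^#/ { next }            # skip blank lines and comments
        { key = tolower($1) }                    # keywords are case-insensitive
        key == "match" { exit }                  # global section ends at first Match
        key == want && !seen { val = tolower($2); seen = 1 }   # first value wins
        END { print (seen ? val : dflt) }
    ' "$1"
}

# check_sshd_auth <config file>
# Returns 0 only when passwords are disabled and public keys are enabled.
check_sshd_auth() (
    cfg=$1
    # Both settings default to "yes" when the keyword is absent.
    pw=$(effective_value "$cfg" passwordauthentication yes)
    pk=$(effective_value "$cfg" pubkeyauthentication yes)
    echo "PasswordAuthentication=$pw PubkeyAuthentication=$pk"
    [ "$pw" = no ] && [ "$pk" = yes ]
)
```

Run check_sshd_auth /etc/ssh/sshd_config after editing, and run sudo sshd -t to catch syntax errors before restarting the service. Keep your current session open until a new key-based login has succeeded.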
Why should you use Public Key Authentication with SSH?
Using a public key to log in to SSH is a safer way to connect than using a password. Apart from that, there are other benefits:
- SSH key pairs are hard to hack because SSH keys are 1024 bits long, similar to a password with 12 characters. This makes it much harder to hack, and you can even increase the number of bits when generating an SSH key to improve security.
- SSH keys are generated using an algorithm that is hard to predict and hack, making them secure.
- The machine that contains the private key is the only machine that has access to it.
- Using a public key to authenticate doesn't compromise security by sharing the contents of your private key.
- If you want more security, you can add a password to your private key for multi-factor type authentication.
How to Use Private Key to Login SSH - Conclusion
Always remember to keep your private keys secure. If you want to be extra secure, you may use the same key on numerous computers or generate fresh ones for each client connecting to your cloud server.
For safe access control, each user should produce their own key pair and password. Even if one of the private keys is compromised, you won't have to replace them all if you handle them properly.