How to Generate SSH Keys on Ubuntu

March 7, 2024

Introduction

An SSH (Secure Shell) connection is essential for effectively managing a remote server. SSH keys, which consist of a public-private key pair, facilitate encrypted communication and serve as access credentials to establish a secure connection.

Learn how to generate SSH keys on Ubuntu and set up key-based authentication to connect to a remote server without a password.

Prerequisites

Note: For more information about what SSH is, how it works, and why it is used, refer to our guide How Does SSH Work.

How to Generate and Set Up SSH Keys on Ubuntu

The SSH key generation process creates two keys:

  • Public key. Installed on the server. It allows the server to recognize and authenticate the client based on the matching private key.
  • Private key. Must be kept secure. The server authenticates whoever holds it, so keeping it private ensures that you are the only person who can authenticate to the server.

Follow the steps below to create the public-private key pair.

Generate SSH Key Pair

Generate a pair of SSH keys on the client system. The client system is the machine that connects to the SSH server.

1. Create a directory named .ssh in the home directory. The -p option ensures the system does not return an error if the directory exists:

mkdir -p $HOME/.ssh

2. Change the permissions of the directory so that only its owner has read, write, and execute privileges:

chmod 0700 $HOME/.ssh

3. Execute the ssh-keygen command to create an RSA key pair:

ssh-keygen

4. When prompted, provide the path to the key file. If you press Enter without typing a file path, the key will be stored in the .ssh directory under the default file name id_rsa.

5. The system asks you to create a passphrase as an added layer of security. Input a memorable passphrase, and press Enter.

The output shows that the keys have been created successfully.

Alternatively, generate a 4096-bit RSA key pair for extra security:

ssh-keygen -t rsa -b 4096

Note: If a key pair with the same name exists, new keys will overwrite the information in the file, and the old keys will no longer work.

Copy Public Key to Ubuntu Server

After obtaining the key pair, copy the public key to the remote Ubuntu server using one of the following methods.

Using ssh-copy-id Script

The ssh-copy-id script is designed to automatically:

  • Log into the remote server via SSH.
  • Create the .ssh directory and authorized_keys file on the remote server and set the correct permissions.
  • Append the key to the authorized_keys file.

Note: To use the ssh-copy-id tool, you need the remote server's IP address. Learn how to find IP addresses in Linux systems.

1. Use the ssh-copy-id command on the client system to copy the key to the remote Ubuntu server. Enter the -i option to specify the path to the SSH key:

ssh-copy-id -i [ssh-key-location] [username]@[server-ip-address]

Replace [ssh-key-location] with the path to your public SSH key, [username] with the remote server's username and [server-ip-address] with the remote server's IP.

Note: The default SSH key path is ~/.ssh/id_rsa.pub. If your public key is located elsewhere or named differently, change the path accordingly.

2. A message stating that the authenticity of the host cannot be established may appear when connecting to the server for the first time. Type yes and press Enter to proceed.

3. When prompted, enter the password for the user account on the server to authorize copying the SSH public key.

The system copies the contents of the ~/.ssh/id_rsa.pub from the client system into the ~/.ssh/authorized_keys file on the server.

Copy Public Key Manually

If a system does not have the ssh-copy-id command, you can manually copy and add the public key to the remote server's authorized_keys file.

1. Use the following command to display the public key:

cat ~/.ssh/id_rsa.pub

2. Use the mouse to select the entire key, then press Ctrl+Shift+C to copy it.

3. Log in to the SSH server using password authentication:

ssh [username]@[remote_host]

Note: If the password authentication is disabled on the server, you cannot establish an SSH connection manually. The only way to access the server remotely is via a console. If you do not have console access, the server is unreachable, and the process cannot be completed.

4. Create the .ssh directory and the authorized_keys file on the remote server:

mkdir -p ~/.ssh && touch ~/.ssh/authorized_keys

5. Set the necessary permissions:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

6. Append the previously copied public key to the authorized_keys file on the remote server. If connected via SSH, use the following command:

echo 'paste-public-ssh-key-here' >> ~/.ssh/authorized_keys

Replace paste-public-ssh-key-here with the actual SSH public key.

Warning: The >> symbol is used to append content to a file. The > symbol overwrites the file contents. Always double-check that you are using the correct symbol to avoid overwriting important data.

If you are accessing the server via console, open the authorized_keys file using a text editor, like nano:

nano ~/.ssh/authorized_keys 

Paste the public key at the bottom of the file and save the changes.
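
Steps 4 to 6 above can be wrapped in one server-side function that validates the key, enforces the 700/600 modes, and appends only when the key is not already present. This is an added example, not part of the original article; install_pubkey and its arguments are illustrative names, and it assumes the public key has been saved to a file on the server.

```sh
#!/bin/sh
# Added example (not from the original article): validated, idempotent
# install of one public key. Function and argument names are illustrative.
# Usage on the server: install_pubkey /path/to/id_rsa.pub [ssh_dir]
install_pubkey() {
    pub_file=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth_file=$ssh_dir/authorized_keys

    # A public key file holds exactly one line: "<type> <base64> [comment]".
    # A private key pasted by mistake is multi-line and is rejected here.
    if [ ! -r "$pub_file" ] || [ "$(grep -c . "$pub_file")" -ne 1 ]; then
        echo "error: $pub_file is not a single-line public key" >&2
        return 2
    fi
    key_line=$(grep . "$pub_file")
    key_type=${key_line%% *}
    rest=${key_line#* }
    key_blob=${rest%% *}
    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "error: unsupported key type" >&2; return 2 ;;
    esac
    case $key_blob in
        ''|*[!A-Za-z0-9+/=]*) echo "error: malformed key data" >&2; return 2 ;;
    esac

    # Create the directory and file private from the start, then enforce
    # the modes from steps 4-5 even if they already existed.
    ( umask 077; mkdir -p "$ssh_dir" && touch "$auth_file" ) || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file" || return 1

    # Idempotence: match type + key data as adjacent fields, so entries
    # with leading options or a different comment still count.
    if awk -v t="$key_type" -v b="$key_blob" \
        '{ for (i = 1; i < NF; i++) if ($i == t && $(i+1) == b) f = 1 }
         END { exit !f }' "$auth_file"; then
        echo "key already present in $auth_file"
        return 0
    fi

    # If the file lacks a trailing newline, ">>" would glue the new key
    # onto the last entry and break both; terminate that line first.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}
```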

Using cat and SSH Together

Instead of logging into the remote server, users can execute the cat command via SSH from a local machine and append the public key directly into the authorized_keys file:

cat ~/.ssh/id_rsa.pub | ssh [username]@[remote_host] "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys" 

This method uses cat to read the public key, pipes it over SSH, and appends it to the authorized_keys file on the remote server. It also ensures the .ssh directory exists before trying to append the key.

Note: If you manage multiple servers or need to distribute keys to many machines, configuration management tools like Ansible, Puppet, or SaltStack can efficiently handle SSH keys. Each tool offers different modules specifically designed for this purpose.

Log In to the Remote Server

To log in to a remote server, enter the following command on the client system:

ssh [username]@[server-ip] 

If SSH key authentication is set up, the system may not request the user's account password. However, if the SSH key is protected by a passphrase, users are prompted to enter it to unlock the key.

After a successful login, users gain access to the remote server's command line.

Note: In some instances, SSH may refuse the connection and print the "Connection Refused" error. Fix this problem by referring to How to Fix the SSH "Connection Refused" Error.

Set up Passwordless SSH Login (Optional)

Users can add a layer of security by disabling password authentication. The server then accepts logins only from clients with the matching private key.

To configure passwordless SSH logins in Ubuntu:

1. Open the sshd_config file on the remote server using a preferred text editor. The following command opens the file using nano:

sudo nano /etc/ssh/sshd_config

2. Search the file and locate the following line:

PasswordAuthentication yes

3. Modify the line to disable password-based logins:

PasswordAuthentication no

Save changes and exit by pressing Ctrl+X, press Y when prompted to save the changes, and Enter to confirm.

Warning: Before restarting the SSH service, log out and then try to log back in using the SSH key. Confirm that the key-based login works correctly to avoid being locked out of the server.

4. Restart the SSH service:

sudo systemctl restart ssh

After these changes, the server no longer accepts password-based logins.
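
Ubuntu's stock sshd_config pulls in /etc/ssh/sshd_config.d/*.conf near the top, and sshd keeps the first value it reads for each keyword, so a drop-in file can override the edit from step 3. The added example below (not part of the original article; function names and sample files are constructed) reports which line actually decides PasswordAuthentication, assuming the files are passed in the order sshd reads them.

```sh
#!/bin/sh
# Added example (not from the original article). Reports the global
# PasswordAuthentication value and the file:line that sets it.
# Assumption: the caller lists the files in the order sshd reads them.
effective_password_auth() {
    awk '
        # Simplification: a Match block is assumed to end with its file.
        FNR == 1 { in_match = 0 }
        # Strip leading blanks and tolerate the Keyword=value form.
        { sub(/^[ \t]+/, ""); sub(/[ \t]*=[ \t]*/, " ") }
        /^#/ || NF == 0 { next }
        # Settings under Match are conditional, not the global value.
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }
        # First value wins; later occurrences are ignored by sshd.
        tolower($1) == "passwordauthentication" && !found {
            found = 1
            printf "%s %s:%d\n", tolower($2), FILENAME, FNR
        }
        # With no global setting, the built-in default (yes) applies.
        END { if (!found) print "yes built-in-default" }
    ' "$@"
}

# Constructed sample: the main file was edited as in step 3, but a
# drop-in that is read earlier still enables password logins.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '# constructed drop-in' \
        'PasswordAuthentication yes' > "$d/50-example.conf"
    printf '%s\n' "Include $d/*.conf" '#PasswordAuthentication yes' \
        'PasswordAuthentication no' 'Match User backup' \
        '    PasswordAuthentication yes' > "$d/sshd_config"
    # Drop-ins first, then the main file: the drop-in decides (yes).
    effective_password_auth "$d"/*.conf "$d/sshd_config"
    # Main file alone: the edited line decides (no).
    effective_password_auth "$d/sshd_config"
    rm -rf "$d"
}
```

On a live server, sudo sshd -T prints the configuration sshd actually resolves, and sudo sshd -t checks the file for syntax errors before the restart in step 4.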

Conclusion

By following the instructions in this tutorial, you have set up SSH-key-based authentication on an Ubuntu server. The connection is now highly secure, using unique, cryptographic SSH key pairs.

Next, find out what the 19 most common SSH Commands in Linux are.

Vladimir Kaplarevic