Howto: Generate SSH Keys on your local computer and use with the Server

This entry is part 3 of 8 in the series Network Admin in SSH

Earlier, we have talked about using cPanel username password and cPanel generated keys to login to your webserver through SSH. Now, those procedures are easy, but not “effective” for proper SSHing. The very key concept of SSH key pair login authentication is that, you should be the creator of the public/private key pair and you should add the public key to as many servers you want and authenticate yourself using the pass-phrase you used during the key creation. Till now, we have either used cPanel username/password and/or cPanel generated keys. So, in this tutorial, we shall see:

  • How we can create the key pair using our own computer.
  • Make the private key secure by changing its permission.
  • Upload the public key to the server.
  • Change the server authentication in order to add our public key to the authorized key list.
  • Login to the server using our own generated keys.

The advantage of this is, obviously, if you have, say 3 servers, then you will not need to manage 3 different keys. Instead, you will generate only one pair of keys (or better say, pair of key sfor each of your machines, or even a single pair for all your local machines) and will that to login to as many servers as you wish. So, let us see, how we are supposed to do this.

#1: Linux/Open SSH first:

For the whole thing to work, we have used Linux and preinstalled Open SSH. If you are using any modern distro then you already have all the tools required. First check it by executing the command:

man ssh

If a manual page pops up, then it means you already have it. Otherwise you can install open ssh by

sudo apt-get install openssh-client

Or similar command. Alternately, you can check OpenSSH project page.

#2: Types of SSH keys – DSA vs RSA:

Previously, for the sake of simplicity and cPanel defaults, we have used DSA keys. While there are many controversies (which are supposedly true), I prefer using RSA keys, mainly for two reasons, and I recommend you to stick to it as well.

  • Both RSA and DSA with same key length, are almost equally tough to crack.
  • With RSA we have default 2048 bit key, extensible upto 4096 bits, whereas with DSA it is exactly 1024.

So, as a matter of fact, we can rest in a little bit of more peace with an encrypted RSA key. So, from now on, we shall generate/copy/use only RSA keys. If you have something to say about this, then please post your thought in the comments. I am willing to hear. FYI, do not confuse rsa1 with rsa. rsa1 is for SSH protocol 1 which is obsolete. We will be using RSA key for SSH protocol 2.

#3: Creating your Keys using ssh-keygen:

Now to create the key in your local computer, simply type this command in the terminal:

ssh-keygen -t rsa

This will automatically create the keys with the name ~/.ssh/id_rsa and ~/.ssh/ for private and public respectively (the ~ means your home directory). During the creation process, it will prompt you for the pass-phrase. This pass-phrase is different from your remote server password  and you should use a pass-phrase to protect your private key. If you put an empty string in the pass-phrase (ie, press enter when it prompts for the pass-phrase), then anyone having your private key, can login to your server. Personally, I always use a nice pass-phrase with a combination of uppercase, lowercase and special characters. The output of the command will be something like this:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/swashata/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/swashata/.ssh/id_rsa.
Your public key has been saved in /home/swashata/.ssh/
The key fingerprint is:
The key's randomart image is:

All these means you are ready to use your keys to login to your server.

Now, if you do a

ls -l .ssh

from your home directory then you can see

-rw------- 1 swashata swashata 1766 Jul 16 21:53 id_rsa
-rw-r--r-- 1 swashata swashata  403 Jul 16 21:53

Which means, all the necessary file permissions have already taken care of. (Unlike before where you need to download the private key and chmod it to 600)

#4: Authenticating the public key to your remote server:

Now, we need to authenticate the public key in our remote server. To do so, we shall use scp command to first copy the public key to our server.

scp -P <port_number> ~/.ssh/

Which means that the file from the local machine will be copied to the user directory of the remote machine. Now, if the port number is 22, user is swashata and domain is, then I would run this command:

scp -P 22 ~/.ssh/

This will prompt you for the username and password which should be same as cPanel (if you are using managed VPS or shared server) or the one given to you by the hosting company. It should return an output similar to this:    100%    403    0.4KB/s    00:00

Which means the file has been successfully copied. Also note the capital -P in command. Unlike small -p in scp, we need to use the capital.

Now we need to add it to the authorized_keys list and delete the original file from the server. To do that, we will login using the conventional username/password way and will execute the following command:

ssh -p 22
cat >> ~/.ssh/authorized_keys

Now, we logout using the logout command.

#5: SSH Login using the keys:

At this stage, everything is setup and from now on, when you login to the server, it will not ask you for the password, but will ask you the pass-phrase. To login, simply type the same command:

ssh -p 22

and note the output:

Enter passphrase for key '/home/swashata/.ssh/id_rsa':
Last login: Mon Jul 16 10:42:48 2012 from [~]#

For the passphrase prompt, simply enter your secret phrase and you will be logged in.

#6: Conclusion:

So, finally we have successfully created our own RSA key and used it with our server. You can upload the key to as many servers you like and have the private key only at your local computer(s) to authenticate them on the server. Note that, for each of the servers you will need to add the public key to the authorized_keys file using the append operator (>>).

That was all about the nutshell of SSH using ssh keys. If you are having any trouble or want ask something, do so from the comments.

External Resources: