
If you run servers, you must always access them with a secure login, which means using an encrypted key instead of traditional password access. In this article we'll focus on how to generate a new key, install it on a server and use it.
All the server examples here are running Linux.
Components Explanation
SSH keys have 2 main components:
Private key: held only by the “connecting machine”, like the fingerprint you use to unlock your phone.
Public key: installed on the servers you want to connect to; it is the server's way of saying “key-X is allowed to access this server”.
We can see this example:

Here we have 2 work machines used to access the servers, and a couple of servers. Imagine that Maria is Joe's boss. The server where Joe works has 2 public keys installed (Joe's and Maria's), so she can access both servers while Joe can only access Server1.
How does it work?
The machine that wants access makes a request, for example an ssh attempt to connect to username@serverip. The server looks in the file userhome/.ssh/authorized_keys to see whether the key being offered is allowed to connect as this user. If it is allowed, the connecting host prompts for the passphrase to decrypt the private key and sends the confirmation to the server. The server then checks that confirmation against the public key it has stored, and if they match you are logged in.
If you use a Mac or Linux host, you can jump to the section “New pair of keys on Mac or Linux host”.
New pair of keys on Windows host
If you are connecting to your server from a Windows machine, I recommend the MobaXterm ssh client, as it is much more powerful than PuTTY.
Here we'll learn how to create a new private key together with its matching public key, as two files.
Open your MobaXterm app and follow these steps:

STEP 1: OPEN MOBAKEYGEN UTILITY

STEP 2: CHANGE THE NUMBER OF BITS TO 4096

STEP 3: MOVE THE MOUSE INSIDE THE WINDOW

FINAL STEPS
You need to copy your public key for a later step; paste it into a notepad (all the textbox content, including ssh-rsa).
Then set a difficult passphrase and type it again (never save it digitally in a notepad or similar; a piece of paper is safer). Then click “Save public key” and “Save private key”. Keep both files on your computer, for example in a folder inside Documents.
New pair of keys on Mac or Linux host
On this kind of host it is much faster: just open a terminal and run the command
ssh-keygen -t rsa -b 4096
It will prompt you for a passphrase; make sure you choose a hard one.
It will create two files in your ~/.ssh/ folder, named id_rsa and id_rsa.pub.
Be careful: if you run the command again, it can overwrite the first pair. Alternatively, you can set the file name with this other option:
ssh-keygen -t rsa -b 4096 -f yourfilename
Install the public key in the server
There are plenty of ways to do it; we will share just one of them here.
a) Get long public key
You need to copy the whole public key to your clipboard. If you used MobaXterm on Windows, you may have saved it in a notepad. If not, just open the id_rsa.pub file with an editor.
On Linux and Mac, in a terminal you can run:
cat ~/.ssh/id_rsa.pub
Or use your custom file name instead. Your public key will be printed in the terminal; select it with the mouse and copy it to your clipboard.
You must copy something like: “ssh-rsa AAAAB3NzaC……gZd8Qac=”
b) Connect to your server
At this point you need to connect to your server with ssh using your current password; remember that the key is not installed on the server yet.
c) Paste your public key
Once you are in your server's terminal, run:
nano ~/.ssh/authorized_keys
Paste your public key inside, then press Ctrl+X and Ctrl+S to exit nano and save the file.
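The same installation done as a script on the server, given as an added example and not code from the original article. The function name install_pubkey and its arguments are assumptions; it rejects a private key or a broken paste, sets the permissions sshd expects, and skips a key that is already installed.

```sh
#!/bin/sh
# Added example (not from the original article).
# Usage: install_pubkey PUBKEY_FILE [SSH_DIR]   (SSH_DIR defaults to ~/.ssh)
install_pubkey() {
    pubkey_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_file="$ssh_dir/authorized_keys"

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 2; }
    # Drop blank lines; a .pub file holds exactly one key line.
    key_line=$(grep -v '^[[:space:]]*$' "$pubkey_file" || true)

    # Pasting the private key by mistake is the failure to catch first.
    case $key_line in
        *"PRIVATE KEY"*) echo "refusing: that is a private key" >&2; return 3 ;;
    esac
    [ $(printf '%s\n' "$key_line" | wc -l) -eq 1 ] ||
        { echo "expected exactly one key line" >&2; return 3; }
    # "type base64-blob [comment]"; a wrapped or truncated paste fails here.
    printf '%s\n' "$key_line" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' ||
        { echo "not a valid public key line" >&2; return 3; }

    # With StrictModes (the sshd default), loose permissions get the key ignored.
    ( umask 077; mkdir -p "$ssh_dir" && touch "$auth_file" ) || return 4
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file" || return 4

    # Compare on "type blob" only, so a different comment is still a duplicate.
    key_id=$(printf '%s\n' "$key_line" | cut -d' ' -f1,2)
    if grep -Fq -- "$key_id" "$auth_file"; then
        echo "key already installed"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "key installed in $auth_file"
}
```

Call it with the path of the uploaded .pub file, for example install_pubkey ./id_rsa.pub.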
Final Considerations
We prefer to keep our passphrases on a piece of paper, but always remember to keep a good backup on another piece of paper; you can store it with important paper documents like your passport so you don't lose it.
Don't copy the private key file around to a dozen machines, to the point where you no longer remember where you have it.
If you are using a public WiFi hotspot, like one at a Starbucks, always use a VPN service before you type your passphrase; otherwise someone can get it.