How to Set Up SSH Keys
Why would you want to use SSH Keys?
SSH keys are a more secure way of connecting to your server than simple password authentication, and they all but stop a terminal brute-force password attack on your server. Once you’ve set up an SSH key pair, it can be used on more than one server or VPS, which also saves a whole load of time when logging in to multiple different servers. To add an additional layer of protection, you can also password-protect your SSH key.
Creating your SSH Key Pair
I tend to use PuTTY as my SSH terminal, so the following instructions explain how to create and set up an SSH key with PuTTY. To do this, we’ll first need to download PuTTYgen, a companion programme that works with PuTTY to generate the SSH keys.
To generate a set of RSA keys with PuTTYgen
- Start the PuTTYgen utility, by double-clicking on its .exe file;
- For Type of key to generate, select SSH-2 RSA;
- In the Number of bits in a generated key field, specify either 2048 or 4096 (increasing the bits makes it harder to crack the key by brute-force methods);
- Click the Generate button;
- Move your mouse pointer around in the blank area of the Key section, below the progress bar (to generate some randomness) until the progress bar is full;
- A private/public key pair has now been generated;
- In the Key comment field, enter any comment you’d like, to help you identify this key pair, later (e.g. your e-mail address; home; office; etc.) — the key comment is particularly useful in the event you end up creating more than one key pair;
- Optional: Type a passphrase in the Key passphrase field & re-type the same passphrase in the Confirm passphrase field (if you would like to use your keys for automated processes, however, you should not create a passphrase);
- Click the Save public key button & choose whatever filename you’d like (some users create a folder in their computer named my_keys);
- Click the Save private key button & choose whatever filename you’d like (you can save it in the same location as the public key, but it should be a location that only you can access and that you will NOT lose! If you lose your keys and have disabled username/password logins, you will no longer be able to log in!);
- Right-click in the text field labeled Public key for pasting into OpenSSH authorized_keys file and choose Select All;
- Right-click again in the same text field and choose Copy.
NOTE: PuTTY and OpenSSH use different formats for public SSH keys. If the SSH key you copied starts with “---- BEGIN SSH2 PUBLIC KEY …”, it is in the wrong format. Be sure to follow the instructions carefully. Your key should start with “ssh-rsa AAAA ….”
Save the Public Key on Your Server
Now, you need to paste the copied public key in the file ~/.ssh/authorized_keys on your server.
1. Log in to your destination server using PuTTY.
2. If your SSH folder does not yet exist, create it manually:
mkdir -p ~/.ssh
chmod 0700 ~/.ssh
touch ~/.ssh/authorized_keys
chmod 0644 ~/.ssh/authorized_keys
3. Paste the SSH public key into your ~/.ssh/authorized_keys file. I’m not a hardened server dev but a website developer who needs bespoke server environments, so I still prefer to do this with WinSCP or a similar visual interface, but you can do it all from the command line if you prefer.
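The server-side steps above as one repeatable script, as an added example that is not part of the original page: it refuses a key in the SSH2 format the NOTE warns about, rejects a key that wrapped onto several lines when pasted, and appends the key only once. The function names and the sample key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.

# Constructed sample inputs (not real keys).
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructedSAMPLEonly me@home'
SAMPLE_SSH2='---- BEGIN SSH2 PUBLIC KEY ----
Comment: "me@home"
AAAAB3NzaC1yc2EAAAADAQABAAABAQC7constructedSAMPLEonly
---- END SSH2 PUBLIC KEY ----'

# key_format KEY -> prints openssh | ssh2 | unknown (RSA keys only, as on this page)
key_format() {
    case "$1" in
        "---- BEGIN SSH2 PUBLIC KEY ----"*) echo ssh2 ;;
        "ssh-rsa AAAA"*)                    echo openssh ;;
        *)                                  echo unknown ;;
    esac
}

# install_pubkey HOME_DIR KEY -> 0 if the key is installed or already present
install_pubkey() {
    ssh_dir="$1/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    key=$2
    nl='
'
    blob=${key#ssh-rsa }   # strip the key type ...
    blob=${blob%% *}       # ... and the trailing comment

    # Reject the SSH2 block format and anything unrecognised.
    [ "$(key_format "$key")" = openssh ] || { echo "wrong key format" >&2; return 1; }
    # A pasted key that wrapped onto several lines will never match at login.
    case "$key" in *"$nl"*) echo "key spans several lines" >&2; return 1 ;; esac
    # The key body must be base64 only.
    case "$blob" in *[!A-Za-z0-9+/=]*) echo "corrupt key body" >&2; return 1 ;; esac

    # Same permissions as the manual steps.
    mkdir -p "$ssh_dir" && chmod 0700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 0644 "$auth_file" || return 1

    # Append once only, so re-running does not duplicate the entry.
    grep -qxF -- "$key" "$auth_file" || printf '%s\n' "$key" >> "$auth_file"
}
```

Call it on the server as `install_pubkey "$HOME" "<the line copied from PuTTYgen>"`.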
Create a PuTTY Profile to Save Your Server’s Settings
In PuTTY, you can create (and save) profiles for connections to your various SSH servers, so you don’t have to remember, and continually re-type, redundant information.
- Start PuTTY by double-clicking its executable file;
- PuTTY’s initial window is the Session Category (navigate PuTTY’s various categories, along the left-hand side of the window).
- In the Host Name field, enter the IP address of your VPS or its fully qualified domain name (FQDN).
- Enter the port number in the Port field (for added security, consider changing your server’s SSH port to a non-standard port).
- Select SSH under Protocol;
- Along the left-hand side of the window, select the Data sub-category, under Connection;
- Specify the username that you plan on using, when logging in to the SSH server, and whose profile you’re saving, in the Auto-login username field;
- Expand the SSH sub-category, under Connection;
- Highlight the Auth sub-category and click the Browse button, on the right-hand side of the PuTTY window;
- Browse your file system and select your previously-created private key;
- Return to the Session Category and enter a name for this profile in the Saved Sessions field, e.g. email@example.com or firstname.lastname@example.org;
- Click the Save button for the Load, Save or Delete a stored session area.
Now you can go ahead and log in to email@example.com and you will not be prompted for a password. However, if you set a passphrase on your key, you will be asked to enter the passphrase at that time (and every time you log in in the future).
Final Step – Disable Password Login
To finally benefit from the extra security that SSH keys offer, you will need to disable password login on your server. Before you do this, it is essential that you keep your SSH key files in a safe place and take a backup… in another safe place. When password login is disabled, you won’t be able to log in without these keys.
Once you have verified that your key-based logins are working, you are ready to disable username/password logins. To do this, you need to edit your SSH server’s configuration file. On Debian/Ubuntu systems, this file is located at /etc/ssh/sshd_config.
Using WinSCP, navigate to
Edit the file and amend to resemble the following
Reload SSH with the command:
service ssh restart
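One way to confirm that password login is really off in an edited sshd_config, as an added example that is not part of the original page: it applies sshd's rule that the first value read for a keyword wins, so a "no" appended below an earlier "yes" changes nothing. The function names and both sample files are constructed; it assumes whitespace-separated "Keyword value" lines and does not evaluate Include files or Match blocks.

```shell
#!/bin/sh
# Added example, not from the original page; function names are hypothetical.
# Assumptions: "Keyword value" lines; Include files and Match blocks are
# not evaluated (only the global section is read).

# effective_setting FILE KEYWORDS DEFAULT
# KEYWORDS may list aliases separated by '|'. sshd keeps the FIRST value it
# reads for a keyword, keywords are case-insensitive, '#' starts a comment.
effective_setting() {
    awk -v want="$2" -v def="$3" '
        BEGIN { want = "^(" tolower(want) ")$" }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) ~ want { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# login_policy FILE -> prints key-only | password-enabled | lockout-risk
login_policy() {
    pw=$(effective_setting "$1" PasswordAuthentication yes)
    kbd=$(effective_setting "$1" \
        "KbdInteractiveAuthentication|ChallengeResponseAuthentication" yes)
    pk=$(effective_setting "$1" PubkeyAuthentication yes)
    if [ "$pw" != no ] || [ "$kbd" != no ]; then
        echo password-enabled      # a password-style prompt is still offered
    elif [ "$pk" = no ]; then
        echo lockout-risk          # neither passwords nor keys are accepted
    else
        echo key-only
    fi
}

# Constructed sample: the later "no" does not override the earlier "yes".
sample_before() { cat <<'EOF'
#PasswordAuthentication no
passwordauthentication yes
PasswordAuthentication no
EOF
}

# Constructed sample: the corrected file.
sample_after() { cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF
}
```

On the server itself, `sshd -t` checks the file for syntax errors before you restart the service, and `sshd -T` prints the configuration sshd will actually use. Keep your existing session open until a new key-based login has succeeded.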
Your server should now be secured with SSH keys.