SSH (secure shell) is a more secure way of accessing remote Linux systems. While working with Linux based systems, one would spend a lot of time on the terminal. SSH give a more secure way of executing commands on remote Linux systems from the terminal as compared to using user-password authentication since it is encrypted and therefore is highly recommended for all users.
How do ssh keys work?
An ssh session is a client-server model, whereby the remote computer runs a service called ssh while local also runs ssh client. SSH listens on default port 22 and has to be enabled on the remote server. The default port can, however, be changed to enhance security. Once an ssh connection is established, the commands typed on the local computer are sent and executed on the remote computer over an encrypted SSH tunnel.
How SSH authenticate users
Most people generally use user-password authentication to access remote servers but it is not recommended as it is less secure. Hackers are always on the hunt to crack passwords and get access to people’s systems. With SSH keys, it makes it more difficult for a hacker to decrypt SSH keys. In order to access a server with ssh keys, one must generate the encrypted key combination and copy the public key to the remote computer.
This is copied in the list of authorized keys in ~/.ssh/authorized-keys. Note that the public key can be shared freely but the private key must be kept secured and never to be exposed to anyone. In this guide, we will be looking at how to set up ssh keys on Linux Mint 20.
Generate SSH keys
The first thing to do to authenticate to a remote computer is to generate ssh key pair on your local computer. Open the terminal and run the command below:
Once you press Enter the system will begin to generate ssh key pair. By default, ssh-keygen will generate a 2048-bit RSA key pair which is secure enough but you can always pass a flag -b 4096 to generate a 4096-bit key. You will be prompted to enter a file to save the key.
generating public/private rsa key pair. Enter a file in which to save the key (your_home/.ssh/id_rsa):
Press Enter to save in the default location with the default key names. If you had previously generated a key pair, you might see the below prompt:
/home/your-home/.ssh/id_rsa already exists. Overwrite (y/n)? y
If you choose to overwrite, you will lose the previous key and you will not be able to authenticate with it. If you want to keep the previous key, you can specify a different name for the new key.
Next, you will be prompted to enter a passphrase.
Enter passphrase (empty for no passphrase):
Here, you will optionally choose to use a passphrase but it is recommended as it adds another layer of security to your ssh key authentication. Ensure to keep to passphrase secure and always remember it. Type your passphrase and press Enter. You will be prompted to enter the passphrase again. Type the passphrase again and press Enter.
Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/lorna/.ssh/id_rsa. Your public key has been saved in /home/lorna/.ssh/id_rsa.pub. The key fingerprint is: SHA256:l7jO9w52yi3tDRmAA/yJExIoYyfS5B+uE54hENf/I/8 [email protected] The key's randomart image is: +---[RSA 3072]----+ |.ooo.o. | |+*o.o o. . | |+o+ .o +o.. | |. o .+ oo o | |. o o oS o . | | o = . oo o | | = o..o.+ | | . o.oo=.o | | ooE== . | +----[SHA256]-----+
You have successfully generated your ssh key pair. You can view your keys by changing to the directory where the key pair is saved and listing its content.
cd /home/your-home/.ssh/ ls
id_rsa id_rsa.pub known_hosts
Copy public key to the remote server with ssh-copy-id
Linux provides a utility called ssh-copy-id that makes it quite simple and fast to copy the public key to the remote computer’s list of authorized keys. Run the command as shown below:
$ ssh-copy-id [email protected]
Once you press Enter, you will be prompted to enter remote server password. Upon entering the password and pressing enter, your public key will be copied to your remote server. You will see an output as below.
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/root/.ssh/id_rsa.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys [email protected]'s password: Number of key(s) added: 1 Now try logging into the machine, with: "ssh '[email protected]'" and check to make sure that only the key(s) you wanted were added.
Copy public key to the remote server without using ssh-copy-id
You can also use the command below to copy your public key to the remote server authorized keys without necessarily using ssh-copy-id utility.
$ cat ~/.ssh/id_rsa.pub | ssh [email protected]st-IP "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
You will be prompted for the remote computer access password which upon entering and pressing Enter, your public key will be copied.
Copy and paste the public key to the remote server
You can also manually copy the public key, access the remote server with username and password authentication and paste to the authorized keys file in the remote computer.
On your local machine, display the content of your public key using cat command.
$ cat ~/.ssh/id_rsa.pub
Copy the content. On your remote server create a directory ~/.ssh/authorized_keys
mkdir ~/.ssh/authorized_keys vim ~/.ssh/authorized_keys
Paste the content of the public key and save the file.
At this time, you have successfully copied your public key to the remote computer. Test connection as below:
$ ssh [email protected]
Enter passphrase for key '/lorna/.ssh/id_rsa': Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-42-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage System information as of Sat 25 Jul 2020 07:59:22 AM EAT System load: 0.0 Processes: 130 Usage of /: 43.7% of 18.57GB Users logged in: 0 Memory usage: 17% IPv4 address for eth0: 22.214.171.124 Swap usage: 0% * "If you've been waiting for the perfect Kubernetes dev solution for macOS, the wait is over. Learn how to install Microk8s on macOS." https://www.techrepublic.com/article/how-to-install-microk8s-on-macos/ 15 updates can be installed immediately. 0 of these updates are security updates. To see these additional updates run: apt list --upgradable Last login: Sat Jul 25 07:31:57 2020 from 333.333.114.47
Adding ssh keys to ssh agent: ssh-agent and ssh-add commands
What is ssh-agent? Ssh-agent is used for managing ssh keys. For example, if you have a passphrase and you do not want to type it every time you use SSH keys, then you can add you key to ssh agent.
First start ssh-agent in the background by running the below command:
$ eval “$(ssh-agent -s)”
Agent pid 24344
Now add your private key to ssh-agent
$ ssh-add ~/.ssh/id_rsa
You will be prompted to enter your passphrase. The next time to access the remote server, ssh-agent will remember your key and passphrase and you will not be prompted for anything.
How to copy files over SSH with scp
Once you have a working ssh session between a local computer and a remote computer, you can transfer files between the two by using scp command.
Copy files from local to remote over ssh
On your local machine, run the following command to copy files from your local machine to your remote computer
scp <path-to-local-file> [email protected]:<path-on-remote>
Since you already have the public key in the remote computer, the file should copy without a problem.
Copy files from remote to local over ssh
On your local computer, run the below command to copy from remote computer to your local computer.
scp [email protected]:<file-to-send> <file-to-put-on-local>
If it is a folder you are copying add a -r as shown
scp -r [email protected]:<file-to-send> <file-to-put-on-local>
Install openssh-server on Linux Mint 20
To be able to use SSH for remote connection, the remote server must have ssh service running while local computer runs ssh client. To enable ssh on the remote server, install openssh-server if ssh service does not already exist. To install openssh-server on Linux Mint 20, run the below commands:
sudo apt-get update sudo apt-get install openssh-server
SSH service should automatically start once install. Check status using the below command:
sudo systemctl status ssh
Enable ssh to always start on system boot
sudo systemctl enable ssh
Now allow ssh service through the firewall.
sudo ufw allow ssh sudo ufw enable
Change SSH default port
SSH service listens on default port 22. For security purposes, it is recommended to change it. Open ssh configuration file and make the changes as shown:
$ sudo vim /etc/ssh/sshd_config
Look out for the line port=22 and put a different port number of your choice. For example, I am changing mine to 2022
Save the file and restart ssh service
sudo systemctl restart ssh
Open the new port on the firewall.
sudo ufw allow 2022/tcp
To access the remote server, you will need to specify the port number on your command as shown:
ssh [email protected] -p 2022
This has been a step by step guide on how to use SSH keys authentication on Linux Mint. Enjoy!
Linux Learning courses: