Ssh Public Key File

Posted : admin On 1/29/2022
Did you know you can passwordless SSH? Here's how, and how to decide whether you should.
  1. Ssh Key File Format
  2. Ssh Public Key File Location

If you interact regularly with SSH commands and remote hosts, you may find that using a key pair instead of passwords can be convenient. Instead of the remote system prompting for a password with each connection, authentication can be automatically negotiated using a public and private key pair.

The private key remains secure on your own workstation, and the public key gets placed in a specific location on each remote system that you access. Your private key may be secured locally with a passphrase. A local caching program such as ssh-agent or gnome-keyring allows you to enter that passphrase periodically, instead of each time you use the key to access a remote system.


Generating a key pair and propagating the public key


Generating your key pair and propagating your public key is simpler than it sounds. Let’s walk through it.

Generating the key

The minimum effort to generate a key pair is to run ssh-keygen with no arguments and accept the defaults at every prompt. Recent OpenSSH releases default to an RSA key (3072 bits since OpenSSH 8.0); passing -t ed25519 produces a smaller, faster key that any OpenSSH server from release 6.5 onward accepts.

The default location for the files is the ~/.ssh directory, which will be created if it does not exist. The private key is named after the key type (id_rsa or id_ed25519) and the public key gets the same name with a .pub suffix.

Allowing ssh-keygen to create the directory also ensures that the owner and permissions are set correctly: mode 700 for ~/.ssh and mode 600 for the private key. The ssh client refuses to use a private key that other users can read; it prints an UNPROTECTED PRIVATE KEY FILE warning and ignores the key, and other tools that read the file are similarly strict.

The file ending in .pub is the public key that needs to be transferred to the remote systems. It contains a single line with three whitespace-separated fields: the key type (for example ssh-ed25519 or ssh-rsa), the key itself as a base64-encoded blob, and a comment that defaults to user@host and exists only to help humans tell keys apart. The -C option of ssh-keygen sets a different comment; the comment has no effect on authentication.

After generating the key pair, the ssh-keygen command also displays the fingerprint and randomart image that are unique to this key. This information can be shared with other people who may need to verify your public key.

Later you can view them again with ssh-keygen -l followed by -f and the public key file. The -l option lists the fingerprint (SHA256 by default; add -E md5 for the older colon-separated form) and the -v option adds the ASCII art.
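The single-line format and the fingerprint just described, as an added example in Python (not code from the original article or from OpenSSH). The blob after the key type is a sequence of length-prefixed fields in the SSH wire format, the first of which repeats the key type; the fingerprint ssh-keygen -l prints is the SHA-256 of that decoded blob, base64-encoded with the padding removed. The sample key line is constructed for the example and is not a usable key.

```python
"""Parse an OpenSSH public key line and compute its fingerprints.

Added example for this article, not code from the original page or from
OpenSSH. SAMPLE_LINE is constructed (an Ed25519 public value of the bytes
0..31), so it parses like a real key but is not a usable one.
"""
import base64
import hashlib
import struct


def read_string(blob, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated string body")
    return blob[offset + 4:end], end


def parse_public_key_line(line):
    """Split '<type> <base64 blob> [comment]' and decode the blob's fields.

    The blob starts with the key type, so a line whose first token disagrees
    with the blob is rejected rather than trusted.
    """
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, encoded = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(encoded, validate=True)
    embedded, offset = read_string(blob, 0)
    if embedded != keytype.encode("ascii"):
        raise ValueError(f"type field {keytype!r} does not match blob type {embedded!r}")
    fields = []
    while offset < len(blob):
        field, offset = read_string(blob, offset)
        fields.append(field)
    return {"type": keytype, "blob": blob, "fields": fields, "comment": comment}


def fingerprint_sha256(blob):
    """The value ssh-keygen -l prints: base64 of SHA-256 over the blob, padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def fingerprint_md5(blob):
    """The legacy form (ssh-keygen -l -E md5): colon-separated hex of MD5 over the blob."""
    digest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def rsa_modulus_bits(parsed):
    """For ssh-rsa the fields are [e, n] as mpints; the key size is the bit length of n."""
    if parsed["type"] != "ssh-rsa" or len(parsed["fields"]) != 2:
        raise ValueError("not an ssh-rsa key")
    return int.from_bytes(parsed["fields"][1], "big").bit_length()


def encode_ed25519_line(public_value, comment):
    """Build the one-line form from a raw 32-byte Ed25519 public value."""
    if len(public_value) != 32:
        raise ValueError("Ed25519 public values are 32 bytes")
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + public_value
    return f"ssh-ed25519 {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()


# Constructed sample: syntactically valid, not a real key.
SAMPLE_LINE = encode_ed25519_line(bytes(range(32)), "alice@workstation")

if __name__ == "__main__":
    key = parse_public_key_line(SAMPLE_LINE)
    print(key["type"], "with a", len(key["fields"][0]), "byte public value, comment:", key["comment"])
    print(fingerprint_sha256(key["blob"]))
    print(fingerprint_md5(key["blob"]))
```

Running ssh-keygen -lf on a real .pub file and fingerprint_sha256 on the same line gives the same SHA256 value, which is a quick way to confirm that a parser is reading exactly the blob sshd sees; the type check matters because sshd identifies a key by the blob, not by the first token.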

Propagating the public key to a remote system

If password authentication is currently enabled, the easiest way to transfer the public key to the remote host is the ssh-copy-id command. If you used the default name for the key, all you need to specify is the remote user and host, as in ssh-copy-id user@host. It logs in with your password, creates ~/.ssh on the remote side with the right permissions if needed, and appends the public key to ~/.ssh/authorized_keys, skipping keys that are already present.

Following the instructions in its output, verify that you can connect using the key pair. If you set a passphrase, you will be prompted for it to unlock the private key, not for the remote account's password.

Examine ~/.ssh/authorized_keys on the remote system, which is where the public key was appended. If the directory or file did not exist, ssh-copy-id created them with the correct ownership and permissions. Each line is a single authorized public key, in the same format as the .pub file.

To revoke access for this key pair, remove its line from the file. sshd reads the file on every login attempt, so the change applies to the next connection without a restart; sessions that are already open are not affected and have to be terminated separately.

There are many other options that can be placed in front of a key in the authorized_keys file to control what it may do. They are usually set by administrators who put public keys on a system with restrictions: from= limits where the connection may originate, command= forces a single command regardless of what the client asks for, restrict switches off port forwarding, agent forwarding, X11 forwarding and PTY allocation in one word, and expiry-time= gives a date after which the key is no longer accepted. These and the remaining options are documented in the AUTHORIZED_KEYS FILE FORMAT section of the sshd man page.

Changing the passphrase

If you need to change the passphrase on your private key, or if you initially set an empty passphrase and want that protection later, use the ssh-keygen command with the -p option.

You can add options to specify the key file (-f) and the old (-P) or new (-N) passphrase on the command line. Remember that any passphrase given on the command line is saved in your shell history and is visible to other users on the system in the process list while the command runs; prefer the interactive prompts.

See the ssh-keygen man page for additional options.

Rotating keys

While the public key by itself is meant to be shared, keep in mind that if someone obtains your private key, they can then use it to access every system that has the public key. Plain key pairs also do not have a period of validity like GNU Privacy Guard (GPG) keys or public key infrastructure (PKI) certificates. (OpenSSH certificates, which ssh-keygen -s issues from a certificate authority key, do carry validity periods and principals, but they are a separate mechanism from the plain keys discussed here.)

If you have any reason to suspect that a private key has been stolen or otherwise compromised, you should replace that key pair. The old public key has to be removed from all systems, a new key has to be generated with ssh-keygen, and the new public key has to be transferred to the desired remote systems.

If you are rotating keys as a precaution and without any concern of compromise, you can use the old key pair to authenticate the transfer of the new public key before removing the old key.
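The authorized_keys line format with its option field, the audit an administrator would run over such a file, and the revocation step of the rotation just described, as an added example in Python rather than the page's own commands (not code from the original article or from OpenSSH). The option names and the quoting rules (quoted values may contain commas) follow the sshd man page; the sample file, its key blobs and the 3072-bit RSA threshold are constructed for the example and are not real keys or an OpenSSH default.

```python
"""Audit and prune an OpenSSH authorized_keys file.

Added example for this article, not code from the original page or from
OpenSSH. Parses the option field as sshd(8) documents it, flags keys a
cautious administrator would question, and removes a key by fingerprint.
The sample file, its key blobs and the policy thresholds are constructed.
"""
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")

def split_options(text):
    """Split 'a,b="x,y",c' into ['a', 'b=x,y', 'c'], honouring quotes and escapes."""
    options, current, quoted, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if quoted and ch == "\\" and i + 1 < len(text):
            current.append(text[i + 1])
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch == "," and not quoted:
            options.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if quoted:
        raise ValueError("unterminated quote in options")
    options.append("".join(current))
    return [o for o in options if o]

def parse_authorized_key(line):
    """Return {options, type, blob, comment} for a key line, None for blank or comment lines."""
    rest = line.strip()
    if not rest or rest.startswith("#"):
        return None
    options_text = ""
    if not rest.split(None, 1)[0].startswith(KEY_TYPE_PREFIXES):
        # Options precede the key and end at the first whitespace outside quotes.
        quoted, i = False, 0
        while i < len(rest) and (quoted or not rest[i].isspace()):
            if quoted and rest[i] == "\\":
                i += 1
            elif rest[i] == '"':
                quoted = not quoted
            i += 1
        options_text, rest = rest[:i], rest[i:].strip()
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError(f"malformed key line: {line!r}")
    return {"options": split_options(options_text), "type": parts[0],
            "blob": base64.b64decode(parts[1], validate=True),
            "comment": parts[2] if len(parts) == 3 else ""}

def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def rsa_modulus_bits(blob):
    """ssh-rsa blob = string 'ssh-rsa', mpint e, mpint n: skip two fields, then size n."""
    offset = 0
    for _ in range(2):
        offset += 4 + int.from_bytes(blob[offset:offset + 4], "big")
    n_len = int.from_bytes(blob[offset:offset + 4], "big")
    return int.from_bytes(blob[offset + 4:offset + 4 + n_len], "big").bit_length()

def audit(text, min_rsa_bits=3072):
    """Return [(line_number, comment, [findings])], one entry per key."""
    report, seen = [], {}
    for number, line in enumerate(text.splitlines(), 1):
        key = parse_authorized_key(line)
        if key is None:
            continue
        findings = []
        names = {o.split("=", 1)[0] for o in key["options"]}
        if not names & {"restrict", "from", "command"}:
            findings.append("unrestricted: no restrict, from= or command= option")
        if key["type"] == "ssh-dss":
            findings.append("ssh-dss is disabled by default in current OpenSSH")
        if key["type"] == "ssh-rsa" and rsa_modulus_bits(key["blob"]) < min_rsa_bits:
            findings.append(f"rsa modulus shorter than {min_rsa_bits} bits")
        fp = fingerprint(key["blob"])
        if fp in seen:
            findings.append(f"duplicate of line {seen[fp]}")
        seen.setdefault(fp, number)
        report.append((number, key["comment"], findings))
    return report

def revoke(text, target_fingerprint):
    """Return the file with every line for that fingerprint removed; other lines untouched."""
    kept = [l for l in text.splitlines()
            if (k := parse_authorized_key(l)) is None or fingerprint(k["blob"]) != target_fingerprint]
    return "\n".join(kept) + "\n"

def _mpint(n):
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")   # extra byte keeps the high bit clear
    return struct.pack(">I", len(raw)) + raw

def _ed25519_blob(fill):   # constructed: 32 identical bytes, not a real public value
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill]) * 32

def _rsa_blob(bits):       # constructed: an odd number of the right size stands in for n
    return struct.pack(">I", 7) + b"ssh-rsa" + _mpint(65537) + _mpint((1 << (bits - 1)) | 1)

def _b64(blob):
    return base64.b64encode(blob).decode()

LEGACY_BLOB = _rsa_blob(1024)
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample for the example",
    f"ssh-ed25519 {_b64(_ed25519_blob(1))} alice@laptop",
    f'from="10.0.0.0/8,192.168.1.*",command="/usr/local/bin/backup.sh",no-pty ssh-ed25519 {_b64(_ed25519_blob(2))} backup@nas',
    f'restrict,expiry-time="20301231" ssh-ed25519 {_b64(_ed25519_blob(3))} ci@runner',
    f"ssh-rsa {_b64(LEGACY_BLOB)} legacy@host",
    f"ssh-ed25519 {_b64(_ed25519_blob(1))} alice@laptop copied again",
]) + "\n"
```

audit(SAMPLE_AUTHORIZED_KEYS) reports the two keys without any restriction, the 1024-bit RSA key and the line that duplicates alice's key; revoke(text, fingerprint(blob)) is the rotation step of dropping the old key once the new one is in place, matching on the key itself so that a changed comment or added options cannot hide a key from revocation.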

Is using empty passphrases ever a good idea?

There are several things to think about when considering an empty passphrase for your SSH private key.

How secure is the private key file?

If you tend to work from multiple client systems and want to either have multiple copies of your key or keep a copy on removable media, then it really is a good idea to have a passphrase on the private key. This practice is in addition to protecting access to the key file with encrypted media.

However, if you have only one copy of the private key and it is kept on a system that is well secured and not shared, then having a passphrase is simply one more level of protection just in case.

Remember that changing the passphrase on one copy does not change the passphrase on other copies. The passphrase is simply locking access to a specific key file.

Why do you think you need an empty passphrase?

There are cases for keys with empty passphrases. Some utilities that need to automatically transfer files between systems need a passwordless method to authenticate. The kdump utility, when configured to dump the kernel to a remote system using SSH, is one example.

Another common use is to generate a key pair for a script that is designed to run unattended, such as from a cron job.

How about a middle ground alternative?

By itself, a passphrase-protected private key requires the passphrase to be entered each time the key is used. This setup does not feel like passwordless SSH. However, there are caching mechanisms that allow you to enter the key passphrase once and then use the key over and over without reentering that passphrase.


OpenSSH comes with an ssh-agent daemon and an ssh-add utility to cache the unlocked private key. The GNOME desktop also has a keyring daemon that stores passwords and secrets but also implements an SSH agent.

The lifetime of the cached key can be configured in each agent or when the key is added (ssh-add -t sets a timeout for that key). In many cases it defaults to an unlimited lifetime, but the cache is cleared when the agent exits, normally at the end of the login session, so you are prompted for the passphrase only once per session.

If there is a scheduled application that needs to run outside of a user login session, it may be possible to use a secret or other password manager to automate the unlocking of the key. For example, Ansible Tower stores credentials in a secure database. This database includes an SSH private key used to connect to the remote systems (managed nodes), and any passphrases necessary for those private keys. Once those credentials are stored, a job can be scheduled to run a playbook on a regular schedule.

Automating propagation

A centralized identity manager such as FreeIPA can assist with key propagation. Upload the public key to the server as an attribute of a user account, and then propagate it to the hosts in the domain as needed. FreeIPA can also provide additional host-based access control for where a key may be used.

Keys can also be distributed using Ansible modules. The openssh_keypair module uses ssh-keygen to generate keys and the authorized_key module adds and removes SSH authorized keys for particular user accounts.

Wrapping up

SSH key pairs are only one way to automate authentication without passwords. Using the Generic Security Services Application Program Interface (GSSAPI) authentication is also common when trying to reduce the use of passwords on a network with centralized user management. SSH key pairs are the easier option to implement when single sign-on (SSO) is not already available.

Many source code repositories grant access using SSH keys. You can upload a public key to an account in the hosting organization such as the Fedora Account System, GitLab, or GitHub sites and use that key pair to authenticate when pulling and pushing content to repositories.




Ssh Key File Format

To manage a Linux server remotely, the SSH protocol is used: it connects you to a shell on your Linux server. Most of the time a VPS or dedicated server comes with password login enabled. The SSH transport is encrypted, but password authentication still exposes the server to online brute-force and credential-guessing attacks against any account with a weak password. You can rate-limit those attempts with a service such as Fail2Ban, or take the password out of the picture entirely with key-based authentication.

Key-based authentication works with a pair of public and private keys. The public key is stored in ~/.ssh/authorized_keys on the server and the private key stays with the user. During authentication the client offers a public key and, if the server finds it in authorized_keys, signs a message with the private key; the message includes the session identifier derived from the key exchange, so a signature captured in one session cannot be replayed in another. The server ver)ifies the signature with the public key and, if it checks out, grants access to the account. The private key never leaves the client, nothing secret crosses the network, and guessing a key of the sizes ssh-keygen produces is infeasible, which is why this method is considered very secure and why brute-forcing such a server is pointless. The private key must not be shared, because anyone holding it has the same access as its owner.

In this tutorial we will learn how to enable key-based authentication on a Linux server. The process is the same for all major Linux distributions, so this guide applies to all of them. It is important to generate the key pair on the client machine; we will generate a key pair on both Windows and Linux clients, copy the public key to the remote Linux server, make the necessary SSH configuration changes, and finally log in to the remote server using the private key.

Requirements

To follow this tutorial you will need a client machine which should have a Windows or Linux operating system. You will also need a remote Linux server with root or sudo access on it. The server must also have password authentication enabled. If you are logged in as a non root user, you may run sudo -i to switch to root user or you may use sudo command before all the commands.

Generating Key Pairs in Linux

If you are on a Linux client machine you need the OpenSSH client installed; a non-root account on the client is fine for all the commands that follow. Install it with the distribution's package manager.

For CentOS/RHEL and Fedora, the package is openssh-clients (yum or dnf).

For Ubuntu/Debian, the package is openssh-client (apt).

Once OpenSSH client is installed, you can generate the key pairs using the following command.

You will be prompted to enter a passphrase to protect your private key. Set one: anyone who obtains the private key file still cannot use it without the passphrase. You can also leave it blank, in which case the key file is stored unencrypted. You will see output similar to that shown below.

The command saves both files in the .ssh directory under the home directory of the current user. With the default RSA type the private key is saved as id_rsa and the public key as id_rsa.pub (an Ed25519 key gets id_ed25519 and id_ed25519.pub). Now you need to copy the generated public key ~/.ssh/id_rsa.pub to the remote Linux server and append it to ~/.ssh/authorized_keys there. Note the spelling: sshd looks for authorized_keys and silently ignores a file named authorised_keys.

Copying the Public Key to Remote Server

There are a few methods by which you can get the public key into the ~/.ssh/authorized_keys file on the remote server.

Using ssh-copy-id command

This is the easiest method to copy the public key to the remote server and, because of its simplicity, the recommended one when it is available. ssh-copy-id ships with the OpenSSH package in most distributions. Use it as shown below.

In above command replace root with your username, it may be root also. Replace server-IP-addr with the IP address or hostname of your server.

If this is the first connection to that server, the command reports that the authenticity of the host cannot be established and shows the server's host key fingerprint. Compare it with the fingerprint obtained from your provider or the server console (ssh-keygen -lf on the server's /etc/ssh/ssh_host_*_key.pub files) before typing yes, because accepting an unknown key blindly also accepts a man-in-the-middle. It then asks for the remote user's password. ssh-copy-id reads id_rsa.pub, appends it to the remote authorized_keys file and reports how many keys were added. You will see output similar to that shown below.

Copying Your Public Key Using SSH

If the ssh-copy-id command is not available, you can use the normal ssh command to append the public key to the ~/.ssh/authorized_keys file on the server. Run the following command for the same result.

The command uses a pipe: the output of the first command is sent as input to the second. The first command prints the content of ~/.ssh/id_rsa.pub; the second opens an SSH session to your server with the username provided and runs a small shell command there that creates ~/.ssh if it does not already exist and then appends its standard input, which is the public key, to ~/.ssh/authorized_keys. Two things the one-liner does not do: it does not set permissions (make sure ~/.ssh ends up with mode 700 and authorized_keys with mode 600, because sshd refuses group- or world-writable files under its default StrictModes setting), and it does not check whether the key is already there, so running it twice appends the key twice.

After you enter the remote user's password the key is in place; the command itself prints nothing on success, so log in once more to confirm that no password is requested.

Manually Copying the Public Key

If none of the above methods work for you, you can copy the public key manually: the content of ~/.ssh/id_rsa.pub on the client machine goes into ~/.ssh/authorized_keys on the remote machine, on a line of its own, exactly as it appears in the .pub file (one line, no wrapping).

Display the contents of the file id_rsa.pub using the following command.

Now login to your remote Linux machine and create ~/.ssh directory using the following command. If the directory is already created it will not make any changes.

Now use your favorite editor to create or edit ~/.ssh/authorized_keys file. In this tutorial we will be using nano editor. If you don't have nano installed, you can install it using sudo yum -y install nano command for CentOS/RHEL/Fedora. Run sudo apt-get install nano for Ubuntu/Debian based systems.

To edit or create the ~/.ssh/authorized_keys file using nano editor run the following command.

Once the editor is opened, paste the public key into the file and save and close it.

Apart from the methods above you can also use SCP to transfer the public key to the remote server, but copy the .pub file under a temporary name and append it to authorized_keys there, rather than copying it over authorized_keys directly, which would replace every key already authorized for the account.
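What the piped command and the manual copy above actually have to achieve on the server, as an added example in Python (not code from the original article or from OpenSSH): append the key to ~/.ssh/authorized_keys exactly once, leave ~/.ssh at mode 700 and the file at mode 600 whatever the umask, and report the ownership and mode conditions that sshd enforces under its default StrictModes, which are the usual reason a freshly copied key is refused. demo() runs everything in a temporary directory against a constructed key line, so nothing touches a real account.

```python
"""Install a public key the way the piped ssh command does, with the checks it skips.

Added example for this article, not code from the original page or from
OpenSSH. SAMPLE_KEY is constructed (an all-zero Ed25519 value) and is only
syntactically valid. demo() works in a throw-away directory.
"""
import os
import stat
import tempfile

SAMPLE_KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43 + " alice@workstation"


def key_identity(line):
    """(type, base64) of a key line, ignoring options and comment; None if no key is found."""
    tokens = line.split()
    for i in range(len(tokens) - 1):
        if tokens[i].startswith(("ssh-", "ecdsa-", "sk-")):
            return tokens[i], tokens[i + 1]
    return None


def install_authorized_key(home, key_line):
    """Append key_line to home/.ssh/authorized_keys; True if added, False if already present."""
    wanted = key_identity(key_line)
    if wanted is None:
        raise ValueError(f"not a public key line: {key_line!r}")
    ssh_dir = os.path.join(home, ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)                  # the makedirs mode is reduced by umask; be explicit
    content = ""
    if os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            content = fh.read()
    if any(key_identity(l) == wanted for l in content.splitlines() if not l.lstrip().startswith("#")):
        return False
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a", encoding="utf-8") as fh:
        if content and not content.endswith("\n"):
            fh.write("\n")                    # never glue the new key onto a partial last line
        fh.write(key_line.strip() + "\n")
    os.chmod(path, 0o600)
    return True


def strict_modes_problems(home):
    """What sshd's StrictModes check rejects: wrong owner, or group/world-writable path components."""
    problems, me = [], os.getuid()
    for path in (home, os.path.join(home, ".ssh"), os.path.join(home, ".ssh", "authorized_keys")):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{path}: missing")
            continue
        if st.st_uid not in (me, 0):
            problems.append(f"{path}: owned by uid {st.st_uid}, not the user or root")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append(f"{path}: group/world-writable (mode {stat.S_IMODE(st.st_mode):04o})")
    return problems


def demo():
    """Run both functions in a throw-away home directory and return what happened."""
    home = tempfile.mkdtemp(prefix="authkeys-demo-")
    os.chmod(home, 0o755)
    ssh_dir, path = os.path.join(home, ".ssh"), os.path.join(home, ".ssh", "authorized_keys")
    result = {"first_add": install_authorized_key(home, SAMPLE_KEY),
              "second_add": install_authorized_key(home, SAMPLE_KEY + " renamed")}
    with open(path, encoding="utf-8") as fh:
        result["lines"] = len(fh.read().splitlines())
    result["dir_mode"] = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    result["file_mode"] = stat.S_IMODE(os.stat(path).st_mode)
    result["clean"] = strict_modes_problems(home)
    os.chmod(ssh_dir, 0o775)                  # the classic mistake: a group-writable ~/.ssh
    result["after_mistake"] = strict_modes_problems(home)
    return result


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value if not isinstance(value, int) else oct(value)}")
```

The duplicate check matches on the key type and blob, not on the whole line, so re-sending the same key with a different comment does not create a second entry; strict_modes_problems walks the same three paths sshd inspects, which is where to look when the log says "Authentication refused: bad ownership or modes".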

Configuring SSH to use Key Based Authentication

Login to your remote Linux server using password or key. You can simply run the following command to login to the remote SSH server.

You should be logged in without being asked for the account password; if the private key id_rsa has a passphrase you will be asked for that instead. The SSH client tries the key-based mechanism first and, because the key has the default name and location, picks it up automatically.

It is a best practice to update the Linux server before making any changes. To update CentOS/Fedora/RHEL run yum -y update; for Debian/Ubuntu run apt-get update followed by apt-get -y upgrade.


You will still be able to log in to the server with a password. To disable password-based authentication, edit the SSH daemon's configuration file /etc/ssh/sshd_config. Before you do, keep the session you are in open and confirm from a second terminal that key login works; if key login is broken and passwords are disabled, you are locked out. Run the following command to edit the file with the nano editor; you can use any editor you prefer.

Scroll down to find the PasswordAuthentication line. Change its value from yes to no, removing the leading # if the line is commented out, then save the file and exit the editor. sshd uses the first value it reads for each keyword, so also check that no earlier line, no file pulled in by an Include directive (several distributions include /etc/ssh/sshd_config.d/*.conf at the top of the file) and no Match block sets PasswordAuthentication yes, and make sure PubkeyAuthentication is not set to no. Setting KbdInteractiveAuthentication no as well (ChallengeResponseAuthentication in older releases) closes the keyboard-interactive path through which PAM can otherwise still prompt for a password.

You will need to restart the SSH server for the change to take effect. First run sshd -t, which checks the configuration for errors without restarting anything; then restart the service, which is named sshd on CentOS/RHEL/Fedora and ssh on Debian or Ubuntu.

For CentOS/RHEL/Fedora

For Debian or Ubuntu

Your server now accepts logins with the private key only; a password is no longer accepted over SSH.

It is recommended to restrict the permissions of the ~/.ssh directory on the client computer so that nobody else can read the private key: the directory should have mode 700 and the private key file mode 600. ssh-keygen sets these when it creates the files; run the following command to correct the directory permissions if they have been changed.

ssh-keygen asks before overwriting an existing ~/.ssh/id_rsa, but an accidental yes destroys the key, so keep a backup of the private key (on encrypted media, since it is the secret) or, better, give each key its own file name with ssh-keygen -f and never reuse the default name. You can make the backup with the following command.

In the above command you can change the directory and file name according to your choice.

You can log in to your SSH server with a key stored under a different name by passing its path to ssh with the -i option, as in the following command.

In the above command, replace the path of the key with the path and file name you chose; an IdentityFile entry for the host in ~/.ssh/config saves typing it every time.

Ssh Public Key File Location

Using a Windows Client Machine

If you are a Windows user and want to enable key-based authentication, follow this guide. Most Windows users use the PuTTY client to log in to remote servers. PuTTY supports both password- and key-based authentication.

Generating a Key Pair in Windows Client

To generate a key pair on a Windows client you have many options. In this tutorial we use PuTTYgen, the open-source GUI key generator that ships with PuTTY. It can generate RSA, DSA, ECDSA and Ed25519 keys; choose Ed25519 (or RSA of at least 3072 bits) and avoid DSA, which OpenSSH servers have refused by default since version 7.0. You can download PuTTYgen from the PuTTY site.

Once you open PuTTYgen, you will see the following interface.


Click on Generate button to start generating a new key pair. After clicking Generate button, you will need to move your mouse cursor over the blank area to generate some randomness in the key.


After a key is generated you will see the following interface, with the public key displayed in the box labelled "Public key for pasting into OpenSSH authorized_keys file". That box holds the one-line format sshd expects, and its content is what you should paste into authorized_keys. The Save public key button instead writes the key in the RFC 4716 format (a block starting with "---- BEGIN SSH2 PUBLIC KEY ----"), which sshd does not accept in authorized_keys; if you save it that way, convert it on the server with ssh-keygen -i -m RFC4716 -f and the file name. Provide a file name for the public key and save it; an extension is not necessary, but you can use .txt.


To save the private key click on Save private key button. You can specify a passphrase for private key on Key passphrase field. If you choose not to provide a passphrase, then it will warn you while saying that are you sure to save the key without a passphrase, choose yes to proceed further. Now provide a filename for your private key and save it with .ppk extension as PuTTY uses .ppk extension with private key. Once both the keys are saved, you can exit PuTTYgen.

Copying the Public Key to Remote Server

To copy the public key into the remote server, you can simply manually copy the key to remote server or, you can also use WinSCP to transfer the public key to remote server.

Using WinSCP to Copy the Public Key

WinSCP is an open source secure file transfer client for windows which supports SFTP, SCP and FTP. You can download WinSCP from here, it comes in both installer and portable package.

Once you download WinSCP, open it and you will see a prompt for the host name and login credentials. SCP and SFTP both run on port 22, so you can choose either protocol. Provide the host name, user name and password of the remote server and click Login. On the first connection WinSCP shows the server's host key fingerprint and asks whether to trust it; compare it with the fingerprint from your provider before accepting.


Once you are successfully logged in you will be taken to the home directory of the user, if you are logged in as root, then you will be taken to /root.


Now create a new directory in the same directory by clicking the small new directory icon available on the control bar.


Provide the name .ssh and save it. If you already have a .ssh folder, there is no need to create it again. Double-click the .ssh directory to enter it, then drag and drop the public key file (never the .ppk private key) into it and rename it to authorized_keys if no such file exists yet; if one exists, append the new line to it instead of replacing it. Remember that a file written by PuTTYgen's Save public key button is in RFC 4716 format and must be converted to the one-line OpenSSH format before sshd will read it; the manual method below, which pastes the text from PuTTYgen's window, avoids the conversion.
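The conversion from PuTTYgen's saved file to the line sshd reads, as an added example in Python (not code from the original article, from PuTTY or from OpenSSH). ssh-keygen -i -m RFC4716 -f does the same job on the server; the function shows what that involves: strip the BEGIN and END markers, collect the headers (a backslash at the end of a header line continues it on the next line), join the wrapped base64 body, and take the key type from the first field of the decoded blob, because the RFC 4716 file does not state it anywhere else. The sample files are constructed around an all-zero Ed25519 public value, so they parse but are not usable keys.

```python
"""Convert a PuTTYgen 'Save public key' file into an OpenSSH authorized_keys line.

Added example for this article, not code from the original page, PuTTY or
OpenSSH. PuTTYgen saves public keys in the RFC 4716 format, which sshd does
not read from authorized_keys. The samples are constructed (all-zero key).
"""
import base64
import struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"
# Constructed: the base64 blob of an ssh-ed25519 key whose 32-byte public value is all zeros.
ZERO_KEY_B64 = base64.b64encode(
    struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)).decode("ascii")

SAMPLE_RFC4716 = "\n".join([BEGIN, 'Comment: "eddsa-key-20220129"', ZERO_KEY_B64, END, ""])
# Same key with the body wrapped and the header continued over two lines, as RFC 4716 allows.
SAMPLE_RFC4716_WRAPPED = "\n".join([BEGIN, 'Comment: "eddsa-key-\\', '20220129"',
                                   ZERO_KEY_B64[:40], ZERO_KEY_B64[40:], END, ""])


def blob_key_type(blob):
    """The key type sshd expects as the first token is also the blob's first wire-format field."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (length,) = struct.unpack(">I", blob[:4])
    if 4 + length > len(blob):
        raise ValueError("truncated key type field")
    return blob[4:4 + length].decode("ascii")


def rfc4716_to_openssh(text):
    """Parse the RFC 4716 block; return '<type> <base64> <comment>' as authorized_keys wants it."""
    lines = [l.rstrip("\r") for l in text.splitlines()]
    if not lines or lines[0].strip() != BEGIN:
        raise ValueError("missing BEGIN marker")
    try:
        end = lines.index(END)
    except ValueError:
        raise ValueError("missing END marker") from None
    headers, body, i = {}, [], 1
    while i < end:
        line = lines[i]
        if not body and ":" in line:                       # header line; base64 never contains ':'
            name, value = line.split(":", 1)
            value = value.strip()
            while value.endswith("\\") and i + 1 < end:    # trailing backslash continues the header
                i += 1
                value = value[:-1] + lines[i].strip()
            headers[name.strip().lower()] = value
        else:
            body.append(line.strip())
        i += 1
    encoded = "".join(body)
    blob = base64.b64decode(encoded, validate=True)
    comment = headers.get("comment", "").strip('"')
    return " ".join(part for part in (blob_key_type(blob), encoded, comment) if part)


if __name__ == "__main__":
    print(rfc4716_to_openssh(SAMPLE_RFC4716))
```

The output line is what goes into ~/.ssh/authorized_keys; the symptom of pasting the RFC 4716 block instead is a silent "Server refused our key" in PuTTY with nothing useful in the client, and a parse error for that line in the sshd log on the server.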


Manually Copying the Public Key

Simply open the public key file in Notepad, or copy the whole content of the "Public key for pasting into OpenSSH authorized_keys file" box in PuTTYgen, which is already in the right format. Now log in to your remote Linux machine via PuTTY using the username and password. It is a best practice to update the Linux server before making any changes. To update CentOS/Fedora/RHEL run yum -y update; for Debian/Ubuntu run apt-get update followed by apt-get -y upgrade.

Now create ~/.ssh directory using the following command. If the directory is already created it will not make any changes.


Now use your favorite editor to create or edit ~/.ssh/authorized_keys file. To edit or create the ~/.ssh/authorized_keys file using nano editor run the following command.

Once the editor is opened, paste the public key into the file by a single right click and save and close it.

Now as we have our public key into the place we can now configure SSH to disable password authentication.

Configuring SSH to Use Key Based Authentication

Log in to your remote Linux server through PuTTY with the password. Once you are logged in you can disable password-based authentication by editing the SSH daemon's configuration file /etc/ssh/sshd_config. Keep this session open and test key login from a second PuTTY window before you restart sshd; otherwise a mistake locks you out. Run the following command to edit the file with the nano editor; you can use any editor you prefer.

Scroll down to find the PasswordAuthentication line. Change its value from yes to no, removing the leading # if the line is commented out, then save the file and exit the editor. Because sshd keeps the first value it reads for a keyword, check that no earlier line, included file or Match block sets PasswordAuthentication yes.

You will need to restart the SSH server for the change to take effect. Run sshd -t first to check the configuration for errors, then restart the service, which is named sshd on CentOS/RHEL/Fedora and ssh on Debian or Ubuntu.

For CentOS/RHEL/Fedora

For Debian or Ubuntu

You can also verify that the public key was copied to the server by displaying ~/.ssh/authorized_keys with the following command.

It should display you the public key that you have copied. You can now exit from PuTTY.
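The sshd_config edit described here and in the earlier Linux-client section, checked the way sshd will read it, as an added example in Python (not code from the original article or from OpenSSH). sshd keeps the first value it reads for each keyword, reads Include files at the point where the Include line stands, and applies a Match block's settings only to matching connections, so a PasswordAuthentication no added near the bottom of the file changes nothing when an included file or an earlier line already said yes. The file contents below are constructed to show exactly that; the POLICY table is this example's expectation, not an OpenSSH default, while the DEFAULTS table lists the values sshd uses when a keyword is never set.

```python
"""Check what sshd will actually use before restarting it.

Added example for this article, not code from the original page or from
OpenSSH. First value wins per keyword, Include is expanded in place, Match
blocks are conditional. BEFORE and AFTER are constructed configurations.
"""
import fnmatch
import re

POLICY = {                      # keyword -> acceptable values (lower-case); this example's policy
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password", "without-password"},
}
DEFAULTS = {                    # OpenSSH's defaults when the keyword is never set
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}
DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")   # 'Keyword value' or 'Keyword=value'


def iter_directives(files, path):
    """Yield (keyword, value) in the order sshd reads them, expanding Include lines."""
    for raw in files[path].splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = DIRECTIVE.match(line)
        if not match:
            continue
        keyword = ALIASES.get(match.group(1).lower(), match.group(1).lower())
        value = match.group(2).strip().strip('"')
        if keyword == "include":
            # sshd globs the pattern and reads the matching files in sorted order
            for included in sorted(p for p in files if fnmatch.fnmatch(p, value) and p != path):
                yield from iter_directives(files, included)
        else:
            yield keyword, value


def effective_settings(files, main="/etc/ssh/sshd_config"):
    """Return (global_settings, [(match_criteria, settings)]); the first value wins in each scope."""
    global_settings, match_blocks, current = {}, [], None
    for keyword, value in iter_directives(files, main):
        if keyword == "match":
            current = {}
            match_blocks.append((value, current))
        elif current is None:
            global_settings.setdefault(keyword, value)
        else:
            current.setdefault(keyword, value)
    return global_settings, match_blocks


def check(files, main="/etc/ssh/sshd_config"):
    """List POLICY violations, including ones that only apply inside Match blocks."""
    findings = []
    global_settings, match_blocks = effective_settings(files, main)
    for keyword, allowed in POLICY.items():
        value = global_settings.get(keyword, DEFAULTS[keyword])
        if value.lower() not in allowed:
            findings.append(f"{keyword} is effectively '{value}', want one of {sorted(allowed)}")
    for criteria, settings in match_blocks:
        for keyword, allowed in POLICY.items():
            if keyword in settings and settings[keyword].lower() not in allowed:
                findings.append(f"Match {criteria}: {keyword} '{settings[keyword]}' overrides policy")
    return findings


# Constructed: the tutorial's edit was made at the bottom, yet password login still works.
BEFORE = {
    "/etc/ssh/sshd_config": "\n".join([
        "Include /etc/ssh/sshd_config.d/*.conf",
        "#PermitRootLogin prohibit-password",
        "PubkeyAuthentication yes",
        "ChallengeResponseAuthentication no",
        "PasswordAuthentication no",
        "Match User deploy",
        "    PasswordAuthentication yes",
    ]),
    "/etc/ssh/sshd_config.d/50-provisioning.conf": "PasswordAuthentication yes\n",
}
# Constructed: the same host after fixing the included file and dropping the Match block.
AFTER = {
    "/etc/ssh/sshd_config": "\n".join([
        "Include /etc/ssh/sshd_config.d/*.conf",
        "PubkeyAuthentication yes",
        "KbdInteractiveAuthentication no",
        "PasswordAuthentication no",
    ]),
    "/etc/ssh/sshd_config.d/50-provisioning.conf": "# password login removed after key rollout\n",
}

if __name__ == "__main__":
    print(check(BEFORE) or "BEFORE: ok")
    print(check(AFTER) or "AFTER: ok")
```

On a real host, sshd -T prints the configuration the daemon will use (add -C user=deploy,addr=... to see it for a specific Match), which is the authoritative check; the function above reproduces the first-value-wins rule so that the reason for a surprising value is visible.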

Logging into Remote Server using Private Key

To login using the Private key through putty, open PuTTY client and provide the hostname or server IP address. Select SSH for connection type.


Now go to Connection >> SSH >> Auth in the left pane (Auth >> Credentials in PuTTY 0.78 and later) and, under Private key file for authentication, browse to the .ppk private key you saved.


Click Open. PuTTY asks for the user name (unless you set it under Connection >> Data) and for the key's passphrase if it has one, then logs you in without a password. If the server answers "Server refused our key" instead, the public key on the server is not in the one-line OpenSSH format, is not in ~/.ssh/authorized_keys for that user, or the file and directory permissions are wrong.


Conclusion

In this tutorial we have covered key-based authentication: generating a key pair on Linux and Windows clients, installing the public key on the server, and configuring sshd to accept keys only. You can now use key-based authentication to harden the security of your server.
