Generate Ssh Rsa Key Unix

| 08-05-2021
[RAND-1-100] Comments

Updated by LinodeWritten by Linode

Try this guide out by signing up for a Linode account with a $20 credit.
Contribute on GitHub
  1. Private and public RSA keys can be generated on Unix based systems (such as Linux and FreeBSD) to provide greater security when logging into a server using SSH. The ssh-keygen command allows you to generate, manage and convert these authentication keys.
  2. Special Forums UNIX and Linux Applications SSH: Avoiding password prompt with. For this I need to generate the RSA key pair. But I want to do this procedure on.

Report an Issue |View File |Edit File

Unix

Password authentication is the default method most SSH (Secure Shell) clients use to authenticate with remote servers, but it suffers from potential security vulnerabilities, like brute-force login attempts. An alternative to password authentication is public key authentication, in which you generate and store on your computer a pair of cryptographic keys and then configure your server to recognize and accept your keys. Using key-based authentication offers a range of benefits:

Creating an SSH key on Linux & macOS 1. Check for existing SSH keys. You should check for existing SSH keys on your local computer. You can use an existing SSH key with Bitbucket Server if you want, in which case you can go straight to either SSH user keys for personal use or SSH access keys for system use. Open a terminal and run the following. May 17, 2019  The command generates an SSH key pair consisting of a public key and a private key, and saves them in the specified path. The file name of the public key is created automatically by appending.pub to the name of the private key file. For example, if the file name of the SSH private key is idrsa, then the file name of the public key would be pub. Jun 22, 2012  You can generate the SSH Key in a convenient location, such as the computer, and then upload the public key to the SSH key section. Then, when you create a new Droplet, you can choose to include that public key on the server. No root password will be emailed to you and you can log in to your new server from your chosen client.

  • Key-based login is not a major target for brute-force hacking attacks.

  • If a server that uses SSH keys is compromised by a hacker, no authorization credentials are at risk of being exposed.

  • Because a password isn’t required at login, you are able to able to log in to servers from within scripts or automation tools that you need to run unattended. For example, you can set up periodic updates for your servers with a configuration management tool like Ansible, and you can run those updates without having to be physically present.

This guide will explain how the SSH key login scheme works, how to generate an SSH key, and how to use those keys with your Linode.

Note
If you’re unfamiliar with SSH connections, review the Getting Started with Linode guide.

How SSH Keys Work

SSH keys are generated in pairs and stored in plain-text files. The key pair (or keypair) consists of two parts:

  • A private key, usually named id_rsa. The private key is stored on your local computer and should be kept secure, with permissions set so that no other users on your computer can read the file.

    Caution

  • A public key, usually named id_rsa.pub. The public key is placed on the server you intend to log in to. You can freely share your public key with others. If someone else adds your public key to their server, you will be able to log in to that server.

When a site or service asks for your SSH key, they are referring to your SSH public key (id_rsa.pub). For instance, services like GitHub and Gitlab allow you to place your SSH public key on their servers to streamline the process of pushing code changes to remote repositories.

The authorized_keys File

In order for your Linode to recognize and accept your key pair, you will need to upload your public key to your server. More specifically, you will need to upload your public key to the home directory of the user you would like to log in as. If you would like to log in to more than one user on the server using your key pair, you will need to add your public key to each of those users.

To set up SSH key authentication for one of your server’s users, add your public key to a new line inside the user’s authorized_keys file. This file is stored inside a directory named .ssh/ under the user’s home folder. A user’s authorized_keys file can store more than one public key, and each public key is listed on its own line. If your file contains more than one public key, then the owner of each key listed will be able to log in as that user.

Granting Someone Else Access to your Server

To give someone else access to your server’s user, simply add their public key on a new line in your authorized_keys file, just as you would add your own. To revoke access for that person, remove that same line and save the changes.

Challenge-Response

When logging in to a server using SSH, if there is a public key on file on that server, the server will create a challenge. This challenge will be crafted in such a way that only the holder of the private SSH key will be able to decipher it.

This challenge-response action happens without any user interaction. If the person attempting to log in has the corresponding private key, then they will be safely logged in. If not, the login will either fail or fall back to a password-based authentication scheme.

SSH Key Passphrases

You can optionally provide an additional level of security for your SSH keys by encrypting them with a passphrase at the time of creation. When you attempt to log in using an encrypted SSH key, you will be prompted to enter its passphrase. This is not to be confused with a password, as this passphrase only decrypts the key file locally and is not transferred over the Internet as a password might be.

If you’d like to set up your logins so that they require no user input, then creating a passphrase might not be desirable, but it is strongly recommended nevertheless.

Linux and macOS

Generate Ssh Rsa Key Unix Download

Generate a Key Pair

Perform the steps in this section on your local machine.

  1. Create a new key pair.

    Caution

    This command will overwrite an existing RSA key pair, potentially locking you out of other systems.

    If you’ve already created a key pair, skip this step. To check for existing keys, run ls ~/.ssh/id_rsa*.

    If you accidentally lock yourself out of the SSH service on your Linode, you can still use the Lish console to login to your server. After you’ve logged in via Lish, update your authorized_keys file to use your new public key. This should re-establish normal SSH access.

    The -b flag instructs ssh-keygen to increase the number of bits used to generate the key pair, and is suggested for additional security.

  2. Press Enter to use the default names id_rsa and id_rsa.pub in the /home/your_username/.ssh directory before entering your passphrase.

  3. While creating the key pair, you will be given the option to encrypt the private key with a passphrase. This means that the key pair cannot be used without entering the passphrase (unless you save that passphrase to your local machine’s keychain manager). We suggest that you use the key pair with a passphrase, but you can leave this field blank if you don’t want to use one.

Upload your Public Key

There are a few different ways to upload your public key to your Linode from Linux and macOS client systems:

Using ssh-copy-id

ssh-copy-id is a utility available on some operating systems that can copy a SSH public key to a remote server over SSH.

  1. To use ssh-copy-id, pass your username and the IP address of the server you would like to access:

  2. You’ll see output like the following, and a prompt to enter your user’s password:

  3. Verify that you can log in to the server with your key.

Using Secure Copy (scp)

Secure Copy (scp) is a tool that copies files from a local computer to a remote server over SSH:

Caution
These instructions will overwrite any existing contents of the authorized_keys file on your server. If you have already set up other public keys on your server, use the ssh-copy-id command or enter your key manually.

  1. Connect to your server via SSH with the user you would like to add your key to:

  2. Create the ~/.ssh directory and authorized_keys file if they don’t already exist:

  3. Give the ~/.ssh directory and authorized_keys files appropriate file permissions:

  4. In another terminal on your local machine, use scp to copy the contents of your SSH public key (id_rsa.pub) into the authorized_keys file on your server. Substitute in your own username and your server’s IP address:

  5. Verify that you can log in to the server with your key.

Manually Copy an SSH Key

You can also manually add an SSH key to a server:

  1. Begin by copying the contents of your public SSH key on your local computer. You can use the following command to output the contents of the file:

    You should see output similar to the following:

    Note that the public key begins with ssh-rsa and ends with [email protected].

  2. Once you have copied that text, connect to your server via SSH with the user you would like to add your key to:

  3. Create the ~/.ssh directory and authorized_keys file if they don’t already exist:

  4. Give the ~/.ssh directory and authorized_keys files appropriate file permissions:

  5. Open the authorized_keys file with the text editor of your choice (nano, for example). Then, paste the contents of your public key that you copied in step one on a new line at the end of the file.

  6. Save and close the file.

    Note

    If you initially logged into the server as root but edited the authorized_keys file of another user, then the .ssh/ folder and authorized_keys file of that user may be owned by root. Set that other user as the files’ owner:

  7. Verify that you can log in to the server with your key.

Connect to the Remote Server

  1. SSH into the server from your local machine:

  2. If you chose to use a passphrase when creating your SSH key, you will be prompted to enter it when you attempt to log in. Depending on your desktop environment, a window may appear:

    Caution
    Do not allow the local machine to remember the passphrase in its keychain unless you are on a private computer which you trust.

    You may also see the passphrase prompt at your command line:

  3. Enter your password. You should see the connection establish in the local terminal.

Windows

The following instructions use the PuTTY software to connect over SSH, but other options are available on Windows too.

Generate a Key Pair with PuTTY

  1. Download PuTTYgen (puttygen.exe) and PuTTY (putty.exe) from the official site.

  2. Launch puttygen.exe. The RSA key type at the bottom of the window is selected by default for an RSA key pair but ED25519 (EdDSA using Curve25519) is a comparable option if your remote machine’s SSH server supports DSA signatures. Do not use the SSH-1(RSA) key type unless you know what you’re doing.

  3. Increase the RSA key size from 2048 bits 4096 and click Generate:

  4. PuTTY uses the random input from your mouse to generate a unique key. Once key generation begins, keep moving your mouse until the progress bar is filled:

  5. When finished, PuTTY will display the new public key. Right-click on it and select Select All, then copy the public key into a Notepad file.

  6. Save the public key as a .txt file or some other plaintext format. This is important–a rich text format such as .rtf or .doc can add extra formatting characters and then your private key won’t work:

  7. Enter a passphrase for the private key in the Key passphrase and Confirm passphrase text fields. Important: Make a note of your passphrase, you’ll need it later:

  8. Click Save private key. Choose a file name and location in Explorer while keeping the ppk file extension. If you plan to create multiple key pairs for different servers, be sure to give them different names so that you don’t overwrite old keys with new:

Manually Copy the SSH Key with PuTTY

  1. Launch putty.exe. Find the Connection tree in the Category window, expand SSH and select Auth. Click Browse and navigate to the private key you created above:

  2. Scroll back to the top of the Category window and click Session. Enter the hostname or IP address of your Linode. PuTTY’s default TCP port is 22, the IANA assigned port for for SSH traffic. Change it if your server is listening on a different port. Name the session in the Saved Sessions text bar and click Save:

  3. Click the Open button to establish a connection. You will be prompted to enter a login name and password for the remote server.

  4. Once you’re logged in to the remote server, configure it to authenticate with your SSH key pair instead of a user’s password. Create an .ssh directory in your home directory on your Linode, create a blank authorized_keys file inside, and set their access permissions:

  5. Open the authorized_keys file with the text editor of your choice (nano, for example). Then, paste the contents of your public key that you copied in step one on a new line at the end of the file.

  6. Save, close the file, and exit PuTTY.

  7. Verify that you can log in to the server with your key.

Using WinSCP

Uploading a public key from Windows can also be done using WinSCP:

Caution
These instructions will overwrite any existing contents of the authorized_keys file on your server. If you have already set up other public keys on your server, use the PuTTY instructions instead.

  1. In the login window, enter your Linode’s public IP address as the hostname, the user you would like to add your key to, and your user’s password. Click Login to connect.

  2. Once connected, WinSCP will show two file tree sections. The left shows files on your local computer and the right shows files on your Linode. Using the file explorer on the left, navigate to the file where you saved your public key in Windows. Select the public key file and click Upload in the toolbar above.

  3. You’ll be prompted to enter a path on your Linode where you want to upload the file. Upload the file to /home/your_username/.ssh/authorized_keys.

  4. Verify that you can log in to the server with your key.

Connect to the Remote Server with PuTTY

Start PuTTY and Load your saved session. You’ll be prompted to enter your server user’s login name as before. However, this time you will be prompted for your private SSH key’s passphrase rather than the password for your server’s user. Enter the passphrase and press Enter.

Troubleshooting

If your SSH connections are not working as expected, or if you have locked yourself out of your system, review the Troubleshooting SSH guide for troubleshooting help.

Upload your SSH Key to the Cloud Manager

It is possible to provision each new Linode you create with an SSH public key automatically through the Cloud Manager.

  1. Log in to the Cloud Manager.

  2. Click on your username at the top right hand side of the page. Then click on My Profile in the dropdown menu that appears:

    Note
    If you are viewing the Cloud Manager in a smaller browser window or on a smaller device, then the My Profile link will appear in the sidebar links. To view the sidebar links, click on the disclosure button to the left of the blue Create button at the top of the page.

  3. From the My Profile page, select the SSH Keys tab, and then click Add a SSH Key:

  4. Create a label for your key, then paste in the contents of your public SSH key (id_rsa.pub):

  5. Click Add Key.

  6. When you next create a Linode you’ll be given the opportunity to include your SSH key in the Linode’s creation. This key will be added to the root user of the new Linode.

    In the Create Linode form, select the SSH key you’d like to include. This field will appear below the Root Password field:

Next Steps

After you set up your SSH keys and confirm they are working as expected, review the How to Secure Your Server guide for instructions on disabling password authentication for your server.

Join our Community

Generate an ssh key
Please enable JavaScript to view the comments powered by Disqus.comments powered by Disqus

This guide is published under a CC BY-ND 4.0 license.

-->

With a secure shell (SSH) key pair, you can create a Linux virtual machine on Azure that defaults to using SSH keys for authentication, eliminating the need for passwords to sign in. VMs created with the Azure portal, Azure CLI, Resource Manager templates, or other tools can include your SSH public key as part of the deployment, which sets up SSH key authentication for SSH connections.

This article provides detailed background and steps to create and manage an SSH RSA public-private key file pair for SSH client connections. If you want quick commands, see How to create an SSH public-private key pair for Linux VMs in Azure.

For additional ways to generate and use SSH keys on a Windows computer, see How to use SSH keys with Windows on Azure.

Overview of SSH and keys

SSH is an encrypted connection protocol that allows secure sign-ins over unsecured connections. SSH is the default connection protocol for Linux VMs hosted in Azure. Although SSH itself provides an encrypted connection, using passwords with SSH connections still leaves the VM vulnerable to brute-force attacks or guessing of passwords. A more secure and preferred method of connecting to a VM using SSH is by using a public-private key pair, also known as SSH keys.

  • The public key is placed on your Linux VM, or any other service that you wish to use with public-key cryptography.

  • The private key remains on your local system. Protect this private key. Do not share it.

When you use an SSH client to connect to your Linux VM (which has the public key), the remote VM tests the client to make sure it possesses the private key. If the client has the private key, it's granted access to the VM.

Depending on your organization's security policies, you can reuse a single public-private key pair to access multiple Azure VMs and services. You do not need a separate pair of keys for each VM or service you wish to access.

Your public key can be shared with anyone, but only you (or your local security infrastructure) should possess your private key.

Private key passphrase

The SSH private key should have a very secure passphrase to safeguard it. This passphrase is just to access the private SSH key file and is not the user account password. When you add a passphrase to your SSH key, it encrypts the private key using 128-bit AES, so that the private key is useless without the passphrase to decrypt it. If an attacker stole your private key and that key did not have a passphrase, they would be able to use that private key to sign in to any servers that have the corresponding public key. If a private key is protected by a passphrase, it cannot be used by that attacker, providing an additional layer of security for your infrastructure on Azure.

Supported SSH key formats

Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported.

SSH keys use and benefits

When you create an Azure VM by specifying the public key, Azure copies the public key (in the .pub format) to the ~/.ssh/authorized_keys folder on the VM. SSH keys in ~/.ssh/authorized_keys are used to challenge the client to match the corresponding private key on an SSH connection. In an Azure Linux VM that uses SSH keys for authentication, Azure configures the SSHD server to not allow password sign-in, only SSH keys. Therefore, by creating an Azure Linux VM with SSH keys, you can help secure the VM deployment and save yourself the typical post-deployment configuration step of disabling passwords in the sshd_config file.

If you do not wish to use SSH keys, you can set up your Linux VM to use password authentication. If your VM is not exposed to the Internet, using passwords may be sufficient. However, you still need to manage your passwords for each Linux VM and maintain healthy password policies and practices, such as minimum password length and regular updates. Using SSH keys reduces the complexity of managing individual credentials across multiple VMs.

Generate keys with ssh-keygen

To create the keys, a preferred command is ssh-keygen, which is available with OpenSSH utilities in the Azure Cloud Shell, a macOS or Linux host, the Windows Subsystem for Linux, and other tools. ssh-keygen asks a series of questions and then writes a private key and a matching public key.

SSH keys are by default kept in the ~/.ssh directory. If you do not have a ~/.ssh directory, the ssh-keygen command creates it for you with the correct permissions.

Basic example

The following ssh-keygen command generates 2048-bit SSH RSA public and private key files by default in the ~/.ssh directory. If an SSH key pair exists in the current location, those files are overwritten.

Detailed example

The following example shows additional command options to create an SSH RSA key pair. If an SSH key pair exists in the current location, those files are overwritten.

Command explained

ssh-keygen = the program used to create the keys

Generate Ssh Public Key Unix

-m PEM = format the key as PEM

-t rsa = type of key to create, in this case in the RSA format

-b 4096 = the number of bits in the key, in this case 4096

-C 'azureuser@myserver' = a comment appended to the end of the public key file to easily identify it. Normally an email address is used as the comment, but use whatever works best for your infrastructure.

-f ~/.ssh/mykeys/myprivatekey = the filename of the private key file, if you choose not to use the default name. A corresponding public key file appended with .pub is generated in the same directory. The directory must exist.

-N mypassphrase = an additional passphrase used to access the private key file.

Example of ssh-keygen

Saved key files

Enter file in which to save the key (/home/azureuser/.ssh/id_rsa): ~/.ssh/id_rsa

Generate Ssh Rsa Key Unix File

The key pair name for this article. Having a key pair named id_rsa is the default; some tools might expect the id_rsa private key file name, so having one is a good idea. The directory ~/.ssh/ is the default location for SSH key pairs and the SSH config file. If not specified with a full path, ssh-keygen creates the keys in the current working directory, not the default ~/.ssh.

List of the ~/.ssh directory

Key passphrase

Enter passphrase (empty for no passphrase):

It is strongly recommended to add a passphrase to your private key. Without a passphrase to protect the key file, anyone with the file can use it to sign in to any server that has the corresponding public key. Adding a passphrase offers more protection in case someone is able to gain access to your private key file, giving you time to change the keys.

Generate keys automatically during deployment

If you use the Azure CLI to create your VM, you can optionally generate SSH public and private key files by running the az vm create command with the --generate-ssh-keys option. The keys are stored in the ~/.ssh directory. Note that this command option does not overwrite keys if they already exist in that location.

Provide SSH public key when deploying a VM

Linux

To create a Linux VM that uses SSH keys for authentication, provide your SSH public key when creating the VM using the Azure portal, CLI, Resource Manager templates, or other methods. When using the portal, you enter the public key itself. If you use the Azure CLI to create your VM with an existing public key, specify the value or location of this public key by running the az vm create command with the --ssh-key-value option.

If you're not familiar with the format of an SSH public key, you can see your public key by running cat as follows, replacing ~/.ssh/id_rsa.pub with your own public key file location:

Output is similar to the following (here redacted):

If you copy and paste the contents of the public key file into the Azure portal or a Resource Manager template, make sure you don't copy any additional whitespace or introduce additional line breaks. For example, if you use macOS, you can pipe the public key file (by default, ~/.ssh/id_rsa.pub) to pbcopy to copy the contents (there are other Linux programs that do the same thing, such as xclip).

If you prefer to use a public key that is in a multiline format, you can generate an RFC4716 formatted key in a pem container from the public key you previously created.

To create a RFC4716 formatted key from an existing SSH public key:

SSH to your VM with an SSH client

Generate An Ssh Key

With the public key deployed on your Azure VM, and the private key on your local system, SSH to your VM using the IP address or DNS name of your VM. Replace azureuser and myvm.westus.cloudapp.azure.com in the following command with the administrator user name and the fully qualified domain name (or IP address):

If you provided a passphrase when you created your key pair, enter the passphrase when prompted during the sign-in process. (The server is added to your ~/.ssh/known_hosts folder, and you won't be asked to connect again until the public key on your Azure VM changes or the server name is removed from ~/.ssh/known_hosts.)

If the VM is using the just-in-time access policy, you need to request access before you can connect to the VM. For more information about the just-in-time policy, see Manage virtual machine access using the just in time policy.

Use ssh-agent to store your private key passphrase

To avoid typing your private key file passphrase with every SSH sign-in, you can use ssh-agent to cache your private key file passphrase. If you are using a Mac, the macOS Keychain securely stores the private key passphrase when you invoke ssh-agent.

Verify and use ssh-agent and ssh-add to inform the SSH system about the key files so that you do not need to use the passphrase interactively.

Now add the private key to ssh-agent using the command ssh-add.

The private key passphrase is now stored in ssh-agent.

Use ssh-copy-id to copy the key to an existing VM

If you have already created a VM, you can install the new SSH public key to your Linux VM with a command similar to the following:

Create and configure an SSH config file

You can create and configure an SSH config file (~/.ssh/config) to speed up log-ins and to optimize your SSH client behavior.

The following example shows a simple configuration that you can use to quickly sign in as a user to a specific VM using the default SSH private key.

Create the file

Edit the file to add the new SSH configuration

Example configuration

Add configuration settings appropriate for your host VM.

You can add configurations for additional hosts to enable each to use its own dedicated key pair. See SSH config file for more advanced configuration options.

Now that you have an SSH key pair and a configured SSH config file, you are able to sign in to your Linux VM quickly and securely. When you run the following command, SSH locates and loads any settings from the Host myvm block in the SSH config file.

The first time you sign in to a server using an SSH key, the command prompts you for the passphrase for that key file.

Next steps

Create Rsa Ssh Key

Next up is to create Azure Linux VMs using the new SSH public key. Azure VMs that are created with an SSH public key as the sign-in are better secured than VMs created with the default sign-in method, passwords.