SSH (Secure Shell) is supposed to establish a hack-free connection. SSH provides two types of authentication systems, i.e., one is the normal user’s password, and the other is the Key Pair authentication. The normal user’s password is easy to crack which makes the connection less secure. However, the connection established through the Key Pairs (Private and Public) is more secure as the keypair authentication uses one key (Public) for encryption and the other (Private) for decryption.

Keeping the importance of these keys in view, this post will address the method to generate SSH keys on Ubuntu 22.04 and how you can connect to the remote machine using the key pairs.

• SSH Keys | What are Public and Private Keys?
• How Does the Key Authentication Work in SSH?
• How to Generate SSH Key on Ubuntu 22.04?
• How to Establish an SSH Connection Using SSH Keys?
• Bottom Line

What are SSH’s Public and Private Keys?

SSH protocol offers a set of keys to authenticate a connection and keep the activities secure. These keys are referred to as “Authentication Keys” and are of two types, i.e., Public and Private:

• Public Key: Used for Encryption. The server uses the public key of the client to encrypt the message for that specific client.
• Private Key: Use for Decryption. The client uses it for the decryption of the server’s messages.

Note: As the Public and Private keys are used for authentication, this type of encryption is called asymmetrical encryption.

How Does the Key Pairs Authentication Work in SSH?

The private key is stored at the client’s PC and the public key is at the server’s end. The server uses the public key of the client to encrypt a message. That message is decrypted by the client using its private key.

This mechanism of authentication overall enhances the security of the SSH connection and makes the data transmission least exposed to hackers/brokers.

How to Generate SSH Keys on Ubuntu 22.04?

SSH key generation is an easy-to-do task with the ssh-keygen command. You just have to follow the syntax to generate the SSH key pair.

Syntax:

ssh-keygen -t <Algorithm> -b <Encryption-Bits>

ECDSA256256, 384, 521Ed25519256Only 256

Note: The above algorithms are known by various names: asymmetric algorithms, public-key algorithms, or asymmetric cryptographic algorithms.

Where are the SSH Keys Stored?

The keys generated using any of the above algorithms are named separately and raise no naming conflict. Thus, you can keep the path, as suggested/recommended by the system. The default path of Public and Private key(s) file are:

Algorithm	Default Public Key Path	Default Private Key Path
RSA	“/home/<username>/.ssh/id_rsa.pub”	“/home/<username>/.ssh/id_rsa”
DSA	“/home/<username>/.ssh/id_dsa.pub”	“/home/<username>/.ssh/id_dsa”
ECDSA	“/home/<username>/.ssh/id_ecdsa.pub”	“/home/<username>/.ssh/id_ecdsa”
Ed25519	“/home/<username>/.ssh/id_ed25519.pub”	“/home/<username>/.ssh/id_ed25519”

Let’s get into various methods to generate the SSH Keys.

Generating SSH Key(s) With Default Parameters

The “ssh-keygen” command without parameters generates the SSH key with default values, which are:

• RSA encryption is used with the default bit size.
• The key will be stored in the directory, “/home/<username>/.ssh/id_rsa”.

ssh-keygen

Let’s understand the output:

• A prompt first appears asking you to recognize the directory where the key(s) will be stored. You can change that directory as well.
• You can set the password for the private key (Although it is already safe, setting the password makes it more complex/secure).
• By default, the RSA-based encryption is carried out with 3072 encryption bits. Moreover, the SHA256 (a hashing algorithm from the SHA-2 family, considered more secure) is used to secure the key after generation.

Generating SSH Keys With Different Algorithms and Encryption Bits

SSH key generation command allows you to generate the Public and Private keys with the specific encryption bits. The following command uses the “RSA” algorithm with encryption bits “4096” (considered more secure and recommended than the lower ones):

ssh-keygen -t rsa -b 4096

The keys are being stored in the default directory (If the key already exists there, it would replace the existing one).

Similarly, you can use a different algorithm (dsa, ecdsa, or ed25519) after the “-t” flag and the bits after the “-b” flag.

How to Establish an SSH Connection Using SSH Keys?

As discussed, the default connection of the SSH is based on just the user’s password authentication, which is the least secure and the information being transmitted can easily be hacked. To counter that, SSH has provided secure connection support by authenticating the public and Private key combinations.

Let’s see how it is carried out:

Step 1: Generate SSH Key Pairs on the Client Side

On the client side, use the ssh-keygen command to generate the public/private keys:

ssh-keygen -t rsa -b 5554

Important: Note down the public key’s path. Also, do remember the passphrase, which will be asked at the time of connection.

Step 2 (Optional): Create the File (At Server End) For SSH Keys

Ensure you have a “~/.ssh/authorized_keys” file at the server end to place the SSH keys. If not, you can create the file, as follows:

• If the “.ssh” directory is available:

touch ~/.ssh/authorized_keys

• If the “.ssh” directory does not exist:

mkdir ~/.ssh;sudo chmod 700 ~/.ssh;touch ~/.ssh/authorized_keys

While copying, you might encounter the permission denied error to the file “~/.ssh/authorized_keys”. To counter this, you must grant the read and write permissions of the file to the owner only (execute the following command on the server side where the keys are to be copied):

sudo chmod u+rw ~/.ssh/authorized_keys

Step 3: Copy the SSH Key From the Client to the Server

Ubuntu (as a client or server) offers three ways (recommended) ways to copy the SSH key from the client to the server, i.e., ssh-copy-id command (used the most), ssh/scp, or ssh/cat. In short, SSH is the primary to assist other methods for copying the key. Let’s get into these:

1. ssh-copy-id Command

By default, the “ssh-copy-id” command copies all the public keys available in the “~/.ssh/” directory. However, you can use different options of the ssh-copy-id command to copy the specific key. Let’s discuss its usage in detail:

• Copy All the Keys From the Default Location

Use the username and the Hostname/address of the server to save the keys at the server end:

ssh-copy-id [email protected]

First, the SSH connection is established between the client and the server. The copied SSH public key(s) is placed in the “~/.ssh/authorized_keys” file on the server.

• Copy Specific Keys

One can use the “ssh-copy-id -i <Path-to_Public-Key> username@Hostname/IP-Add” to copy a specific public key placed at any location on the system. Let’s say the command below copies the mentioned public key to the server:

ssh-copy-id -i ~/.ssh/id_ed25519.pub username@Hostname/IP-Add

1. scp With ssh

SSH offers a secure copy protocol to transfer/share files/data securely. The SSH keys can also be copied using the scp. Let’s do it:

The command below copies the “pub key”, establish an ssh connection, and places the copied key into the “~/.ssh” directory of the server:

sudo scp <path/of/pub-key> username@Hostname/Ip-Add:~/.ssh

Connect to the server:

ssh user@Hostname

Copy the content of the Public Key to the authorized_key file:

sudo cat path/of/the/copied/key >> ~/.ssh/authorized_keys

1. ssh With cat

The “cat” command can be used to fetch the content of the public key. Then, pipe the content (which will be copied to the clipboard) to the ssh command (establishing the connection). Lastly, the content of the pipe command is copied to the authorized keys file:

cat <path/to/pubkey> | ssh username@hostname "cat >> ~/.ssh/authorized_keys"

That’s how you can copy the SSH keys.

Step 4: Establish a Connection From the Client to the Server

• Through Default Keys

If you have copied one key, then you can use the generic “ssh username@hostname(IP-Address)” command to connect to the server:

ssh username@hostname/IP-Address

When the command is executed, the following private key authentication prompt appears. You need to enter the passphrase of the private key that you set while generating the keypairs:

Note: If the passphrase is not set, you will be logged in straight away.

 

After the successful authentication, we are now logged into the remote machine:

• Through Specific Keys

If you want to establish a connection through a specific private key, then you need to mention the complete path of the private key with the “-i” option as shown below:

ssh -i "~/.ssh/id_ed25519" username@hostname/IP-Address

How to Copy a Key to Multiple Servers?

Until now, we have learned the way to copy the key(s) to only one server. What if you have to copy a key to multiple servers at once? Let’s see how it works:

Step 1: Create a List of Servers

Create a text file and place the server(s) addresses (in the username@Hostname/IP-Address format):

nano ser

Step 2: Create a Bash Script

Now, the purpose is to loop over the server address in the file “ser.txt”. For that, a bash script is created and the for loop is used. Here’s the code of that bash script:

• The for-loop loops over the file where the server(s) addresses are saved.
• Inside the loop, the “ssh-copy-id” command runs which copies the keys to the servers that are read and stored in the “$s”.

Now, make the script executable:

sudo chmod +x ssh.sh

Step 3: Execute the Script

./ssh.sh

All the keys placed in the “~/.ssh” directory are copied to all the servers one by one.

How to Disable the Password-Based SSH Authentication?

If the connection has been established successfully by authenticating the key pairs. You can now disable the password authentication for SSH connections. If you keep the password-based authentication active, your connection can be breached easily. Thus, it is recommended to turn off password-based authentication and restrict the connections to use the SSH key pairs for authentication. Let’s do it:

Open the “/etc/ssh/sshd_config” file in any editor (on your server):

sudo nano /etc/sshd_config

Locate the line “PasswordAuthentication”, uncomment it, and set its value to “no”, as shown below:

Save and exit out of the editor. Lastly, restart the SSH service on your server (where you have changed the SSH settings):

sudo systemctl restart sshd

Here you go with the more secure SSH connection!

Bottom Line

SSH is known for its secure connection through the asymmetrical cryptographic methodology. This enables the client to generate an SSH key pair (Public and Private) and then use it for connecting/communicating.

The SSH key pairs are generated using the ssh-keygen tool. The tool allows you to generate SSH key pairs in one of the four asymmetric algorithms with different/distinct encryption bits.

This post has explained the importance and the method to generate SSH keys on Ubuntu 22.04.