Using SSH & Creating SSH Keys
By Justin
Updated 2024
Connecting to a remote server requires a concept called Secure Shell or ssh for short. Using ssh allows your local computer to connect to a remote server (or remote virtual machine) and run various commands. In other words, ssh is how we log in to a server we want to host code on.
In this post, we'll look at how to generate SSH keys so you can connect to a server without using passwords. Doing this allows allows you to automate all kinds of things like deploying code, backing up data, and more.
SSH is so common that is already installed on Mac, Linux, and modern Windows whether it's using terminal, powershell, or windows subsystem for linux (wsl).
The process is as follows:
- Generate a ssh key pair - public and private.
- Secure the private key (aka share if you want to allow access)
- Install the public key to a server or service that supports it.
- Connect using the private key.
Let's see how this works in practice.
Generate an SSH Key Pair
You are going to create a public/private key pair in a non-default location so you can get comfortable with deleting the ssh keys.
bash
mkdir -p ~/dev/my-test-ssh
cd ~/dev/my-test-ssh
Now create the key pair.
bash
ssh-keygen -t rsa -b 4096 -C "[email protected]"
This command will yield:
bash
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/justin/.ssh/id_rsa):
Now you can enter a file name testing-123. If you skip adding your filename, the default path and name will be used (/Users/justin/.ssh/id_rsa).
At this point you should see the following:
bash
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/justin/.ssh/id_rsa): testing-123
Now press enter and the next step will be:
bash
Enter passphrase (empty for no passphrase):
This is where you can add another layer of security by adding a password to the SSH private key itself. You can leave it blank if you want. Whatever you decide, you need to remember it because you will be asked for it every time you try to connect to a server. Either way, the next step will be:
bash
Enter same passphrase again:
Assuming you used the same password, even if nothing, the passphrase empty, press enter and you should see the following:
bash
Your identification has been saved in testing-123
Your public key has been saved in testing-123.pub
The key fingerprint is:
SHA256:<removed-for-privacy> [email protected]
The key's randomart image is:
+---[RSA 4096]----+
| truncated-for-clarity |
+----[SHA256]-----+
This means your key pair have been created. If you list out the files in the directory you should see the following:
bash
ls ~/dev/my-test-ssh
You should see the following:
bash
testing-123 testing-123.pub
The name testing-123 is the name for the private key while testing-123.pub is name for the public key. testing-123.pub you share/install elsewhere. testing-123 you treat like a password and only share if you want to allow access.
The whole process looks like this:
bash
ssh-keygen -t rsa -b 4096 -C "[email protected]"
Enter file in which to save the key (/Users/justin/.ssh/id_rsa): testing-123
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in testing-123
Your public key has been saved in testing-123.pub
The key fingerprint is:
SHA256:<removed-for-privacy> [email protected]
The key's randomart image is:
+---[RSA 4096]----+
| truncated-for-clarity |
To shortcut a passphrase-less key at a specific location, you can just run:
bash
ssh-keygen -t rsa -b 4096 -C "[email protected]" -f ~/dev/my-test-ssh/testing-123 -N ""
Note on Overwriting Keys
If you run the ssh-keygen command more than once with the key at the same location, you'll be prompted to overwrite the existing key. To replace the old key, type y and press Enter. Remember that overwriting an SSH key will invalidate any connections or services using the old key.
Using SSH Keys
For most cloud providers, there's an easy way to install your public key. Public keys always end in .pub and follow this format:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAA...<truncated-for-readability>.... [email protected]
Private keys always follow this format:
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
...<truncated-for-readability>....
KepGSVeUeUVdAAAAJmp1c3QtaW4tc3NoQGNvZGluZ2ZvcmVudHJlcHJlbmV1cnMuY29tAQ
IDBA==
-----END OPENSSH PRIVATE KEY-----
To see your exact values, you can run cat on the file. For example:
bash
cat ~/dev/my-test-ssh/testing-123.pub
cat ~/dev/my-test-ssh/testing-123
At this point, you would use ~/dev/my-test-ssh/testing-123.pub on your cloud service to ensure your public key is installed on new servers you want to connect to. If you want to add this public key to an existing server, you can manually install them with the next section.
Manually Installing Public Key
Let's pretend you forgot to install your public key to a server or service. Assuming you have a username and password for the server, you can manually add the public key. It's as easy as:
- Having a pre-existing public/private key pair. (e.g. the previous section)
- Having a username and password for the server.
- Using the ssh-copy-id command.
Here's how it's done with our non-default key (~/dev/my-test-ssh/testing-123.pub) from the previous section:
bash
ssh-copy-id -i ~/dev/my-test-ssh/testing-123.pub root@<your-server-ip>
If done correctly, you should see something like the following:
bash
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "~/dev/my-test-ssh/testing-123.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the other keys
root@<your-server-ip>'s password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh -i "~/dev/my-test-ssh/testing-123" root@<your-server-ip>"
and check to make sure that only the key(s) you wanted were added.
Now whenever you need to connect to the server, you can use the shortcut provided:
bash
ssh -i "~/dev/my-test-ssh/testing-123" root@<your-server-ip>
This allows for passwordless authentication.
Using the Default SSH Keys
Using the default SSH Keys is the easiest way to connect to a server. For most users, the default SSH keys are stored in ~/.ssh/ and are named id_rsa (private) and id_rsa.pub (public).
They are generated the same way:
bash
ssh-keygen -t rsa -b 4096 -C "[email protected]"
But you do not change the filename or file location. If you are prompted to overwrite the keys, take a moment to figure out if you have any services using the default keys. If you are unsure, I recommend using the manual process we did above.
With the default, you can connect to server with:
- ssh-copy-id root@<your-server-ip> (run once to install)
- ssh root@<your-server-ip> (run anytime you need to connect)
Notice that we did not have to use the -i flag when connecting with the default keys. This is because the default public/private key are automatically used by, ahem, default.
Copying the Public Key
The shortcut to copy the public key on macOS/Linux is:
bash
cat ~/.ssh/id_rsa.pub | pbcopy
If you're on Windows, the shortcut to copy the public key to your clipboard is:
bash
cat ~/.ssh/id_rsa.pub | clip
These commands are helpful to get an exact copy of your public key when installing to cloud services like Akamai Linode, Digital Ocean, AWS, Google Cloud, GitHub, etc.
Your First SSH Connection
Now that you have your public/private key pair, you can connect to a server. Assuming you have a username and password for the server, you can connect with the following command:
bash
ssh root@<your-server-ip>
Replace <your-server-ip> with the IP address of your server.
When you connect to a server for the first time, you will see the following:
bash
The authenticity of host '192.168.1.100 (192.168.1.100)' can't be established.
ECDSA key fingerprint is SHA256:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef.
Are you sure you want to continue connecting (yes/no)?
This is a security feature that ensures you want to connect to the server. If you change your SSH keys, this message may show an error instead. You will only see this message when connecting to a server for the first time.
After you type yes, you will connect. Your system will also automatically add the server's public key to a local file to keep track of your "known hosts" that you have approved. In other words, this server will be added as a single entry in the ~/.ssh/known_hosts file. If you have an error connecting to a server (e.g. "The Host's identity is not known"), you may need to edit your ~/.ssh/known_hosts file to remove the old key and try again. The known_hosts file is a security feature that prevents man-in-the-middle attacks. In some cases, you can delete the entire known_hosts file.
That's it! Consider checking out the Full Stack Python AI Chatbot course where we implement an GitHub Action Workflow that uses a non-default SSH key to deploy an app to a virtual machine server.