Generate OpenSSH Public/Private Key Pair

In this post I will be demonstrating how to generate an RSA private and public key pair for SSH authentication to a Linux server. Key-based authentication improves security for servers reachable directly over the Internet via SSH: instead of only needing to know a user name and password combination, an attacker must have the private key in their possession, so no matter how many passwords they guess they will not gain access. What remains is the risk of an unpatched flaw in the SSH software or in some other service the server runs, and the risk of the private key itself being stolen, which is why the rest of this post pays attention to pass phrases and file permissions.

Generate the Keys

First, go to your user's home directory, create a new directory named ‘.ssh’, and change into it. The directory must not be writable by anyone but you (mode 700 is the usual choice); with the default StrictModes setting, sshd ignores an ‘.ssh’ directory that other users could modify.

Now that you are in your user's ‘.ssh’ directory, create the public and private key pair with ssh-keygen by issuing the following command and following the prompts.

One thing to note: two of the prompts ask you to enter and then confirm a pass phrase for the key. You will most likely want to set one, because without it all an attacker needs in order to log in to the system is a copy of the key file.

If you want to be able to log in without typing anything at all you can just hit Enter to leave the pass phrase blank, but be aware that a key without a pass phrase is considerably weaker: it is only as safe as the file it is stored in.

At this point, if we list the files in our directory we will have two files, ‘id_rsa’ and ‘id_rsa.pub’. The file ending in ‘.pub’ is the public key; it stays on the server, where sshd uses it to verify that a connecting client holds the matching private key (the server never sends this key to the client). The file without ‘.pub’ is the private key, which you will need to copy down to your client computer. Note that the more usual, and safer, order is the reverse: generate the pair on the client and copy only the public key up to the server (ssh-copy-id does exactly this), so the private key never leaves the machine it belongs to. The steps below follow the server-first order used in this post.
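
Here is the generate step as a script, added as an example and not code from the original post: it creates ‘.ssh’ with mode 700, runs ssh-keygen non-interactively, and checks what was written. It assumes ssh-keygen is on the PATH; the function names, the 4096-bit key size and the comment are my choices, and the pass phrase is passed in as an argument (an empty one matches pressing Enter at the prompt).

```shell
#!/bin/sh
# Added example, not from the original post. Generates an RSA key pair the
# way the post describes, but without interactive prompts, and verifies the
# files ssh-keygen left behind. Assumes ssh-keygen is installed.

# gen_key_pair HOME_DIR PASSPHRASE COMMENT
# Creates HOME_DIR/.ssh (mode 700) and HOME_DIR/.ssh/id_rsa plus id_rsa.pub.
# An empty PASSPHRASE gives an unprotected key, as pressing Enter does.
# Returns 0 on success, 1 if generation fails or the permissions are wrong.
gen_key_pair() {
    home_dir=$1
    passphrase=$2
    comment=$3
    ssh_dir="$home_dir/.ssh"

    # umask 077 so nothing created here is readable by group or others.
    (umask 077 && mkdir -p "$ssh_dir") || return 1
    chmod 700 "$ssh_dir" || return 1

    # -q: quiet; -t/-b: RSA, 4096 bits (ssh-keygen's own default is 3072);
    # -N: pass phrase; -C: comment stored in the .pub line; -f: output path.
    ssh-keygen -q -t rsa -b 4096 -N "$passphrase" -C "$comment" \
        -f "$ssh_dir/id_rsa" </dev/null || return 1

    [ -f "$ssh_dir/id_rsa" ] && [ -f "$ssh_dir/id_rsa.pub" ] || return 1
    # ssh refuses a private key readable by others; ssh-keygen sets 600.
    [ -n "$(find "$ssh_dir/id_rsa" -perm 600 -print)" ] || return 1
}

# key_has_passphrase KEYFILE
# True when the private key is encrypted: deriving its public half with an
# empty pass phrase (ssh-keygen -y -P "") only succeeds on an unprotected key.
key_has_passphrase() {
    ! ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1
}

# Usage: sh gen_keys.sh run   (writes a demo pair into a scratch directory)
case "${1:-}" in
    run)
        scratch=$(mktemp -d)
        gen_key_pair "$scratch" "" "demo@workstation" && ls -l "$scratch/.ssh"
        ;;
esac
```

The second function answers the pass-phrase question from the prompts above for an existing key: ssh-keygen cannot derive the public half of an encrypted key without its pass phrase, so a key that yields to an empty one is unprotected. On OpenSSH 6.5 or newer you can swap ‘-t rsa -b 4096’ for ‘-t ed25519’ and leave the rest of the script unchanged.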

Rename Public Key

Depending on how your SSH server is configured, the public key must be placed in the file sshd reads when deciding which keys may log in to the account (the AuthorizedKeysFile setting in sshd_config). By default that file is ‘authorized_keys’ in the user's ‘.ssh’ directory, so on the server issue the following command to rename ‘id_rsa.pub’ to ‘authorized_keys’: ‘mv id_rsa.pub authorized_keys’. If an ‘authorized_keys’ file already exists, append the key to it instead of renaming over it, so that keys already authorized are not lost.

We can now see by issuing the ‘ls’ command that our public key file is named ‘authorized_keys’ and that the only other file is our private key. By default the permissions on ‘authorized_keys’ should already be 644 (rw-r--r--), which sshd accepts; what it rejects, with StrictModes on, is a file or ‘.ssh’ directory writable by group or others. If the permissions are wrong, set them with ‘chmod 644 authorized_keys’ (600 also works, since only the user and sshd need to read it), and make sure the ‘.ssh’ directory itself is mode 700.
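
As an added example (not from the original post), here is the rename step done the way a practitioner would do it on a server that may already have keys: the public key line is appended to ‘authorized_keys’ unless it is already there, and the permissions that sshd's StrictModes checks are enforced. The function names are mine, and the sample key line is constructed, with a placeholder in place of the real base64 blob.

```shell
#!/bin/sh
# Added example, not from the original post. Installs a public key line into
# ~/.ssh/authorized_keys the way sshd expects: appended rather than renamed
# over an existing file, deduplicated, with StrictModes-safe permissions.
# The sample key line at the bottom is constructed; its base64 blob is a
# placeholder, not a real key.

# install_authorized_key HOME_DIR PUBKEY_LINE
# Returns 0 if the line was installed or was already present, 1 if it does
# not look like "<keytype> <base64> [comment]" or the files cannot be set up.
install_authorized_key() {
    home_dir=$1
    line=$2
    ssh_dir="$home_dir/.ssh"
    ak="$ssh_dir/authorized_keys"

    # Shape check only; sshd does the real parsing when the key is used.
    keytype=${line%% *}
    rest=${line#* }
    blob=${rest%% *}
    case "$keytype" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$' || return 1

    # Directory 700 and file 600: StrictModes rejects anything group- or
    # world-writable, and nobody but the user and sshd needs to read these.
    (umask 077 && mkdir -p "$ssh_dir" && touch "$ak") || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$ak" || return 1

    # -x whole line, -F fixed string: never append the same key twice.
    grep -qxF -- "$line" "$ak" || printf '%s\n' "$line" >> "$ak"
}

# authorized_key_count HOME_DIR: number of non-empty lines in authorized_keys.
authorized_key_count() {
    ak="$1/.ssh/authorized_keys"
    if [ -f "$ak" ]; then grep -c . "$ak" || true; else echo 0; fi
}

# Constructed sample line (placeholder blob, not a real key).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDplaceholderNotARealKey0000 user@workstation'

# Usage: sh install_key.sh run
case "${1:-}" in
    run)
        scratch=$(mktemp -d)
        install_authorized_key "$scratch" "$SAMPLE_PUBKEY"
        install_authorized_key "$scratch" "$SAMPLE_PUBKEY"   # no-op: already there
        echo "authorized keys: $(authorized_key_count "$scratch")"
        cat "$scratch/.ssh/authorized_keys"
        ;;
esac
```

Pass the user's real home directory as the first argument when running this on the server; the whole-line match means a key re-added with a different comment is stored twice, which is harmless but worth knowing when you later remove keys.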


Copying Private Key to Client

Now we need to get the private key from the server to the client. Do this over an encrypted channel such as SSH: if someone sniffing the network traffic captures the contents of the key as it goes across, they can log in to your server with it. If you are using a Windows computer, FileZilla supports SFTP (file transfer over SSH, not FTP) and can copy the file down securely. If you are using Linux you can use scp, or rsync over ssh, to copy down the file. Lastly, if you don't want to use any of those options, while logged in via SSH you can cat the private key to print its contents, copy the text to your clipboard, and paste it into a new file on your client computer; set that file to mode 600 afterwards, and be aware that a clipboard manager may keep a copy of the key.

Below is an example of using rsync over ssh on a Linux client to copy down the private key and delete the source file from the server:

rsync -avz --remove-source-files user@remote_server_ip_address:/home/user/.ssh/id_rsa user_workstation_key.key

Command Breakdown:

rsync -avz : runs rsync in archive mode (-a), which also preserves the key file's 600 permissions, compresses the data for transfer (-z), and gives verbose output (-v)

--remove-source-files : as the option name describes, after the transfer completes rsync automatically deletes the file from the source it was copied from

user@remote_server_ip_address:/home/user/.ssh/id_rsa : specifies the user and remote server IP address to connect to, and the file to copy

user_workstation_key.key : the new name of the file as saved on the local computer

We can now see by issuing an ‘ls’ command that we have a new file, ‘user_workstation_key.key’. This file can be named anything you want, so long as the name describes the user and device it is for so you don't forget. Check that it is mode 600 (‘ls -l’ shows -rw-------): ssh refuses to use a private key that other users can read, and a pasted copy will not have inherited the permissions rsync preserved.


Configure SSH to use key based authentication

Now you can configure your remote server to use key-based authentication so that it requires the private key when a user logs in. I do have instructions in this post on how to configure OpenSSH to use key-based authentication. Test a key-based login from a second session before you disable password authentication, so that a mistake in the key setup does not lock you out.
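
Added here as an example, not code from the original post or the linked one: the sshd_config directives this step amounts to, with a check that a config file actually contains them. The drop-in path in the usage line is an assumption; it works where the main sshd_config has an Include line for sshd_config.d (OpenSSH 8.2 and later), otherwise put the same lines in /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original post (which links to a separate one
# for this step). Writes the sshd_config directives that enable key-based
# authentication and disable passwords, and checks a config file for them.
# The target path is the caller's choice: a drop-in under
# /etc/ssh/sshd_config.d/ works when the main sshd_config has an Include
# line for it (OpenSSH 8.2 and later); otherwise edit sshd_config directly.

# key_auth_directives: print the directives to stdout.
key_auth_directives() {
    cat <<'EOF'
# Accept keys listed in ~/.ssh/authorized_keys (the file the post uses).
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# No password logins of either kind: a guessed password is now useless.
PasswordAuthentication no
KbdInteractiveAuthentication no
# root may still log in, but only with a key.
PermitRootLogin prohibit-password
EOF
}

# write_key_auth_config FILE: write the directives to FILE, world-readable
# like sshd_config itself (it holds no secrets).
write_key_auth_config() {
    key_auth_directives > "$1" && chmod 644 "$1"
}

# config_disables_passwords FILE: true when FILE turns key auth on and
# passwords off. sshd keywords are case-insensitive, hence grep -i.
config_disables_passwords() {
    grep -Eiq '^[[:space:]]*PubkeyAuthentication[[:space:]]+yes' "$1" &&
    grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+no' "$1"
}

# check_sshd_config [FILE]: let sshd itself parse the config (-t) before
# restarting it. Run as root on the server, since sshd also loads the host
# keys while checking.
check_sshd_config() {
    if ! command -v sshd >/dev/null 2>&1; then
        echo "sshd is not installed on this machine; skipping -t check" >&2
        return 0
    fi
    if [ -n "${1:-}" ]; then sshd -t -f "$1"; else sshd -t; fi
}

# Usage (as root): sh keyauth.sh run /etc/ssh/sshd_config.d/50-keyauth.conf
case "${1:-}" in
    run)
        write_key_auth_config "$2" && config_disables_passwords "$2" \
            && check_sshd_config && echo "written; restart sshd to apply"
        ;;
esac
```

After writing the file, ‘sshd -T | grep -i passwordauthentication’ (as root) shows the value the daemon will actually use once restarted, which catches a later directive or a Match block overriding yours. Keep the session you are working in open until a fresh key-based login succeeds.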


Things to note

One thing to understand about the private/public key pair you have created is that the two halves are linked, but not symmetrically. If your private key is lost there is no way to recover it from the public key; you would need to create a new key pair, repeat the steps above, and remove the old public key from ‘authorized_keys’. You can, however, regenerate the public key from your private key if it is ever deleted, which I demonstrate in this post.
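
The checks below are an added example, not code from the original post. They cover two things from this page: the state a copied private key should be in on the client (from the copying section: mode 600, and confirmation that it is the key the server's ‘authorized_keys’ actually lists), and the regeneration of a deleted public key from the private one mentioned just above. ssh-keygen is assumed to be installed; the paths are arguments and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Client-side checks for a
# private key copied down from the server, plus regeneration of a lost
# public key. Assumes ssh-keygen is installed; nothing here contacts a
# server, all paths are arguments.

# fix_private_key_perms KEYFILE
# ssh refuses a private key readable by others ("UNPROTECTED PRIVATE KEY
# FILE!"), which is how a pasted-from-clipboard copy usually ends up.
fix_private_key_perms() {
    chmod 600 "$1"
}

# fingerprint_of_file FILE: SHA256 fingerprint of the first key in FILE,
# which may be a public key file or a single authorized_keys line.
fingerprint_of_file() {
    ssh-keygen -l -E sha256 -f "$1" 2>/dev/null | awk 'NR == 1 { print $2 }'
}

# regenerate_public_key KEYFILE [PASSPHRASE]
# Rebuilds KEYFILE.pub from the private key (ssh-keygen -y). The reverse,
# private from public, is impossible by design.
regenerate_public_key() {
    keyfile=$1
    if ! ssh-keygen -y -P "${2:-}" -f "$keyfile" > "$keyfile.pub" 2>/dev/null; then
        rm -f "$keyfile.pub"
        return 1
    fi
}

# public_fingerprint KEYFILE [PASSPHRASE]
# Fingerprint of KEYFILE's public half, derived from the private key so it
# works even when the .pub file is gone.
public_fingerprint() {
    tmp=$(mktemp) || return 1
    if ssh-keygen -y -P "${2:-}" -f "$1" > "$tmp" 2>/dev/null; then
        fingerprint_of_file "$tmp"
        rm -f "$tmp"
    else
        rm -f "$tmp"
        return 1
    fi
}

# private_key_matches_authorized KEYFILE AUTHORIZED_KEYS [PASSPHRASE]
# True when the key you hold is one the server will accept: every
# non-comment line of AUTHORIZED_KEYS is fingerprinted and compared.
private_key_matches_authorized() {
    fp=$(public_fingerprint "$1" "${3:-}") || return 1
    [ -n "$fp" ] || return 1
    tmp=$(mktemp) || return 1
    found=1
    while IFS= read -r ak_line || [ -n "$ak_line" ]; do
        case "$ak_line" in ''|'#'*) continue ;; esac
        printf '%s\n' "$ak_line" > "$tmp"
        if [ "$(fingerprint_of_file "$tmp")" = "$fp" ]; then
            found=0
            break
        fi
    done < "$2"
    rm -f "$tmp"
    return $found
}

# Usage: sh check_key.sh run PRIVATE_KEY AUTHORIZED_KEYS_COPY
case "${1:-}" in
    run)
        fix_private_key_perms "$2"
        if private_key_matches_authorized "$2" "$3"; then
            echo "$2 matches a key listed in $3"
        else
            echo "$2 is not authorized by $3" >&2
            exit 1
        fi
        ;;
esac
```

The fingerprint comparison is the check to run before you disable password logins: if ‘private_key_matches_authorized’ fails, the key you copied down is not the one the server accepts and a key-only login will fail. Keep a copy of the server's ‘authorized_keys’ file on the client (it is public data) to run it against.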


Now, assuming you have configured your SSH server to accept your public key and to require proof of the matching private key when a client authenticates, you will need to use that private key when logging in via ssh: pass the file to ssh with the -i option, or reference it from your ssh client configuration. If this post helped you please share on social media
