create ssh key

By | September 6, 2018


How to create ssh key pairs in Linux

In Linux and most other Unix-like systems you can use ssh key pairs to log into other hosts and run scripts on them remotely without typing a password. This is extremely useful when managing multiple Linux hosts, and when you want to gather reports from one central source.

What are SSH Key Pairs?

SSH key pairs are two cryptographically secure keys that can be used to authenticate a client to an SSH server. Each key pair consists of a public key and a private key.

The private key is retained by the client and should be kept absolutely secret. Any compromise of the private key will allow the attacker to log into servers that are configured with the associated public key without additional authentication. As an additional precaution, the key can be encrypted on disk with a passphrase.

The associated public key can be shared freely without any negative consequences. The public key can be used to encrypt messages that only the private key can decrypt. This property is employed as a way of authenticating using the key pair.

The public key is uploaded to a remote server that you want to be able to log into with SSH. The key is added to a special file within the user account you will be logging into called ~/.ssh/authorized_keys.

When a client attempts to authenticate using SSH keys, the server can test the client on whether they are in possession of the private key. If the client can prove that it owns the private key, a shell session is spawned or the requested command is executed.

These three steps are how to create ssh key pairs in Linux:

  1. Create your ssh key pairs on the client server you wish to connect from.
  2. Copy your public key onto the host you wish to connect to.
  3. Load your ssh key on the client server you're connecting from.

An overview of the flow is shown in this diagram:

The diagram shows a laptop connecting to a server, but it could just as easily be one server connecting to another server.

  • private key (id_rsa) – this is the master key; it sits on the client you're connecting from and never leaves it.
  • public key (id_rsa.pub) – like a door lock, it sits on the servers you want to connect to.

Detailed Steps on how to create ssh keys in Linux

This section contains detailed steps on how to create your ssh key pairs and load them onto your servers.

Setting up SSH Keys (public and private key)  

Just a quick summary on how to use the ssh-agent so we can use ssh keys which are password protected.

[CLIENT “Main client you're connecting from, holds the private key (id_rsa)”]
Under your local account, create your SSH key pair; by default it is written to a hidden .ssh directory under your home directory.

First run ssh-keygen

localuser@client:remotehost# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/localuser/.ssh/id_rsa):
/home/localuser/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/localuser/.ssh/id_rsa.
Your public key has been saved in /home/localuser/.ssh/id_rsa.pub.
The key fingerprint is:
cc:1e:55:ad:44:fe:51:3d:c6:7a:5b:e4:9a:e2:fa:f6  localuser@remotehost

Within this directory, after running ssh-keygen, you will find your SSH key pair (note the modes: the private key is readable by you only, the public key by everyone):

localuser@remotehost# ls -al .ssh
total 20
drwx------ 2 wz7052 techsup 4096 Oct 21 13:27 .
drwx------ 3 wz7052 techsup 4096 Oct 21 13:41 ..
-rw------- 1 wz7052 techsup 1743 Oct 21 13:36 id_rsa   <-- private key
-rw-r--r-- 1 wz7052 techsup  425 Oct 21 13:36 id_rsa.pub  <-- public key

[SERVER “Server you want to connect to, holds the public key (id_rsa.pub)”]

We will use ssh-copy-id to push the public key onto the server we want to connect to, but first the hidden .ssh folder must exist in our home directory on that server.

Create a .ssh directory under your home directory and make sure the permissions are set to 700:

cd ~
mkdir .ssh
chmod 700 .ssh

Repeat for each server you want to connect to.

[CLIENT “Main client you're connecting from”]

Logon as yourself.

Copy id_rsa.pub (the public key) to the host you want to connect to:

ssh-copy-id -i .ssh/id_rsa.pub user@remotehost

You will be prompted for your password on the remote host, and then it will append the key to ~/.ssh/authorized_keys there and set up everything – this saves a LOT of hassle compared with manually copying the file to the server!
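After ssh-copy-id has run, it is worth checking the permissions on both ends: with its default StrictModes, sshd refuses an authorized_keys file or .ssh directory that others can write to, and ssh refuses to use a private key that others can read. The audit script below is an added example, not code from the original post; the audit_ssh_dir function and the scratch directory it checks are my own.

```shell
#!/bin/sh
# audit_ssh_dir DIR: check that a .ssh directory carries the permissions ssh
# and sshd expect (the same ones the ls -al listing above shows).
# Prints one line per problem; returns 1 if anything needs fixing, 0 if clean.

mode_of() {
    # Octal permission bits of a path: GNU stat first, BSD/macOS stat as fallback
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

audit_ssh_dir() {
    dir=$1; rc=0
    [ -d "$dir" ] || { echo "missing: $dir"; return 1; }
    m=$(mode_of "$dir")
    [ "$m" = 700 ] || { echo "$dir: mode $m, expected 700"; rc=1; }
    # Private keys and authorized_keys must be readable by the owner only:
    # sshd (StrictModes) refuses a writable authorized_keys, ssh refuses an open key
    for f in "$dir"/id_* "$dir"/authorized_keys; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        m=$(mode_of "$f")
        [ "$m" = 600 ] || { echo "$f: mode $m, expected 600"; rc=1; }
    done
    # Public keys may be world-readable, but never group- or world-writable
    for f in "$dir"/*.pub; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        case $m in 644|600) ;; *) echo "$f: mode $m, expected 644"; rc=1 ;; esac
    done
    return $rc
}

# Constructed demo: a scratch .ssh with one deliberately wrong mode (empty
# files stand in for keys; no real key material is created)
demo_dir=$(mktemp -d)/.ssh
mkdir -m 700 "$demo_dir"
: > "$demo_dir/id_rsa";     chmod 644 "$demo_dir/id_rsa"     # too open
: > "$demo_dir/id_rsa.pub"; chmod 644 "$demo_dir/id_rsa.pub"
audit_ssh_dir "$demo_dir" || echo "fix with: chmod 600 $demo_dir/id_rsa"
```

Run it as `audit_ssh_dir ~/.ssh` on the client and on each server; a clean run prints nothing and exits 0.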

Making it all work

[CLIENT “Main client you're connecting from”]

Log onto the server with the passphrase

Now that the public key is configured and pushed onto each server you wish to connect to, log on as yourself on the client.

ssh to the server you want to connect to:

ssh server

Since ssh finds the key in ~/.ssh it will offer it to the server and ask for the passphrase that protects it:

Enter passphrase for key '/home/localuser/.ssh/id_rsa':
Last login: Tue Oct 21 13:43:12 2014 from 172.22.1.138

Log onto the server without retyping the passphrase (ssh-agent)

Now we have this key loaded on many hosts and we don't want to type the passphrase every time.

To get around this, start ssh-agent on the primary host and load the private key into it.

It will ask for the key passphrase once; as long as you run commands from this ssh-agent shell, the agent will do the key authentication to the remote hosts for you.

Let me show you

Load ssh-agent shell

localuser@client# ssh-agent /bin/bash
Add your private key to the agent
[localuser@client ~]$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/localuser/.ssh/id_rsa:
Identity added: /home/localuser/.ssh/id_rsa (/home/localuser/.ssh/id_rsa)

Now you should not need the passphrase again when connecting to the remote host:

[localuser@client~]$ ssh server
Last login: Tue Oct 21 14:17:07 2014 from 171.22.12.138
[localuser@server~]$

You see it used the key held by the ssh-agent.

Running remote commands

Now you can use the key pair to run commands on the other side.

ssh -q 10.11.0.92 hostname
server

I have written a script that loops over the servers defined in hostlist.txt and runs a simple hostname command on each of them:

cat hostlist.txt
server1
server2
server3
server4
server5

Script to gather the hostname list and confirm that every remote system in the defined list answered:

cat hostname.sh
#!/bin/bash
eval "$(ssh-agent -s)"            # start an agent for this script only
ssh-add ~/.ssh/id_rsa             # prompts once for the passphrase
: > ssh-testrun                   # start with an empty results file
while read -r host; do ssh -q "$host" hostname >> ssh-testrun; done < hostlist.txt
wc -l hostlist.txt ; wc -l ssh-testrun
ssh-agent -k                      # stop the agent when done

Run the script and you should see that all 5 servers defined in hostlist.txt match the hostnames collected in ssh-testrun:

./hostname.sh
5 hostlist.txt
5 ssh-testrun

Summary

You can see that ssh keys are a powerful tool to easily connect to remote systems, run remote health checks and gather data.
