Master SSH Key Authentication: Generate, Upload, and Use Keys Securely
This guide explains what SSH keys are, walks through the step‑by‑step process of key‑based login, shows how to generate keys with ssh‑keygen, manually add a public key to authorized_keys, and automate the upload using ssh‑copy‑id, including important security considerations.
1. What is a key
A key is a very large number produced by an encryption algorithm. Symmetric encryption uses a single key, while asymmetric encryption uses a pair: a public key and a private key. SSH key login relies on asymmetric encryption; the private key must be kept secret, and the public key can be shared openly. Data encrypted with the public key can only be decrypted with the matching private key, and data signed with the private key can be verified with the public key.
2. SSH key login process
The SSH key login consists of the following steps:
Generate a public/private key pair on the client using ssh-keygen.
Manually copy the client’s public key to the remote server’s designated location.
The client initiates an SSH login request to the server.
The server sends random data to the client, asking the client to prove its identity.
The client signs the received data with its private key and returns the signature.
The server verifies the signature using the corresponding public key; if they match, the login is allowed.
3. ssh-keygen command: generate keys
Basic usage
OpenSSH provides the ssh-keygen utility to generate key pairs. The -t option selects the algorithm, such as dsa or rsa. Example:
$ ssh-keygen -t dsa
After running the command, ssh-keygen asks a series of questions:
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_dsa): press ENTER
Enter passphrase (empty for no passphrase): ********
Enter same passphrase again: ********
Your identification has been saved in /home/username/.ssh/id_dsa.
Your public key has been saved in /home/username/.ssh/id_dsa.pub.
The key fingerprint is:
14:ba:06:98:a8:98:ad:27:b5:ce:55:85:ec:64:37:19 [email protected]
The default private key file is ~/.ssh/id_dsa and the public key is ~/.ssh/id_dsa.pub. When using the rsa algorithm, the defaults are ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub respectively.
To generate a 4096‑bit RSA key with a comment, run:
$ ssh-keygen -t rsa -b 4096 -C "[email protected]"
The public key file is a single line of text, for example:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEAvpB4lUbAaEbh9u6HLig7amsfywD4fqSZq2ikACIUBn3GyRPfeF93l/weQh702ofXbDydZAKMcDvBJqRhUotQUwqV6HJxqoqPDlPGUUyo8RDIkLUIPRyqypZxmK9aCXokFiHoGCXfQ9imUP/w/jfqb9ByDtG97tUJF6nFMP5WzhM= [email protected]
It is advisable to set restrictive permissions on the key files after creation:
$ chmod 600 ~/.ssh/id_rsa
$ chmod 600 ~/.ssh/id_rsa.pub
4. Manually upload public key
The public key must be placed in the server’s ~/.ssh/authorized_keys file for the corresponding user. Each key occupies one line. If the file does not exist, create it manually.
You can append the key from the client with:
$ cat ~/.ssh/id_rsa.pub | ssh user@host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Replace user@host with the actual remote username and hostname. The authorized_keys file should have permissions 644 so that only the owner can write:
$ chmod 644 ~/.ssh/authorized_keys
Once the public key is on the server, subsequent logins will use key authentication without prompting for a password.
$ ssh -l tinywan www.tinywan.com
Enter passphrase for key '/home/tinywan/.ssh/id_dsa': ************
Last login: Mon Mar 24 02:17:27 2014 from ex.ample.com
www.tinywan.com>
5. ssh-copy-id command: automatic upload
OpenSSH includes the ssh-copy-id utility, which automatically copies the local public key to the remote server’s ~/.ssh/authorized_keys. If the file does not exist, the command creates it.
Typical usage:
$ ssh-copy-id -i key_file [email protected]
The -i option specifies the public key file; user is the remote account, and host is the server address. If the username is omitted, the current local username is used. The command logs in with password authentication to perform the copy.
Note: If the authorized_keys file already exists, ensure it ends with a newline character before running ssh-copy-id; otherwise the new key may be concatenated with the previous line and become invalid.
$ ssh-copy-id -i id_rsa user@host
In this case, ssh-copy-id automatically matches the public key file ~/.ssh/id_rsa.pub.
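The manual upload in section 4 and the newline caveat in section 5 can be combined into one server-side helper. This is an added example, not part of the original article: the function name add_authorized_key, the demo keys and the 700 directory mode are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): newline-safe, idempotent
# append of one public key to an authorized_keys file.
# Usage: add_authorized_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
add_authorized_key() {
    pub=$1
    auth=$2
    # A public key is a single line; take the first non-blank one.
    key=$(sed -n '/[^[:space:]]/{p;q;}' "$pub") || return 1
    case $key in
        '')               echo "empty key file: $pub" >&2; return 2 ;;
        *'PRIVATE KEY'*)  echo "refusing private key: $pub" >&2; return 2 ;;
    esac
    dir=$(dirname "$auth")
    # 700 on the directory is an assumption (the article only runs mkdir -p).
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -e "$auth" ] || : > "$auth"
    chmod 644 "$auth"          # mode stated in the article
    # Exact whole-line match: do nothing if the key is already installed.
    if grep -qxF -e "$key" "$auth"; then
        return 0
    fi
    # If the last byte is not a newline, add one so the new key does not
    # get concatenated onto the previous entry.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        printf '\n' >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Constructed demo: an existing file whose last line lacks a newline.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s' 'ssh-rsa AAAAconstructedOLD old@example' > "$tmp/authorized_keys"
    printf '%s\n' 'ssh-rsa AAAAconstructedNEW new@example' > "$tmp/id_rsa.pub"
    add_authorized_key "$tmp/id_rsa.pub" "$tmp/authorized_keys" || return 1
    cat "$tmp/authorized_keys"
    rm -rf "$tmp"
}
demo
```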
Open Source Tech Hub
