At Remoteler, we advocate SSH certificates over SSH keys and passwords as the best authentication method for SSH. Nothing beats the security and operational flexibility of certificate-based authentication for a large fleet of SSH servers running on dynamic infrastructure. But in practice, certificate-based authentication is far from the de facto authentication method, and sometimes we may need to use SSH keys. For example, in my daily workflow, I use SSH keys when accessing DigitalOcean servers or checking out repositories in my personal GitHub account, because SSH keys are the default available method (alongside passwords). So it helps to learn the best way to generate and use SSH keys.
This post is targeted toward individuals who need to generate and manage SSH keys and keep them secure for day-to-day tasks. If you are looking for a way to add SSH key-based authentication in your organization, stop! Certificates provide greater flexibility and security than keys, and open-source Remoteler makes it super easy and secure to implement them. Give it a try.
Now, let’s get to the topic!
The SSH key generation process is handled by the OpenSSH helper program ssh-keygen. The types of keys supported by OpenSSH are:
dsa: Key generated with the Discrete Logarithm Problem & Modular Exponentiation algorithm.
ecdsa: Key generated with the Elliptic Curve Discrete Logarithm Problem algorithm.
ecdsa-sk: Same as ecdsa, but with an option to store the keys in FIDO/U2F devices.
ed25519: Key generated with the Edwards-curve Digital Signature Algorithm.
ed25519-sk: Same as ed25519, but with an option to store the keys in FIDO/U2F devices.
rsa: Key generated with the Rivest–Shamir–Adleman algorithm.
So what is the recommended SSH key generation algorithm? The two most popular options for key generation are rsa and ed25519. The ed25519 algorithm offers cryptographically stronger keys, while rsa is the most widely supported algorithm. If you are generating a key for modern SSH servers, go with ed25519.
To generate an SSH key of type ed25519, we invoke the ssh-keygen command with the -t flag as follows:
The default key size is 256 bits. To request a larger key size, you can use the -b flag as follows:
By default, SSH keys are placed in the ~/.ssh/ directory, but this is optional and you can place them anywhere you want.
The following is an example of the full steps of the key generation process using type ed25519:
You will receive a public key and a private key. You will only need to upload the public key to the servers you need to access. The private key must be kept securely on your machine.
In SSH, key-based authentication is based on asymmetric cryptography, and the authenticity of the user is based on signature validation. First, the server needs to trust the public key. This is done by copying the public key to the server’s ~/.ssh/authorized_keys file. Then, for authentication, the user’s SSH client signs a random message with the private key, which the server verifies using the public key.
To copy the user’s public key to the server, OpenSSH has a built-in helper, ssh-copy-id. Using the ssh-copy-id command, we can easily add the public key to the remote server, automatically copying the key into the ~/.ssh/authorized_keys file.
The terminal output text should be:
For services like GitHub, we need to paste the content of the public key on their website. For this, we can use pbcopy, xclip, or a text editor.
When you have multiple keys and different usernames for different SSH servers, it can be tedious to enter long SSH commands. The SSH config file ~/.ssh/config helps to customize and, in some instances, automate the SSH access process. For example, we can predefine a host so that the following SSH command:
can be shortened to:
To achieve this, we update the config file (~/.ssh/config) with the following option:
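The config entry below is an added example, not the one from the original post. It assumes a hypothetical server at the documentation address 203.0.113.10 listening on port 2222, a login user named deploy, and a dedicated key at ~/.ssh/id_ed25519_do; with it in place, ssh -i ~/.ssh/id_ed25519_do -p 2222 deploy@203.0.113.10 shortens to ssh droplet:

```sshconfig
# ~/.ssh/config (added example; host address, user, port and key path are assumptions)
Host droplet
    HostName 203.0.113.10
    User deploy
    Port 2222
    IdentityFile ~/.ssh/id_ed25519_do
    # Offer only this key to this host instead of every key the agent holds.
    IdentitiesOnly yes
```

IdentitiesOnly matters once you carry several keys: without it, the client tries each loaded key in turn, which exposes every public key to the server and can exhaust its authentication attempt limit before the right key is offered.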
This is just one example, but you can configure many other options such as the specific encryption algorithms for a given host, configuration of the SSH agent, use of ProxyJump, custom port definition, etc. Basically, every feature supported by the OpenSSH client can be preconfigured using a config file. Read our prior blog on using ssh client config files for more details.
For security reasons, you should always protect your private keys with a passphrase. This is supported by ssh-keygen, which asks you for a passphrase during the key generation process. Some users may find the requirement to enter a passphrase annoying. In other situations, a third-party program might need to access the keys for automation purposes, and a passphrase can be a blocker. To reduce the pain in these scenarios, OpenSSH offers ssh-agent, a helper program that automates the key management process and relieves you from entering the passphrase every time you access a server over SSH.
To add the private key to the SSH agent, first ensure that the ssh-agent program is running. You can start the program with the following command:
Then, to add the private key, we use the ssh-add helper program with the following command:
SSH agents have their fair share of security risks, and I recommend reading our dedicated blog on how to use SSH agent securely.
In this post, I have listed a few of the most common tasks related to SSH key management that help with day-to-day SSH access. Although it will help you get started using SSH key-based access, SSH supports numerous configuration options for keys that we did not discuss. I recommend you read the following man pages related to SSH key management:
ssh-keygen: https://linux.die.net/man/1/ssh-keygen
ssh-agent: https://linux.die.net/man/1/ssh-agent
ssh-add: https://man7.org/linux/man-pages/man1/ssh-add.1.html
ssh_config: https://linux.die.net/man/5/ssh_config
As mentioned earlier, certificate-based authentication provides security and operational flexibility for a large fleet of SSH servers running in a dynamic environment. Learn more about how Remoteler helps implement SSH certificate-based authentication for your SSH infrastructure.
P.S. Remoteler is free and open-source and perfectly integrates with existing OpenSSH servers.