Use SSH keys to access a server

A server can be accessed over SSH, by default with a username and password. But if you have to give access to other people, it is best to give each of them access through an SSH key generated for that user.

These keys consist of two files: one contains the “public key” and the other the “private key”. The private key is yours and you must never give it to anyone; the public key is the one you install on the servers.

Generating the keys

Linux / Mac

If you’re on a Linux or Mac server, you can use the ssh-keygen tool. It will ask you where you want to save the files, and once it finishes both files will be available there.

When it finishes, it will print something similar to:

Your identification has been saved in /your_home/.ssh/id_rsa
Your public key has been saved in /your_home/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:/hk7MJ5n5a5fsaTVUZr+2Qt+qCiS7BIm5Iv0dxrc3ks user@host
The key's randomart image is:
+---[RSA 3072]----+
|                .|
|               + |
|              +  |
| .           o . |
|o       S   . o  |
| + o. .oo. ..  .o|
|o = oooooEo+ ...o|
|.. o *o+=.*+o....|
|    =+=ooB=o.... |
+----[SHA256]-----+

Windows

To generate a key in Windows it is best to use the PuTTYgen program.

We will click on Generate and move the mouse around the screen; at the end it will generate a series of codes. We will set a strong password and save both the “public key” and the “private key”. These two files must be kept safe.

Publishing the keys

First of all, if you are logging in as root, create a user with the permissions to manage everything, the old-fashioned way. For example, let’s create the wpsysadmin user.

adduser wpsysadmin

It will ask us for a password, which we will set, along with some other data.

We will now give this user “sudo” permissions to be able to access the entire system.

usermod -aG sudo wpsysadmin

We will now assign this user an SSH key, since we have the public key available. We will open it with a text editor or show it on the screen. The content will look like this:

ssh-rsa AAAAB3NzaC1yc2EAAA...Q== demo@test

We will log in to the server where we want to install the key and create, if it does not exist, the corresponding folder.

mkdir -p ~/.ssh

And we will run a command like this (shortened to make it readable):

echo 'ssh-rsa AAAAB3NzaC1yc2EAAA...Q== demo@test' >> ~/.ssh/authorized_keys

And we will set the corresponding permissions.

chmod -R go= ~/.ssh
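
The installation steps above can be wrapped so that they are safe to repeat and refuse the wrong file. This is an added example, not part of the original article: install_pubkey and SAMPLE_KEY are hypothetical names, the sample key is constructed, and the optional second argument (the target home directory) is an assumption so the function can be tried outside a real account.

```shell
#!/bin/sh
# Added example, not from the original article. install_pubkey and SAMPLE_KEY
# are hypothetical names; SAMPLE_KEY is a constructed value, not a usable key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTEDSAMPLEONLY== demo@test'

# install_pubkey KEY_LINE [HOME_DIR]
# Returns 0 when the key is installed (or already was), 1 when input is rejected.
install_pubkey() {
    key_line=$1
    ssh_dir=${2:-$HOME}/.ssh
    auth_file=$ssh_dir/authorized_keys
    nl='
'
    # Catch the classic mistake of pasting the private key file, or wrapped text.
    case $key_line in
        *"PRIVATE KEY"*) echo "rejected: private key material" >&2; return 1 ;;
        *"$nl"*) echo "rejected: key must be a single line" >&2; return 1 ;;
    esac

    # A public key line is "<type> <base64 blob> [comment]".
    key_type=${key_line%% *}
    rest=${key_line#* }
    blob=${rest%% *}
    case $key_type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "rejected: unknown key type" >&2; return 1 ;;
    esac
    # The blob starts with a 4-byte length whose top bytes are zero: "AAAA".
    case $blob in
        *[!A-Za-z0-9+/=]*) echo "rejected: blob is not base64" >&2; return 1 ;;
        AAAA*) ;;
        *) echo "rejected: blob is not an SSH public key" >&2; return 1 ;;
    esac

    # Create directory and file private from the start (no window with loose modes).
    ( umask 077; mkdir -p "$ssh_dir" && touch "$auth_file" ) || return 1
    # Append only if this type+blob is not already listed, so reruns are harmless.
    grep -qF -- "$key_type $blob" "$auth_file" ||
        printf '%s\n' "$key_line" >> "$auth_file"
    # Like "chmod -R go= ~/.ssh": leave nothing for group or others.
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file"
}
```

On the server it would be called from the account that should receive the key, passing the single line from the .pub file as the first argument.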

Disabling passwords

A last possible step is to disable traditional passwords and only access with SSH keys. To that end, we should do the following.

vim /etc/ssh/sshd_config

There we will have to modify the parameter PasswordAuthentication from “yes” to “no”.

PasswordAuthentication no

Once we do, we will restart the SSH service.

systemctl restart ssh

Accessing with SSH key

In most SSH access programs you will have the possibility to use a username and password, or a username and SSH key, which is what we will configure.

And, from this moment, when you access the server, you must access it with your private key and the password you configured when generating it.


About this document

This document is regulated by the EUPL v1.2 license, published in WP SysAdmin and created by Javier Casares. Please, if you use this content in your website, your presentation or any material you distribute, remember to mention this site or its author, and to put the material you create under the EUPL license.