Quick Links

Take cybersecurity seriously and use SSH keys to access remote logins. They're a more secure way to connect than passwords. We show you how to generate, install, and use SSH keys in Linux.

What's Wrong With Passwords?

Secure shell (SSH) is the encrypted protocol used to log in to user accounts on remote Linux or Unix-like computers. Typically such user accounts are secured using passwords. When you log in to a remote computer, you must provide the user name and password for the account you are logging in to.

Passwords are the most common means of securing access to computing resources. Despite this, password-based security does have its flaws. People choose weak passwords, share passwords, use the same password on multiple systems, and so on.

SSH keys are much more secure, and once they're set up, they're just as easy to use as passwords.

What Makes SSH Keys Secure?

SSH keys are created and used in pairs. The two keys are linked and cryptographically secure. One is your public key, and the other is your private key. They are tied to your user account. If multiple users on a single computer use SSH keys, they will each receive their own pair of keys.

Your private key is installed in your home folder (usually), and the public key is installed on the remote computer---or computers---that you will need to access.

Your private key must be kept safe. If it is accessible to others, you are in the same position as if they had discovered your password. A sensible---and highly recommended---precaution is for your private key to be encrypted on your computer with a robust passphrase.

The public key can be shared freely without any compromise to your security. It is not possible to determine what the private key is from an examination of the public key. The private key can encrypt messages that only the private key can decrypt.

When you make a connection request, the remote computer uses its copy of your public key to create an encrypted message. The message contains a session ID and other metadata. Only the computer in possession of the private key---your computer---can decrypt this message.

Your computer accesses your private key and decrypts the message. It then sends its own encrypted message back to the remote computer. Amongst other things, this encrypted message contains the session ID that was received from the remote computer.

The remote computer now knows that you must be who you say you are because only your private key could extract the session Id from the message it sent to your computer.

Make Sure You Can Access The Remote Computer

Make sure you can remotely connect to, and log into, the remote computer. This proves that your user name and password have a valid account set up on the remote computer and that your credentials are correct.

Don't try to do anything with SSH keys until you have verified you can use SSH with passwords to connect to the target computer.

In this example, a person with a user account called dave is logged in to a computer called

        howtogeek
    

. They are going to connect to another computer called Sulaco.

They enter the following command:

ssh dave@sulaco

ssh dave@sulaco in a terminal window

They are asked for their password, they enter it, and they are connected to Sulaco. Their command line prompt changes to confirm this.

user dave connected to sulaco using ssh and a password

That's all the confirmation we need. So user dave can disconnect from Sulaco with the exit command:

exit

user dave disconnected from sulaco

They receive the disconnect message and their command line prompt returns to dave@howtogeek.

Related: How to Connect to an SSH Server from Windows, macOS, or Linux

Creating a Pair of SSH Keys

These instructions were tested on Ubuntu, Fedora, and Manjaro distributions of Linux. In all cases the process was identical, and there was no need to install any new software on any of the test machines.

To generate your SSH keys, type the following command:

ssh-keygen

ssh-keygen in a terminal window

The generation process starts. You will be asked where you wish your SSH keys to be stored. Press the Enter key to accept the default location. The permissions on the folder will secure it for your use only.

Confirmation of ssh key storage location in a terminal window

You will now be asked for a passphrase. We strongly advise you to enter a passphrase here. And remember what it is! You can press Enter to have no passphrase, but this is not a good idea. A passphrase made up of three or four unconnected words, strung together will make a very robust passphrase.

Prompt for passphrase in a terminal window

You will be asked to enter the same passphrase once more to verify that you have typed what you thought you had typed.

The SSH keys are generated and stored for you.

Keys generation completed and random art displayed in a terminal window

You can ignore the "randomart" that is displayed. Some remote computers might show you their random art each time you connect. The idea is that you will recognize if the random art changes, and be suspicious of the connection because it means the SSH keys for that server have been altered.

Installing the Public Key

We need to install your public key on Sulaco , the remote computer, so that it knows that the public key belongs to you.

We do this using the ssh-copy-id command. This command makes a connection to the remote computer like the regular ssh command, but instead of allowing you to log in, it transfers the public SSH key.

ssh-copy-id dave@sulaco

ssh-copy-id dave@sulaco in a terminal window

Although you are not logging in to the remote computer, you must still authenticate using a password. The remote computer must identify which user account the new SSH key belongs to.

Note that the password you must provide here is the password for the user account you are logging into. This is not the passphrase you have just created.

ssh-copy-id with password prompt ina terminal window

When the password has been verified, ssh-copy-id transfers your public key to the remote computer.

You are returned to the command prompt of your computer. You are not left connected to the remote computer.

ssh dave@sulaco in a terminal window

Connecting Using SSH Keys

Let's follow the suggestion and try to connect to the remote computer.

ssh dave@sulaco

ssh dave@sulaco in a terminal window

Because the process of connection will require access to your private key, and because you safeguarded your SSH keys behind a passphrase, you'll need to provide your passphrase so that the connection can proceed.

ssh dave@sulaco in a terminal window

Enter your passphrase and click on the Unlock button.

Once you've entered your passphrase in a terminal session, you will not have to enter it again for as long as you have that terminal window open. You can connect and disconnect from as many remote sessions as you like, without entering your passphrase again.

You could tick the checkbox for the "Automatically unlock this key whenever I'm logged in" option, but it will reduce your security. If you leave your computer unattended, anyone can make connections to the remote computers that have your public key.

Once you enter your passphrase, you are connected to the remote computer.

ssh dave@sulaco in a terminal window

To verify the process once more end to end, disconnect with the exit command and reconnect to the remote computer from the same terminal window.

ssh dave@sulaco

ssh dave@sulaco in a terminal window

You will be connected to the remote computer without the need for a password or passphrase.

No Passwords, But Enhanced Security

Cybersecurity experts talk about a thing called security friction. That's the minor pain that you need to put up with to get the gain of additional security. There's usually some extra step or two required to adopt a more secure method of working. And most people don't like it. They actually prefer lower security and the lack of friction. That's human nature.

With SSH keys, you get increased security and an increase in convenience. That's a definite win-win.