ENG | Generating SSH keys for Enhanced Linux and Git Authentication
This concise tutorial illustrates the use of key-based authentication to access a Linux computer or Git repository using SSH keys.
Introduction
SSH with key-based authentication is highly secure and can be more secure than password-based authentication. This is because the private key that forms the basis of the SSH key pair is typically stored securely on the client system and is not easily guessed or broken by brute force.
Generate key pair
- Generate a key pair. Consider using a passphrase to secure your private keys.
- Append the newly generated public key to the ~/.ssh/authorized_keys file.
- Verify its functionality, at least locally.
IMPORTANT! Fedora 38 (and likely other modern distributions) does not accept RSA keys, which are created by default. Use either ecdsa, or preferably ed25519.
[pavel@marten -=- /home/pavel/.ssh]$ ssh-keygen -t ecdsa
Generating public/private ecdsa key pair.
Enter file in which to save the key (/home/pavel/.ssh/id_ecdsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/pavel/.ssh/id_ecdsa
Your public key has been saved in /home/pavel/.ssh/id_ecdsa.pub
The key fingerprint is:
SHA256:WgusdU9lhLHLn8mpIgCSV2onsWoHXN56fUSzxTXZenE pavel@marten
The key's randomart image is:
+---[ECDSA 256]---+
| ooooo |
| ... o.= ..oE|
|..o=. . = o . o|
|ooB..o + + . . |
| =.+. = S + . |
|.. o.+ * = o + |
|. . o.. o . * |
| . . . |
| . .. |
+----[SHA256]-----+
[pavel@marten -=- /home/pavel/.ssh]$ cat id_ecdsa.pub >> authorized_keys
[pavel@marten -=- /home/pavel/.ssh]$ ssh -i id_ecdsa [email protected]
Last login: Sat May 1 13:12:45 2023 from 85.160.49.106
[pavel@marten -=- /home/pavel]$
Public key (id_*.pub) is associated with the target server (e.g. Linux PC, GitHub, etc.).
Private key (id_*) is personal to you, and it’s wise to protect it with a passphrase. Keep it away from unauthorized access ‼️
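The append step above, plus a check for the key types the note warns about, as shell functions. This is an added example, not code from the original tutorial; the function names and the 700/600 modes are this example's own choices.

```sh
#!/bin/sh
# Added example, not from the original page. Function names are this
# example's own; callers pass the .pub file and the target .ssh directory.

# key_type LINE: print the key algorithm on a .pub/authorized_keys line.
# A line may start with options (no-pty, from="..."), so scan every field.
key_type() (
    set -f                      # keep from="*.example" from globbing
    for f in $1; do
        case "$f" in
            ssh-ed25519|ecdsa-sha2-*|ssh-rsa|ssh-dss) echo "$f"; return 0 ;;
        esac
    done
    return 1
)

# install_pubkey PUBFILE SSH_DIR: append the key once, with strict modes.
install_pubkey() {
    line=$(head -n 1 "$1") || return 1
    kt=$(key_type "$line") || return 1
    case "$kt" in
        ssh-ed25519|ecdsa-sha2-*) ;;    # the types the tutorial recommends
        *) echo "refusing $kt key" >&2; return 2 ;;
    esac
    blob=$(printf '%s\n' "$line" |
        awk -v t="$kt" '{ for (i = 1; i < NF; i++) if ($i == t) { print $(i + 1); exit } }')
    [ -n "$blob" ] || return 1
    mkdir -p "$2" && chmod 700 "$2" || return 1
    touch "$2/authorized_keys" && chmod 600 "$2/authorized_keys" || return 1
    # Compare the base64 blob, so the same key with a new comment is not re-added.
    grep -qF -- "$blob" "$2/authorized_keys" ||
        printf '%s\n' "$line" >> "$2/authorized_keys"
}

# audit_keys FILE: print "LINENO TYPE" for each key that is not ed25519/ecdsa.
audit_keys() {
    n=0
    while IFS= read -r l || [ -n "$l" ]; do
        n=$((n + 1))
        case "$l" in ''|'#'*) continue ;; esac
        t=$(key_type "$l") || continue
        case "$t" in
            ssh-ed25519|ecdsa-sha2-*) ;;
            *) echo "$n $t" ;;
        esac
    done < "$1"
}
```

After generating a key with ssh-keygen -t ed25519, call install_pubkey ~/.ssh/id_ed25519.pub ~/.ssh, then audit_keys ~/.ssh/authorized_keys to list any remaining RSA or DSA entries.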
SSH on Windows
- Enable the OpenSSH Authentication Agent service and set it to start automatically. You can do this by searching for Services in the start menu, scrolling to “OpenSSH …”, right-clicking for properties, and adjusting the settings accordingly (Startup: Automatic -> Apply -> Start).
- Copy the key from the remote server to c:\Users\<your-username>\.ssh\, e.g. scp <your-username>@<hostname>.xyz:~/.ssh/id_ecdsa $env:USERPROFILE\.ssh\id_ecdsa
- Add the key to the Authentication Agent using the command ssh-add $env:USERPROFILE\.ssh\id_ecdsa
- Log in to the remote server: ssh <your-username>@<hostname>.xyz
WinSCP
- In the WinSCP login dialog, navigate through the following menus: Session -> Edit -> Advanced -> SSH -> Authentication -> Private key file.
- Select your key (c:\Users\<your-username>\.ssh\id_ecdsa), let WinSCP convert it to PuTTY’s PPK format, and save it.
- The key (c:\Users\<your-username>\.ssh\id_ecdsa.ppk) should now be selected.