SSH Public Key Authentication
Public key authentication (PKA) is a mechanism that provides
- improved security via two-factor authentication and
- better ease of use
when logging in with tools like ssh, scp and sftp. Security is improved because PKA requires you both to own the correct private key (first factor) and to know that private key's password (second factor). Usability is better because ssh-agent can be set up to hold the private keys used for PKA.
Creating a Public/Private Key Pair
To create a new (ed25519) key, type
ssh-keygen -t ed25519
During creation, you will be asked to enter a password for the key. Note that nothing is echoed to stdout while you type this password, not even asterisk characters, for security reasons. If successful, the output you see is similar to the following.
Enter file in which to save the key (/home/$USER/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/$USER/.ssh/id_ed25519
Your public key has been saved in /home/$USER/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:Od8mqEP/E/2NYkqtXsGfsCdUFNA8YBE7KB7HIoooEYI $USER@$HOST
The key's randomart image is:
+--[ED25519 256]--+
|+ *Bo. |
|E. . o o+ |
|. . + + o .. |
| o . . o * . o |
|o . . S .= |
|. . +.+.= . |
| . .. +.B.+o |
| .....=ooo .|
| .. o=+ . |
+----[SHA256]-----+
Once the keypair is created, you can start using it.
Installing a Public Key on a Server
To copy your public key to an ssh server, use the ssh-copy-id tool. For example, after having configured your connection to a host called sandbox, type
ssh-copy-id sandbox
You'll have to enter your user's password on the target server one last time. After this step, you will be able to log in to the server using PKA: as soon as you type
ssh sandbox
you'll have to enter your key's password instead of your user password. This improves overall security, but does not yet make logging in easier.
Using ssh-agent
The ssh-agent tool holds your private keys. You can store your ssh identities in this authentication agent to avoid having to type the key password upon every remote login. When using an X window session, where an agent is normally started for you, it is usually enough to issue
ssh-add
This will prompt for your private key's password. Afterwards, for as long as the agent is running, you'll be able to use that private key without entering any password: you can log in with ssh, or use scp and sshfs, as you desire. This works for all servers that have received your public key via ssh-copy-id as outlined above.
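Before installing a .pub line with ssh-copy-id, or when checking what landed in a server's authorized_keys, it helps to verify that the line is well formed and to compute the SHA256 fingerprint that ssh-keygen printed at creation so the two can be compared. The following is an added example, not code from the original page: it parses the OpenSSH public key line format (type, base64 blob of length-prefixed strings, optional comment) and derives the fingerprint the same way ssh-keygen does. The 32 key bytes used as the sample are constructed, not a real key.

```python
import base64
import hashlib
import struct


def _ssh_strings(blob: bytes) -> list:
    """Split an SSH key blob into its uint32-length-prefixed strings."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("truncated string")
        out.append(blob[pos:pos + n])
        pos += n
    return out


def parse_pubkey_line(line: str):
    """Parse one id_*.pub / authorized_keys line into (type, key bytes, comment);
    raise ValueError if the blob is malformed or its type differs from the declared one."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    declared, blob = fields[0], base64.b64decode(fields[1], validate=True)
    comment = fields[2].strip() if len(fields) == 3 else ""
    parts = _ssh_strings(blob)
    if len(parts) < 2 or parts[0] != declared.encode():
        raise ValueError("declared key type does not match blob")
    if declared == "ssh-ed25519" and len(parts[1]) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return declared, parts[1], comment


def sha256_fingerprint(line: str) -> str:
    """Same form ssh-keygen prints: base64 of SHA-256 over the blob, '=' stripped."""
    blob = base64.b64decode(line.split(None, 2)[1], validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def make_ed25519_line(pub: bytes, comment: str) -> str:
    """Build a .pub line from raw key bytes; used here only for the constructed sample."""
    s = lambda b: struct.pack(">I", len(b)) + b
    return f"ssh-ed25519 {base64.b64encode(s(b'ssh-ed25519') + s(pub)).decode()} {comment}"


# Constructed sample: 32 arbitrary bytes stand in for a real ed25519 public key.
SAMPLE_LINE = make_ed25519_line(bytes(range(32)), "user@host")
```

Note that the comment field does not enter the fingerprint, so editing it in authorized_keys does not change the value ssh-keygen -lf reports.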