Howto Set Up SSH Keys


SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. It allows user to access to the server with authorized_keys instead of using password. While a password can eventually be cracked with a brute force attack, SSH keys are nearly impossible to decipher by brute force alone. Generating a key pair provides you with two long string of characters: a public and a private key. You can place the public key on any server, and then unlock it by connecting to it with a client that already has the private key. When the two match up, the system unlocks without the need for a password. You can increase security even more by protecting the private key with a passphrase.

Step 1: Creating Your Personal Key
Open a terminal/shell and run the following command:

ssh-keygen -t rsa

You will be asked where you would like to save the key. The default setting is normally acceptable (just press enter to accept the default), but if you are setting up a key as a root user you may want to store your key in a different location.

Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):

You will be prompted to enter a passphrase. If you choose to use a passphrase you will need to type it in every time you use the key to connect to a server (spaces are ok to use, so your passphrase can be an entire sentence if it makes it easier for you to use it). You can choose not to use a passphrase but this is generally considered less secure.

The entire key generation process looks like this:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/demo/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/demo/.ssh/id_rsa.
Your public key has been saved in /home/demo/.ssh/
The key fingerprint is:
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 root@node2
The key's randomart image is:

Note: You can change your passphrase at any time using the command:

sshkeygen -p

Step 2: Copying Your Personal Key To The Server
Before we copy your new public key to your server we will add it to the local authorized_keys file.

cd ~/.ssh
cp authorized_keys

If the authorized_keys file already exists on your local machine you will need to open the file with your favorite text editor and add the key by hand.

Now we will copy your public key to the server. In a typical server every user on the server has their own .ssh directory and their own authorized_keys file. Assuming that your user accounts are located in /home you will need to determine what user you want to login as before you copy your public key. The root user is slightly different. In most servers the root user’s ssh files are stored in /root/.ssh/.

cd ~/.ssh
scp authorized_keys

OR you can copy the public key into the new machine’s authorized_keys file with the ssh-copy-id command. Make sure to replace the example username and IP address below.

ssh-copy-id user@

Alternatively, you can paste in the keys using SSH:

cat ~/.ssh/ | ssh user@ "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

NOTE: Just like with your local copy, if the authorized_keys file already exists on the server you will need to add the new key to the file by hand. Remember to backup the authorized_keys in your server first before you copy it using ssh. It will replace the authorized_keys on your server. I advise you to manually edit the authorized_keys on your server instead of copy using ssh.

Step 3: Logging In With Your New Key
Now that your new key has been copied to the server you can start using it for SSH logins. If your user name is the same on your local machine and on your server, you can connect simply with:


If your local user name and server user name are different, you can specify the user to login as using the command:



This entry was posted in Linux and tagged , , . Bookmark the permalink.