1. Home
  2. Setting up SSH Keys

Setting up SSH Keys

Setting up SSH Keys
Setting up SSH Keys

SSH Keys and their role

SSH keys allow a more secure path of logging into a VPS (Virtual Private Server) with SSH as opposed to using a password alone.
However, a password can eventually be easily cracked with a brute force attack, SSH keys are close to impossible to decipher with brute force alone.
When you generate a key pair, it will provide you with two long strings of characters: one will be a public key and one a private key.
You may place your public key on any server that will unlock it by connecting to it using a client which already has the private key.
Whenever the two match up, your system unlocks without the requirement for a password.
Improve your security even more by protecting the private key using a passphrase.

1. Creating the RSA Key Pair

The first thing you want to do is to create the key pair on the client machine; this will most likely be on your computer.

ssh-keygen -t rsa

2. Storing your keys and Passphrase

After you have typed the Gen Key command, you should be presented with a couple of questions afterwards.
Enter file in which to save the key; ‘/home/demo/.ssh/id_rsa’.
What you need to do here is press enter in order to save the file to the user home.
Enter passphrase or leave it empty for no passphrase.
It is completely your choice if you would like to use a passphrase.
Using a passhrase will have its benefits such as the security of a key. It will not matter how it is encrypted, it will still depend on the fact that it will not be visible to anyone else.
If a passphrase-protected private key ever falls into an unauthorized users hands, then it will not let them login to its associated accounts until they find out the passphrase, giving the hacked user some extra time to fix the problem.
The only negative to having a passphrase is being required to type it in each time you use the Key pair.
Below is an example of how the entire key generation process looks.

ssh-keygen -t rsa

Enter file in which to save the key; ‘/home/demo/.ssh/id_rsa’.
Enter passphrase or leave it empty for no passphrase.
Enter the same passphrase again.
Your identification has been saved in ‘/home/demo/.ssh/id_rsa’.
Your public key has been saved in ‘/home/demo/.ssh/id_rsa.pub’.
The key fingerprint is as shown here.

Generating public/private rsa key pair.
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 demo@a
The key's randomart image is:
+--[ RSA 2048]----+
| .oo.            |
| . o.E           |
| + . o           |
|   . = = .       |
| = S = .         |
| o + = +         |
| . o + o .       |
|     . o         |
|                 |

The public key is now located in ‘/home/demo/.ssh/id_rsa.pub‘ whereas the private key (identification) is now located in ‘/home/demo/.ssh/id_rsa’.

3. Copying the Public Key

After the key pair is generated, you will want to place the public key on the vps that you want to use.
You should copy the public key into the new machine’s ‘authorized_keys’ file with the ‘ssh-copy-id’ command.
Be sure to switch the example username and IP address below.

ssh-copy-id username@

You can also paste in the keys with SSH.

cat ~/.ssh/id_rsa.pub | ssh username@ "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

With any of the commands you choose to use, you should see something like the below.

The authenticity of host ' (' can't be established.
RSA key fingerprint is b1:2d:33:67:ce:35:4d:5f:f3:a8:cd:c0:c4:48:86:12.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '' (RSA) to the list of known hosts.
username@'s password:

Now try logging into the machine, with “ssh ‘username@′” and check in.


Make sure you have not added extra keys that you were not expecting.
You can now move on and login to the ‘username@′ and you should not be prompted for a password.
In case you have a passphrase set, you will be asked to enter the passphrase at that time and in whatever other time you login in the future.

Optional 4. Disabling the Password for Root Login

After you have copied your SSH keys onto your server and made sure that you can login with the SSH keys alone, you can and restrict the root login to only be allowed via SSH keys.
To do this, you will need to open up the SSH config file.

sudo nano /etc/ssh/sshd_config

Inside that file, you will need to find the line which includes ‘PermitRootLogin’ and edit it to make sure that users can only connect using their SSH key.

PermitRootLogin without-password

Put these changes into effect.

reload ssh


Everything should be in place now and working.

Updated on October 3, 2017

Was this article helpful?

Leave a Comment

[apsl-login-lite login_text='Please login with a social account']