Using key pairs with SSH

The Secure Shell (SSH) protocol provides a means one can use for secure, encrypted connections between systems for logins or file transfers. One can use a username and password to login from an SSH client to an SSH server or one can use a public and private key combination where a public key for a user's account is stored on a remote SSH server while a corresponding private key is stored on the system from which the user will initiate the SSH or SFTP connection. On Linux systems, private keys are normally stored in the .ssh directory beneath the home directory for your account. If you haven't created any keys yet, the directory may only contain a known_hosts file that contains public keys for servers you've previously logged into via SSH.

$ ls .ssh

That directory should have file permissions that only grant access to the user.

$ ls -ld .ssh
drwx------. 2 abe abe 54 Jan 23 12:54 .ssh

You can change the permissions with chmod 700 ~/.ssh, if needed.

Use the ssh-keygen utility to generate an RSA key pair for version 2 of the SSH protocol.

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/abe/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/abe/.ssh/id_rsa.
Your public key has been saved in /home/abe/.ssh/
The key fingerprint is:
The key's randomart image is:
+--[ RSA 2048]----+
|     .+=*..      |
|     .==E*. o    |
|     .o*.+o=     |
|      o ..=      |
|        S. .     |
|          .      |
|                 |
|                 |
|                 |

After you generate the key pair, you will see two other files in the ~/.ssh directory.

$ ls -l .ssh
total 12
-rw-------. 1 abe abe 1766 Jan 23 12:54 id_rsa
-rw-r--r--. 1 abe abe  408 Jan 23 12:54
-rw-r--r--. 1 abe abe 2370 Apr 30  2017 known_hosts

The id_rsa file, which should be accessible only by the user, contains the private key while the file contains the public key, which can be placed on other servers that you wish to access via SSH. The contents of that public key file have to be placed in the ~/.ssh/authorized_keys file on the remote SSH server under the account you wish to log into on that server. If that file already exists, append the key in at the end of the file. If you need to create that file, it should only have read and write access by the user's account and should not be accessible by others. You can change the permission, if needed, using chmod 600 ~/.ssh/authorized_keys. Alternatively, you can use the ssh-copy-id utility to copy the new public key to the authorized_keys file on the remote server. E.g., ssh-copy-id username@remote_address where username is the user account on the remote system that you wish to log into - it doesn't necessarily have to be the same user name as the one you are using on the local system - and remote_address is the fully qualified domain name (FQDN) or IP address of the remote SSH server. When you issue the command, it is normal to see the message "The authenticity of host" can't be established if you haven't previously connected to it. If you haven't previously connected to it and type "yes", the public key of the remote SSH server will be added to the end of the ~/.ssh/known_hosts file. You will be prompted to provide the password to log into the remote system, since you won't have your new public key in that server's authorized_keys file yet.

Introduction to Encryption - Terminology and Technology
Introduction to Encryption
Terminology and Technology
1x1 px

$ ssh-copy-id
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is 9e:8f:52:0e:d6:87:da:7d:e6:21:e2:e8:f5:ca:d4:c1.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter 
out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompt
ed now it is to install the new keys's password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh ''"
and check to make sure that only the key(s) you wanted were added.


If you then try logging into the remote SSH server via SSH, if you set a passphrase for the private key file, you will see a prompt such as "Enter password to unlock the private key", but you won't see a password prompt for the remote SSH server.

If you ever want to remove the passphrase protection from the private key file, you can do so with ssh-keygen -p. You will be prompted to provide the current passphrase and a new passphrase. To have no passphrase protection, just hit enter when prompted to enter the new passphrase.

VPNs for Beginners
VPNs for Beginners

$ ssh-keygen -p
Enter file in which the key is (/home/abe/.ssh/id_rsa): 
Enter old passphrase: 
Key has comment '/home/abe/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved with the new passphrase.

If you don't have passphrase protection, you will automatically get the shell prompt on the remote system if you are logging in via SSH.

$ ssh
Last login: Tue Jan 23 18:42:08 2018 from

Or a file or files will automatically be transferred without a password prompt if you are using sftp to transfer files from the remote to the local system.

$ sftp
Connected to
Fetching /home/abe/temp/lvm.txt to lvm.txt
/home/abe/temp/lvm.txt                        100%  469     0.5KB/s   00:00