Lesson 8.2: SSH Keys & Authentication

SSH keys are your digital identity. They're more secure than passwords, more convenient, and absolutely essential for professional work. Let's learn how to create and use them.

Think of it like this: SSH keys are like a special badge that proves who you are. The badge (public key) can be shared with servers, while your master key (private key) stays safely with you. No passwords needed!

Why Use SSH Keys?

SSH keys are better than passwords in every way:

More Secure: Much harder to crack than passwords
No Typing: Log in without entering passwords
Automation: Perfect for scripts and automated tasks
Professional: Standard practice in industry
Multiple Servers: One key works everywhere you add it

Security Fact: A 2048-bit SSH key would take trillions of years to crack with current technology. Your 8-character password? Minutes to hours.

How SSH Keys Work

SSH keys use public key cryptography. Here's the simple explanation:

Generate a Key Pair: You create two mathematically linked keys
Keep Private Key Secret: This stays on your computer, never share it!
Share Public Key: This goes on servers you want to access
Authentication: Server uses your public key to verify you have the private key

Analogy: Think of it like a lock and key. Your public key is the lock (can be copied to many doors), your private key is the only key that opens those locks. You never give away your key - you just install your locks on doors you want to open.

Generating Your First SSH Key

Let's create a new SSH key pair using the modern, secure Ed25519 algorithm:

# Generate a new SSH key pair
ssh-keygen -t ed25519 -C "valente@example.com"

Let's break down the options:

-t ed25519 - Use Ed25519 algorithm (modern, secure, fast)
-C "..." - Add a comment (usually your email) to identify the key

The Generation Process

You'll see prompts like this:

Generating public/private ed25519 key pair. Enter file in which to save the key (/home/valente/.ssh/id_ed25519):

Step 1: Press Enter to use the default location, or specify a custom path:

# Default (recommended for first key)
[Press Enter]

# Or custom path
/home/valente/.ssh/work_key

Enter passphrase (empty for no passphrase):

Step 2: Enter a strong passphrase (recommended) or leave empty:

With passphrase: Extra security - needed to use the key
Without passphrase: Convenient but less secure if laptop stolen

Best Practice: Use a passphrase! It adds an extra layer of security. You can use ssh-agent (covered later) to avoid typing it repeatedly.

Your identification has been saved in /home/valente/.ssh/id_ed25519 Your public key has been saved in /home/valente/.ssh/id_ed25519.pub The key fingerprint is: SHA256:abc123def456... valente@example.com The key's randomart image is: +--[ED25519 256]--+ | .o. | | . o | | . . . | | . . o | | . + o S | +----[SHA256]-----+

Success! You now have:

~/.ssh/id_ed25519 - Your private key (NEVER share!)
~/.ssh/id_ed25519.pub - Your public key (safe to share)

Alternative: RSA Keys

If connecting to older systems that don't support Ed25519, use RSA:

# Generate RSA key (use at least 2048 bits, 4096 is better)
ssh-keygen -t rsa -b 4096 -C "valente@example.com"

Viewing Your Keys

Check what keys you have:

# List all SSH keys
ls -la ~/.ssh/

# View your public key
cat ~/.ssh/id_ed25519.pub

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILong...RandomString...Here valente@example.com

This long string is what you'll copy to servers!

Copying Your Key to a Server

The easiest way to add your key to a server is using ssh-copy-id:

# Copy your public key to a server
ssh-copy-id valente@192.168.1.100

# Use specific key file
ssh-copy-id -i ~/.ssh/work_key.pub valente@myserver.com

You'll be asked for your password one last time:

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s) valente@192.168.1.100's password: Number of key(s) added: 1 Now try logging into the machine with: "ssh 'valente@192.168.1.100'" and check to make sure that only the key(s) you wanted were added.

That's it! Now try connecting:

ssh valente@192.168.1.100

No password prompt! You're authenticated with your key.

Manual Method: Adding Keys

If ssh-copy-id isn't available, add your key manually:

# 1. Display your public key
cat ~/.ssh/id_ed25519.pub

# 2. Copy the entire output (starts with ssh-ed25519 or ssh-rsa)

# 3. Connect to the server
ssh valente@myserver.com

# 4. Create .ssh directory if needed
mkdir -p ~/.ssh
chmod 700 ~/.ssh

# 5. Add your public key to authorized_keys
nano ~/.ssh/authorized_keys
# Paste your public key on a new line

# 6. Set correct permissions
chmod 600 ~/.ssh/authorized_keys

# 7. Exit and test
exit
ssh valente@myserver.com

Permissions Matter! SSH is strict about file permissions for security. The .ssh directory must be 700, and authorized_keys must be 600. Wrong permissions = authentication fails!

Using SSH Agent

If you used a passphrase, you'll need to type it each time you use your key. SSH agent solves this:

# Start SSH agent
eval "$(ssh-agent -s)"

# Add your key to the agent
ssh-add ~/.ssh/id_ed25519

# Enter passphrase when prompted
# Now you won't need to type it again this session!

Agent pid 12345 Identity added: /home/valente/.ssh/id_ed25519 (valente@example.com)

List keys currently in the agent:

# See loaded keys
ssh-add -l

Auto-starting SSH Agent

To automatically start ssh-agent on login, add to your ~/.bashrc:

# Add to ~/.bashrc
if [ -z "$SSH_AUTH_SOCK" ]; then
   eval "$(ssh-agent -s)"
   ssh-add ~/.ssh/id_ed25519
fi

Managing Multiple Keys

You might have different keys for different purposes (work, personal, different servers):

# Generate keys for different purposes
ssh-keygen -t ed25519 -f ~/.ssh/work_key -C "work@company.com"
ssh-keygen -t ed25519 -f ~/.ssh/personal_key -C "personal@email.com"

# List your keys
ls ~/.ssh/

Configure which key to use for which host in ~/.ssh/config:

# ~/.ssh/config
Host workserver
    HostName work.example.com
    User valente
    IdentityFile ~/.ssh/work_key

Host personal
    HostName home.example.com
    User valente
    IdentityFile ~/.ssh/personal_key

Now SSH automatically uses the right key:

ssh workserver    # Uses work_key
ssh personal      # Uses personal_key

Key Security Best Practices

✅ Do:

Use strong passphrases on private keys
Keep private keys on your computer only
Use Ed25519 for new keys (modern and secure)
Set correct file permissions (700 for .ssh/, 600 for keys)
Use ssh-agent to avoid typing passphrase repeatedly
Create different keys for different purposes
Regularly rotate keys (generate new ones)

❌ Don't:

Never share your private key with anyone
Don't store private keys in cloud storage
Don't email private keys
Don't use the same key everywhere
Don't leave private keys on shared computers
Don't ignore file permission warnings

If Your Key is Compromised: If you think your private key was stolen or exposed, immediately remove the corresponding public key from all servers' authorized_keys files and generate a new keypair.

Removing SSH Keys from Servers

To revoke access, remove your public key from the server:

# Connect to the server
ssh valente@myserver.com

# Edit authorized_keys
nano ~/.ssh/authorized_keys

# Delete the line with your public key
# Save and exit

# Or remove all keys at once
rm ~/.ssh/authorized_keys

Troubleshooting SSH Keys

Still Asking for Password

If SSH still asks for a password after adding your key:

# Check permissions on client
ls -la ~/.ssh/
# Should be: drwx------ (700)
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_ed25519
chmod 644 ~/.ssh/id_ed25519.pub

# Check server-side permissions
ssh valente@myserver.com "ls -la ~/.ssh/"
# Should be:
#   drwx------ .ssh/
#   -rw------- authorized_keys

# Fix server permissions
ssh valente@myserver.com "chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys"

Verbose Mode for Debugging

# See detailed authentication process
ssh -vvv valente@myserver.com

Test Which Keys Are Offered

# See what keys SSH is trying to use
ssh -v valente@myserver.com 2>&1 | grep "identity file"

Quick Reference

# Generate new key (Ed25519 - recommended)
ssh-keygen -t ed25519 -C "your_email@example.com"

# Generate RSA key (legacy systems)
ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

# Copy key to server
ssh-copy-id username@hostname

# Add key to ssh-agent
eval "$(ssh-agent -s)"
ssh-add ~/.ssh/id_ed25519

# List keys in agent
ssh-add -l

# View public key
cat ~/.ssh/id_ed25519.pub

# Test connection with specific key
ssh -i ~/.ssh/custom_key username@hostname

Practice Exercise

Try these tasks to master SSH keys:

Generate a new Ed25519 SSH keypair with a passphrase
Use ssh-copy-id to add your key to a test server
Connect without entering a password
Set up ssh-agent to cache your passphrase
Create an SSH config entry for your test server
Generate a second key for a different purpose
Practice removing and re-adding keys to authorized_keys

Pro Tip: Most developers have at least 2-3 SSH keys: one for personal projects, one for work, and maybe one for automated systems. Keep them organized!

Key Takeaways

SSH keys are more secure and convenient than passwords
Public key goes on servers, private key stays on your computer
Use Ed25519 algorithm for new keys (or RSA 4096-bit for legacy)
Protect private keys with passphrases
Use ssh-agent to avoid repeated passphrase typing
File permissions are critical for SSH security
Never share your private key with anyone

Next Up: Now that you can securely connect to remote systems, let's learn how to transfer files between them using SCP!