Secure Shell (SSH) is a cryptographic network protocol used to establish a secure connection between a client and a server; it supports several authentication mechanisms. SSH uses public-key cryptography to authenticate the remote computer and, optionally, to let the remote computer authenticate the user.
There are several ways to use SSH. One is to use automatically generated public-private key pairs simply to encrypt the network connection, and then use password authentication to log on. Another is to use a manually generated public-private key pair to perform the authentication itself, allowing users or programs to log in without specifying a password. In this scenario, any user can generate a key pair (one public key and one private key). The public key is placed on every computer that must grant access to the owner of the matching private key, and the owner keeps the private key secret. Although authentication is based on the private key, the key itself is never sent over the network during authentication: SSH only verifies that the party offering the public key also possesses the matching private key.
Set up public-key authentication using SSH on a Linux or macOS computer
To set up public-key authentication using SSH on a Linux or macOS computer:
Log into the computer you'll use to access the remote host, and then use command-line SSH to generate an RSA key pair. To generate RSA keys, on the command line, enter:
- You will first be prompted for a filename in which to store the public/private key pair; press Enter or Return to accept the default.
- You will then be prompted for a passphrase. If you press Enter or Return, you create a passwordless key pair. Plenty of online resources suggest creating a passwordless key pair; from a security perspective, this is NOT RECOMMENDED. Please consider adding a passphrase.
If the ssh-copy-id command is available on your system, you can copy your public key using the command
Alternatively, copy the public key to your account on the remote system using SFTP or SCP.
Log in to the remote system and add the contents of your public key file (~/id_rsa.pub) to a new line in your
If you log in to the remote system, it will prompt you for the passphrase of the key pair rather than the password on the remote system. You have three chances to enter the correct passphrase before it falls back to the account password. To log in to the remote system without entering your password or passphrase, use the credential manager,
It is a good security practice to change the key pair passphrase regularly just as you regularly change your password.
- If you have an existing key pair that is not protected by a passphrase, you can add one using the command
ssh-keygen -p -f <path to private key>
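The copy step above ends with the public key appended to a file on the remote system; this added example (not code from the page) shows what that step does on the remote side in POSIX shell, the way ssh-copy-id would: it validates that the line looks like an OpenSSH public key, creates the directory and file with owner-only permissions, and appends the key only once. The directory path is passed in so it can be pointed at a scratch directory; the key line used in the test is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example: install a public key into DIR/authorized_keys the way
# ssh-copy-id does on the remote side. DIR is normally ~/.ssh; it is a
# parameter here so the function can be exercised against a temporary directory.

# install_authorized_key DIR PUBKEY_LINE
# Returns 0 when the key was added, 3 when it was already present,
# 4 when the line does not look like an OpenSSH public key, 1 on I/O errors.
install_authorized_key() {
    dir=$1
    line=$2
    # An OpenSSH public key line is "<type> <base64 blob> [comment]".
    # Reject anything that does not start with a key type ssh(1) would accept.
    case "$line" in
        ssh-ed25519\ *|ssh-rsa\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) return 4 ;;
    esac
    # umask 077 makes a new directory 700 and a new file 600 on creation.
    ( umask 077 && mkdir -p "$dir" ) || return 1
    file="$dir/authorized_keys"
    ( umask 077 && touch "$file" ) || return 1
    # Compare only type and blob: the comment may differ between copies of one key.
    keyid=$(printf '%s\n' "$line" | awk '{print $1" "$2}')
    if awk -v k="$keyid" '($1" "$2)==k {found=1} END {exit !found}' "$file"; then
        return 3
    fi
    printf '%s\n' "$line" >> "$file" || return 1
    # Enforce the permissions even if the directory or file already existed.
    chmod 700 "$dir" && chmod 600 "$file"
}

# count_authorized_keys DIR: print the number of non-comment key lines.
count_authorized_keys() {
    awk 'NF>=2 && $1 !~ /^#/' "$1/authorized_keys" 2>/dev/null | wc -l | tr -d ' '
}

# perm_string PATH: print the ls-style mode (e.g. drwx------), portable across GNU and BSD.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Usage on the remote system, after copying id_rsa.pub over with SCP or SFTP:
#   install_authorized_key "$HOME/.ssh" "$(cat ~/id_rsa.pub)"
```

Running the function twice with the same key (even with a different comment) is a no-op with exit status 3, so a script that re-runs it is safe; the chmod at the end repairs permissions on a pre-existing directory, which is the same condition the chmod 700 ~/.ssh advice later on the page addresses.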
Using ssh-agent and ssh-add to manage passwords
ssh-agent is a key manager for SSH. It holds your keys and certificates in memory, unencrypted and ready for use by ssh. The ssh-add command prompts you for the private key's passphrase, decrypts the key and adds it to the list maintained by ssh-agent. Once a key is loaded in ssh-agent, you will not be prompted for its passphrase when using SSH or SCP to connect to hosts on which the matching public key is installed.
At the prompt, enter
Use backticks (`) rather than the single quote (').
Use ssh-add to add credentials to ssh-agent. It is good security practice to give your saved credential a lifetime. By default, the lifetime is the length of time the terminal is open. When prompted, enter the passphrase for the private key.
For the next hour (assuming the previous command), you can log in to Sol or any remote system on which the public key is saved without entering your password.
To see a list of keys added to your agent, use the command
To delete all saved keys, use the command
If you have saved multiple keys and want to delete only one of them, use the command
ssh-add -d <private key>. For example:
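The agent workflow in this section (start an agent, add a key with a lifetime, list keys, remove one or all of them, stop the agent) as an added POSIX shell example; it is not code from the page. It assumes OpenSSH's ssh-agent and ssh-add are installed and returns 2 from each function when they are not. The passphrase is always typed at the ssh-add prompt; nothing here accepts it as an argument.

```shell
#!/bin/sh
# Added example: wrap ssh-agent/ssh-add so keys always carry a lifetime.
# Assumes OpenSSH's ssh-agent and ssh-add are on PATH (return 2 otherwise).

# start_agent SECONDS: start a private ssh-agent whose keys expire after SECONDS.
# Exports SSH_AUTH_SOCK and SSH_AGENT_PID into the current shell.
start_agent() {
    command -v ssh-agent >/dev/null 2>&1 || return 2
    # -s prints Bourne-shell export statements; -t sets the default lifetime
    # for every key added later, so a forgotten "ssh-add -t" is still bounded.
    eval "$(ssh-agent -s -t "$1")" >/dev/null || return 1
    [ -S "$SSH_AUTH_SOCK" ]
}

# add_key PRIVATE_KEY_PATH [SECONDS]: load a key; -t overrides the agent default.
# ssh-add prompts for the passphrase on the terminal.
add_key() {
    command -v ssh-add >/dev/null 2>&1 || return 2
    if [ -n "${2:-}" ]; then
        ssh-add -t "$2" "$1"
    else
        ssh-add "$1"
    fi
}

# agent_key_count: print how many identities the agent currently holds.
# ssh-add -l exits 1 ("The agent has no identities.") when empty and 2 when
# it cannot reach an agent; both are distinguished from a real listing here.
agent_key_count() {
    command -v ssh-add >/dev/null 2>&1 || return 2
    out=$(ssh-add -l 2>/dev/null)
    rc=$?
    case $rc in
        0) printf '%s\n' "$out" | wc -l | tr -d ' ' ;;
        1) echo 0 ;;
        *) return "$rc" ;;
    esac
}

# remove_key PRIVATE_KEY_PATH: unload one key (ssh-add -d).
remove_key() { ssh-add -d "$1"; }

# remove_all_keys: unload every key (ssh-add -D).
remove_all_keys() { ssh-add -D; }

# stop_agent: kill the agent started by start_agent so keys never outlive the session.
stop_agent() {
    [ -n "${SSH_AGENT_PID:-}" ] || return 0
    eval "$(ssh-agent -k)" >/dev/null
}

# Usage in an interactive shell (one hour, matching the text above):
#   start_agent 3600 && add_key ~/.ssh/id_rsa
#   agent_key_count
#   stop_agent   # at the end of the session
```

Because the functions export SSH_AUTH_SOCK and SSH_AGENT_PID into the calling shell, they must be sourced (". ./agent.sh") rather than executed in a subshell; starting the agent with -t means even a key added without its own -t expires after the chosen lifetime.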
Best Security Practices
- Always protect your key pair with a passphrase.
- Use a strong passphrase just as you would for your password.
- Do not use your password as your passphrase.
- Do not write down your password/passphrase and store it somewhere anyone can access, for example on a post-it note on your monitor.
- Verify that only your account has access to your SSH keys by running
chmod 700 ~/.ssh.
- Never share your private key and/or your passphrase/password.
- Always store your credentials in
ssh-agent with a definite lifetime.
- Change your passphrase as regularly as you change your password.
- Do not reuse your password as your passphrase.
- Limit the number of systems that you log in from.
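The chmod 700 ~/.ssh item is a one-time fix; this added POSIX shell example (not code from the page) turns it into a repeatable check that reports a directory that is not owner-only, a private key readable by group or others (which ssh itself refuses to use), and any file in the directory writable by group or others. The directory is a parameter so the audit can run against any location; the files created in the test are constructed fixtures, not real keys.

```shell
#!/bin/sh
# Added example: audit an SSH directory against the permission advice above.
# audit_ssh_dir DIR prints one "WEAK ..." line per finding and returns 0 only
# when nothing is wrong (1 otherwise). Uses ls -ld so it works on GNU and BSD.

# perm_fields PATH: the group and other permission characters, e.g. "------" or "r-xr-x".
perm_fields() {
    ls -ld "$1" | cut -c5-10
}

audit_ssh_dir() {
    dir=$1
    findings=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi
    # The directory itself must be 700: no group or other bits at all.
    if [ "$(perm_fields "$dir")" != "------" ]; then
        echo "WEAK $dir (expected chmod 700)"
        findings=$((findings + 1))
    fi
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: the glob did not expand
        base=${f##*/}
        case "$base" in
            *.pub|known_hosts*|config|authorized_keys)
                # These may be readable by others but must never be writable by them.
                p=$(perm_fields "$f")
                gw=$(printf '%s' "$p" | cut -c2)
                ow=$(printf '%s' "$p" | cut -c5)
                if [ "$gw" != "-" ] || [ "$ow" != "-" ]; then
                    echo "WEAK $f (writable by group or others)"
                    findings=$((findings + 1))
                fi
                ;;
            *)
                # Anything else is treated as a private key and must be 600.
                if [ "$(perm_fields "$f")" != "------" ]; then
                    echo "WEAK $f (expected chmod 600)"
                    findings=$((findings + 1))
                fi
                ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Usage: audit_ssh_dir "$HOME/.ssh" || echo "fix the permissions listed above"
```

The private-key rule is stricter than the writable check because ssh(1) skips a key whose file is readable by group or others, so a weak private key both leaks material and silently breaks login; the exempted names match what OpenSSH expects other users or the server to be able to read.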