What are SSH Keys?
SSH (Secure Shell) keys are a pair of cryptographic keys that can be used to authenticate to an SSH server as an alternative to password-based logins. SSH keys are more secure than passwords and provide a convenient way to log into servers and access Git repositories.
An SSH key pair consists of:
- Private key: Kept secret on your local machine
- Public key: Shared with servers and services you want to access
- Security: Much more secure than passwords
- Convenience: No need to type passwords repeatedly
- Automation: Enable automated scripts and deployments
- Audit Trail: Better tracking of who accessed what
Prerequisites
Before we begin, make sure you have:
- A computer with SSH client installed (built-in on Linux/macOS, available on Windows)
- Access to a terminal or command prompt
- A GitHub account (for Git setup)
- Access to a server (for server setup)
Generate SSH Key Pair
The first step is to generate a new SSH key pair on your local machine. We'll use the Ed25519 algorithm, which is more secure and faster than RSA.
Open Terminal
Open your terminal (Linux/macOS) or Git Bash (Windows). If you're on Windows and don't have Git Bash, you can use PowerShell or Command Prompt.
Generate the Key Pair
Run the following command, replacing the email with your own:
Terminalssh-keygen -t ed25519 -C "your_email@example.com"
If your system doesn't support Ed25519, use RSA instead:
Terminalssh-keygen -t rsa -b 4096 -C "your_email@example.com"
Choose File Location
When prompted for a file location, press Enter to use the default:
OutputEnter a file in which to save the key (/home/user/.ssh/id_ed25519): [Press enter]
Set a Passphrase
When prompted for a passphrase, enter a secure passphrase. This adds an extra layer of security to your private key:
OutputEnter passphrase (empty for no passphrase): [Type a passphrase] Enter same passphrase again: [Type passphrase again]
While you can leave the passphrase empty, it's highly recommended to use one. If someone gains access to your private key file, the passphrase provides an additional layer of protection.
Add Key to SSH Agent
The SSH agent manages your SSH keys and remembers your passphrase so you don't have to enter it every time.
Linux and macOS
# Start the SSH agent eval "$(ssh-agent -s)" # Add your SSH private key to the agent ssh-add ~/.ssh/id_ed25519
Windows (PowerShell)
# Start the SSH agent service Get-Service -Name ssh-agent | Set-Service -StartupType Manual Start-Service ssh-agent # Add your SSH private key to the agent ssh-add ~/.ssh/id_ed25519
Add Key to GitHub
To use SSH with GitHub, you need to add your public key to your GitHub account.
Copy Your Public Key
First, copy your public key to the clipboard:
Terminal# Linux (with xclip) xclip -selection clipboard < ~/.ssh/id_ed25519.pub # macOS pbcopy < ~/.ssh/id_ed25519.pub # Windows (PowerShell) Get-Content ~/.ssh/id_ed25519.pub | Set-Clipboard # Or simply display and copy manually cat ~/.ssh/id_ed25519.pub
Add Key to GitHub
Follow these steps in your web browser:
- Go to GitHub.com and sign in
- Click your profile picture → Settings
- In the left sidebar, click "SSH and GPG keys"
- Click "New SSH key"
- Give your key a descriptive title (e.g., "My Laptop")
- Paste your public key into the "Key" field
- Click "Add SSH key"
Add Key to Server
To use SSH keys for server access, you need to add your public key to the server's authorized_keys file.
Method 1: Using ssh-copy-id (Recommended)
If you have password access to the server, this is the easiest method:
ssh-copy-id username@server_ip_address
Method 2: Manual Copy
If ssh-copy-id is not available, you can manually copy the key:
# Copy your public key cat ~/.ssh/id_ed25519.pub # SSH into your server ssh username@server_ip_address # On the server, create .ssh directory if it doesn't exist mkdir -p ~/.ssh # Add your public key to authorized_keys echo "your_public_key_here" >> ~/.ssh/authorized_keys # Set correct permissions chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys
Method 3: Using SCP
You can also use SCP to copy the key:
# Copy public key to server scp ~/.ssh/id_ed25519.pub username@server_ip_address:~/ # SSH into server and add key ssh username@server_ip_address mkdir -p ~/.ssh cat ~/id_ed25519.pub >> ~/.ssh/authorized_keys chmod 700 ~/.ssh chmod 600 ~/.ssh/authorized_keys rm ~/id_ed25519.pub
Test SSH Connection
Now let's test that your SSH keys are working correctly.
Test GitHub Connection
ssh -T git@github.com
You should see a message like:
Hi username! You've successfully authenticated, but GitHub does not provide shell access.
Test Server Connection
ssh username@server_ip_address
You should be able to log in without entering a password (though you may need to enter your SSH key passphrase).
If you can connect without entering a password, your SSH keys are working correctly!
Security Best Practices
Follow these best practices to keep your SSH keys secure:
Key Management
- Use strong passphrases: Always protect your private keys with passphrases
- Keep private keys private: Never share your private key with anyone
- Use different keys for different purposes: Consider separate keys for work and personal use
- Regular rotation: Rotate your keys periodically (annually is a good practice)
File Permissions
Ensure your SSH files have the correct permissions:
# Set correct permissions for SSH directory and files chmod 700 ~/.ssh chmod 600 ~/.ssh/id_ed25519 chmod 644 ~/.ssh/id_ed25519.pub chmod 600 ~/.ssh/authorized_keys chmod 600 ~/.ssh/config
SSH Config File
Create an SSH config file to manage multiple keys and hosts:
# GitHub
Host github.com
HostName github.com
User git
IdentityFile ~/.ssh/id_ed25519
# Production Server
Host prod-server
HostName your-server.com
User your-username
IdentityFile ~/.ssh/id_ed25519
Port 22
# Development Server
Host dev-server
HostName dev.your-server.com
User dev-user
IdentityFile ~/.ssh/id_rsa_dev
Port 2222Server Security
On your servers, consider these additional security measures:
- Disable password authentication: Edit
/etc/ssh/sshd_configand setPasswordAuthentication no - Disable root login: Set
PermitRootLogin no - Change default SSH port: Use a non-standard port to reduce automated attacks
- Use fail2ban: Install fail2ban to block repeated failed login attempts
If you suspect your private key has been compromised, immediately remove the corresponding public key from all servers and services, generate a new key pair, and update all your configurations.
Conclusion
Congratulations! You've successfully set up SSH keys for secure authentication. SSH keys provide a much more secure and convenient way to access servers and Git repositories compared to passwords.
Key takeaways:
- SSH keys are more secure than passwords
- Always use passphrases to protect your private keys
- Keep your private keys secure and never share them
- Use SSH config files to manage multiple keys and hosts
- Follow security best practices on your servers
Next steps you might consider:
- Set up SSH key forwarding for accessing servers through jump hosts
- Learn about SSH certificates for enterprise environments
- Explore SSH tunneling for secure connections
- Set up automated key rotation
