SSH Public/Private Keys Explained

I decided to write this post mainly because, during my career, I have seen many people who do not understand private/public keys: what the two halves are for, and when and when not to use them.

This article covers public/private key pairs only as they are used with SSH. Key pairs have many other uses (TLS certificates, code signing, encrypted e-mail), but those are beyond the scope of this article.

In the simplest terms, a private/public key pair can be thought of as a door lock and its key: the door lock is the public key and the key is the private key. Everyone can see the door lock, and you can hand out copies of it freely, but only the matching key opens it. For SSH this means the server keeps a copy of the lock (your public key) and, when you connect, the client proves it holds the key (your private key) without ever sending that key over the network. Both halves are needed to get in, and only the private half has to stay secret.

Now, let's look at how the key pair is generated on a Linux machine. This post assumes that you are logged in to a Linux or equivalent machine. The command below generates a 4096-bit RSA key, which is what the sample output shows; on current OpenSSH versions, ssh-keygen -t ed25519 produces a shorter, faster key that is the usual choice today, and the rest of the procedure is identical. From the "$" prompt, type the following command:

ssh-keygen -b 4096 -t rsa

An output similar to the following should be shown:

Generating public/private rsa key pair.
Enter file in which to save the key (/home/ubuntu/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ubuntu/.ssh/id_rsa
Your public key has been saved in /home/ubuntu/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:99Xv+EKmZI915JoxhkzXEcnPARLiEAuMiAbuXZ9rAH4 ubuntu@minecraft-server
The key's randomart image is:
+---[RSA 4096]----+
|+ . o. o.. o..o.o|
|oo . .. + . . = |
|.. . . . . o+|
|. o o . . . ..=|
| . o E oS .o o.o.|
| . . .. .=.B +|
| o o.O *.|
| . o =o |
| .oo|
+----[SHA256]-----+

Two files are generated by the above command: id_rsa (the private key, which must stay secret) and id_rsa.pub (the public key, which you will hand out). By default they are saved in the hidden .ssh directory under your home directory; the first prompt lets you choose a different path if you do not want the default.

The other thing the command asks you for is a passphrase to protect the private key. A passphrase on the private key can be seen as a passcode-protected lockbox for the actual key: if the file is ever copied or stolen, it is useless without the passphrase. There are instances in which I use a passphrase and instances in which I do not. I would use a passphrase if the key is a personal key used to log in to different devices (ssh-agent caches the unlocked key, so you type the passphrase once per session rather than on every connection). I would not use one if the private key will be used by a batch process, since nothing is there to type it in. If a batch key has to be left unprotected, limit what it can do instead: sshd lets you prefix the key's entry in authorized_keys with options such as command="...", from="..." and no-pty, so that the key can only run one program and only from one source address. If you do not know the difference between the two cases, do not worry; you are free to generate as many keys as you like, so don't use a passphrase for this exercise.

Now that you have the two files, you can authorize key access to a system on which you already have a username and password by following this process:

Let's say that you have a Linux server with a username/password, and you would like to simplify your access to it. In order to do that, you will perform the following actions:

  • Copy the content of the file id_rsa.pub. Log in to the server you would like to reach with your username and password, and append that content as a single line to the file authorized_keys in the .ssh directory of your home directory there. Create the directory and file if they do not exist, and append rather than overwrite: the file can hold many public keys, one per line.
  • Make sure the .ssh directory has permission 700 and the authorized_keys file has permission 600. sshd ignores keys in a directory or file that other users can write to, and with its default StrictModes setting your home directory must not be group- or world-writable either. Use the chmod command to change permissions if necessary.
  • This post assumes that you are also connecting from a Linux machine. If it is the same machine on which you generated the key pair, all you have to do is run the following command:

ssh user@hostname-ip

  • If you are connecting from another system, copy the id_rsa file to that system and place it in its .ssh directory, keeping the 600 permission. Copying a private key around is a habit to avoid, because every copy is another place it can leak from; the cleaner practice is to generate a key pair on each client and add each client's public key to authorized_keys. You can have several private keys on a client, but then you have to use the -i switch followed by the path of the private key you want to use. Should your private key have a passphrase, you will be prompted for it when the client needs the key during the connection.

You should now land at a prompt on the target server without being asked for a password. If you are still prompted for one, check that every step above was followed; permissions are the usual culprit, and running ssh with -v shows which keys the client offered and why the server rejected them. Troubleshooting SSH connections in general is beyond the scope of this article, and based on the actual error received there is plenty of help on the internet.
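As an added example (this is not code from the original post), the script below performs the server-side steps of the procedure above in a form you can run: it appends a public key line to authorized_keys without creating duplicates, sets the 700/600 permissions, and optionally prefixes the entry with the authorized_keys options mentioned earlier for a passphrase-less batch key. It runs offline against a temporary directory standing in for the target user's home. The public key lines in it are constructed for the demo and are not real keys, and the path /usr/local/bin/backup.sh and the client names in the key comments are assumptions. The two helpers generate_client_key and ssh_with_key are the non-interactive forms of the ssh-keygen and ssh -i commands discussed above, meant to be run on the real client rather than in the demo.

```shell
#!/bin/sh
# Added example, not from the original post: install a public key into a
# user's authorized_keys as the procedure describes, with the permissions
# sshd requires, optionally restricted with authorized_keys options for a
# passphrase-less batch key. Runs offline against a scratch directory.
set -eu

# Constructed sample public keys for the demo. The key material is fake
# (not real keys) but has the "type base64 comment" shape sshd parses.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyMaterialForDemoOnly0000000000000000 ubuntu@example-client'
SAMPLE_BATCH_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeBatchKeyMaterialForDemoOnly00000000000000 backup@example-batch'

# install_authorized_key HOME_DIR PUBKEY_LINE [OPTIONS]
#   Appends PUBKEY_LINE to HOME_DIR/.ssh/authorized_keys, creating the
#   directory (700) and file (600) if needed, unless an identical line is
#   already present. OPTIONS, if given, is an authorized_keys option string
#   such as 'command="/usr/local/bin/backup.sh",no-pty,no-port-forwarding'
#   that sshd enforces for this key only.
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    options=${3:-}
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    if [ -n "$options" ]; then
        line="$options $pubkey"
    else
        line="$pubkey"
    fi

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Idempotent: re-running with the same key adds no duplicate line.
    if ! grep -qxF -- "$line" "$auth_file"; then
        printf '%s\n' "$line" >> "$auth_file"
    fi
}

# count_authorized_keys HOME_DIR
#   Prints the number of key entries (non-empty, non-comment lines).
count_authorized_keys() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys" 2>/dev/null || true
}

# mode_string PATH
#   Prints the ls-style permission string, e.g. drwx------ or -rw-------.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# generate_client_key KEYFILE COMMENT
#   Non-interactive equivalent of the ssh-keygen prompts shown above, using
#   ed25519 and an empty passphrase (-N '') as you would for a batch key.
#   Run this on the client; it is not called in the offline demo below.
generate_client_key() {
    ssh-keygen -q -t ed25519 -f "$1" -N '' -C "$2"
}

# ssh_with_key KEYFILE USER@HOST
#   The -i form from the procedure. IdentitiesOnly stops the client from
#   offering every other key it knows about first; BatchMode makes it fail
#   instead of prompting, which is what a script wants.
ssh_with_key() {
    ssh -i "$1" -o IdentitiesOnly=yes -o BatchMode=yes "$2"
}

# --- demo against a scratch directory standing in for the target user's home ---
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"
install_authorized_key "$demo_home" "$SAMPLE_PUBKEY"      # second run: no duplicate
install_authorized_key "$demo_home" "$SAMPLE_BATCH_PUBKEY" \
    'command="/usr/local/bin/backup.sh",no-pty,no-port-forwarding,no-agent-forwarding'
echo "authorized_keys now contains:"
cat "$demo_home/.ssh/authorized_keys"
echo "entries: $(count_authorized_keys "$demo_home")  .ssh: $(mode_string "$demo_home/.ssh")  file: $(mode_string "$demo_home/.ssh/authorized_keys")"
rm -rf "$demo_home"
```

On a real server you would call install_authorized_key with the user's actual home directory and the line copied from id_rsa.pub; the restricted form is the one to use for a batch key that has no passphrase, since the command= option means a stolen copy of that key can only run the one program you named.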

I hope this article helped clarify SSH public/private key pairs…

Thank you for reading and type away…
