The SSH network protocol makes it possible to establish secure, encrypted network connections to remote devices such as a server. Such an SSH connection allows users to carry out maintenance via the command line directly from local computers. Depending on the protocol version being used, different encryption algorithms may be employed; SSH-2, for example, uses AES by default. Before the connection can be encrypted, a successful authentication needs to be carried out. While the server presents a security certificate to the client, there are several ways for the client to log in to the server. In addition to the familiar combination of user name and password, a key pair consisting of a private and a public SSH key is a popular option.

Public key authentication

Authentication with SSH keys, also referred to as public key authentication, has advantages over the standard password login. With this method no passwords are stored on the server; only public keys are kept there. The private SSH key remains safely stored on one's own computer and can additionally be encrypted with a passphrase. The public key can verify signatures that have been generated with the private SSH key, which allows automatic login to the server. Should unauthorized users gain access to the public key, deriving the private key from it is virtually impossible. As a result, relying on a key pair for SSH connections frees users from having to go through a login dialog and also provides more robust security.

Switch to SSH keys–here’s how to do it

Taking full advantage of SSH connections requires an SSH package, such as OpenSSH for Unix, WinSCP for Windows, or PuTTY for both Unix and Windows operating systems. In addition to implementing the SSH protocol, these packages include applications that can generate SSH keys. The following step-by-step guide lays out how to set up key pairs with OpenSSH and PuTTY.

SSH keys with OpenSSH configuration

  1. For starters, the SSH key needs to be generated by entering the following command:

    ssh-keygen -t rsa -b 4096

    These parameters determine the kind of encryption to be used (-t), which in this particular case is RSA, and the key length (-b), although the maximum value may not exceed 4096. If no parameters are given, the standard settings are used for generating the key.

  2. The following dialog allows users to see and change the directory in which the SSH key is to be stored (“Enter file in which to save the key”). A passphrase for the private key can also be defined at this point (“Enter passphrase”). If you opt for the standard directory and do not wish to set a passphrase for your key, leave these prompts empty and skip them by pressing Enter.

  3. Both SSH keys are now stored in separate files in the abovementioned directory. The file id_rsa.pub contains the public key, which now needs to be added to the file authorized_keys in the subfolder .ssh on the server. First, copy the key into the home directory of the respective user on the server:

    scp ~/.ssh/id_rsa.pub USER@HOST.com:

  4. Log onto the server and copy the public SSH key into the right folder:

    ssh USER@HOST.com
    cat ~/id_rsa.pub >> ~/.ssh/authorized_keys

  5. The key pair, as well as the passphrase (if one was defined), should now be used automatically when the SSH connection is established. If this is not the case, check whether the permissions for the folder .ssh and the file authorized_keys have been set correctly.

  6. Given that public key authentication replaces normal password authentication, users are able to turn off the standard procedure in the SSH configuration file /etc/ssh/sshd_config (or directly under /etc/, e.g. in Cygwin). Change the line “PasswordAuthentication yes” to, you guessed it, “PasswordAuthentication no” and then restart the SSH server.
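The server-side half of steps 3 to 6 as a script, added here as an example that is not part of the original article: it installs the public key once with restrictive permissions, checks the permissions mentioned in step 5, and reports which PasswordAuthentication value is in effect. The function names and the sample key and config in `demo` are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the article; function names and sample data are constructed.

# install_pubkey PUBKEY [HOME]: add the key once, with restrictive permissions.
install_pubkey() {
    local pub="$1" home="${2:-$HOME}"
    local dir="$home/.ssh" auth="$home/.ssh/authorized_keys"
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }
    # Never upload the private half (id_rsa instead of id_rsa.pub).
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key, refusing" >&2; return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    # Idempotent: append only if this exact line is not already present.
    grep -qxFf "$pub" "$auth" || cat "$pub" >> "$auth"
}

# audit_perms [HOME]: fails if group or others can write to the home directory,
# .ssh or authorized_keys; sshd's StrictModes check refuses keys in that case.
audit_perms() {
    local home="${1:-$HOME}" bad=0 p
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]; then
            echo "writable by group/others: $p" >&2; bad=1
        fi
    done
    return "$bad"
}

# password_auth_setting CONFIG: value in effect for the global section. sshd keeps
# the first value it reads (default "yes"). Include and Match are not followed.
password_auth_setting() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" { v = tolower($2); exit }
         END { print (v == "" ? "yes" : v) }' "$1"
}

# Demo on constructed data in a throwaway directory.
demo() {
    local d; d=$(mktemp -d)
    echo 'ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-SAMPLE user@laptop' > "$d/id_rsa.pub"
    printf '#PasswordAuthentication yes\nPasswordAuthentication no\n' > "$d/sshd_config"
    install_pubkey "$d/id_rsa.pub" "$d" && install_pubkey "$d/id_rsa.pub" "$d"
    audit_perms "$d" && echo "keys: $(wc -l < "$d/.ssh/authorized_keys")" \
        "password auth: $(password_auth_setting "$d/sshd_config")"
    rm -rf "$d"
}
demo
```

On a live server, `sshd -T` (run as root) prints the full effective configuration, including settings from included files, and is the authoritative check before disabling password logins.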

Generate SSH key with the PuTTY Key Generator

  1. Those using PuTTY to establish an SSH connection have the option of employing the default tool PuTTYgen for generating key pairs. The PuTTY Key Generator can be found in the same directory where you installed PuTTY. Should the tool be missing, simply download it from the PuTTY download page.

  2. After starting the tool, select the type of encryption you wish to use under “Parameters”. For SSH-2, users are able to choose between RSA and DSA. Define the length of your desired key under “Number of bits in a generated key”.

  3. Next, click on “Generate” and move the cursor back and forth in the empty area of the dialog box to ensure that the key is unique.

  4. Once the key has been generated, you can add a comment and a passphrase to the key pair.

  5. Save both SSH keys by clicking “Save private key” and “Save public key”.

  6. In order to transfer the public key onto the server, connect to the server with PuTTY, then copy the key from the field "Public key for pasting into OpenSSH authorized_keys file" to the clipboard and paste it into the authorized_keys file.

  7. For the last step, enter the private SSH key into the PuTTY client. Open the configuration menu and, under "Category" > "Connection" > "SSH" > "Auth" > "Private key file for authentication", select the private key file.
