Deploying SSH Keys To Your Server

I’ve yammered quite a bit about SSH and SSH key theory on this site. By now you should be itching to quit reading and start working, especially considering my glacial pace at wrapping this series up.

Previously in this series:

SSH Basics
SSH Key Theory
SSH Key Creation

In order for you to use a particular SSH key to login to a server, you need to have the private key on your local device or computer, and you need to have the public key stored on the server.

Remember, the private key is the one you hold close and the public key is the one you share to anyone who needs to authenticate you. The public key lets the server encrypt a message to you. You can decrypt the message with your private key and prove to the server that you must be you, since you are in possession of that private key.

There are a few steps we need to follow to get the server ready to accept our SSH key as our means of authentication for logging in:

  • Create a .ssh directory in our home directory on the server if it doesn’t already exist,
  • Set the permissions on the .ssh directory to 700 (rwx———),
  • Create a file called authorized_keys inside the .ssh directory,
  • Set the permissions on authorized_keys to 600 (rw———-),
  • Add our public key to the authorized_keys file.

You can do most of this in one fell swoop, but let’s take it one step at a time so that you understand exactly what we are putting in place.

SSH into your server using your account name and password:

ssh testdummy@server

You’ll be in your home directory by default. You can check this with a simple “pwd” command:

testdummy@server:~$ pwd
/home/testdummy
testdummy@server:~$  

Create the .ssh directory with the “mkdir” command:

testdummy@server:~$ mkdir .ssh
testdummy@server:~$ ls -la
total 24
drwxr-xr-x 3 testdummy testdummy 4096 Feb 22 23:21 .
drwxr-xr-x 9 root      root      4096 Feb 22 23:14 ..
-rw-r--r-- 1 testdummy testdummy  220 Feb 22 23:14 .bash_logout
-rw-r--r-- 1 testdummy testdummy 3771 Feb 22 23:14 .bashrc
-rw-r--r-- 1 testdummy testdummy  807 Feb 22 23:14 .profile
drwxrwxr-x 2 testdummy testdummy 4096 Feb 22 23:21 .ssh
testdummy@server:~$  

In my example above, after creating the .ssh directory, its permissions are set to 775 (rwxrwxr-x). SSH won’t actually work unless permissions are all set appropriately, so change the directory permissions on .ssh to 700 now:

testdummy@server:~$ chmod 700 .ssh
testdummy@server:~$ ls -la
total 24
drwxr-xr-x 3 testdummy testdummy 4096 Feb 22 23:21 .
drwxr-xr-x 9 root      root      4096 Feb 22 23:14 ..
-rw-r--r-- 1 testdummy testdummy  220 Feb 22 23:14 .bash_logout
-rw-r--r-- 1 testdummy testdummy 3771 Feb 22 23:14 .bashrc
-rw-r--r-- 1 testdummy testdummy  807 Feb 22 23:14 .profile
drwx------ 2 testdummy testdummy 4096 Feb 22 23:21 .ssh
testdummy@server:~$  

Change directory to your new .ssh directory:

testdummy@server:~$ cd .ssh
testdummy@server:~/.ssh$ pwd
/home/testdummy/.ssh
testdummy@server:~/.ssh$ 

Create a file called authorized_keys and set its permissions to 600:

testdummy@server:~/.ssh$ touch authorized_keys
testdummy@server:~/.ssh$ chmod 600 authorized_keys 
testdummy@server:~/.ssh$ ls -l
total 0
-rw------- 1 testdummy testdummy 0 Feb 22 23:27 authorized_keys
testdummy@server:~/.ssh$  

This file is used to indicate to your account what public SSH keys you are willing to accept and use in authenticating someone trying to login as you. The permissions have to be correct, and the public key for any key pair you want to authenticate using when you log into this account must be inside the the file.

Right now, authorized_keys is empty, but it won’t be for long.

Log off the server now by typing “exit” at the command prompt. You’re now back on your own Mac, and it’s time to copy the public key for the key pair that we generated previously up to the server.

In order to do this, we’ll use a utility called ssh-copy-id. ssh-copy-id is actually quite powerful and can even iterate through your available identities (read: any ssh keys you possess) and copy any that don’t work on a given server up to that server so that they will log you in. We don’t want that, we’re just going to use it to copy one specific public key to the server for us.

To copy a specific key to our account on the server use the following command:

ssh-copy-id -i testdummy testdummy@myserverdomain.com

This tells our Mac to run ssh-copy-id and to copy the testdummy identity or key to the user account testdummy on the server at myserverdomain.com.

The part that specifies which key to copy is the -i flag and the following key name.

When you run ssh-copy-id, you’ll be prompted for the password of the account you’re installing the public key for.

scott@Dragonfly:~/.ssh# ssh-copy-id -i testdummy testdummy@myserverdomain.com
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "testdummy.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
testdummy@myserverdomain.com's password: 

Number of key(s) added:        1

Now try logging into the machine, with:   "ssh 'testdummy@myserverdomain.com'"
and check to make sure that only the key(s) you wanted were added.

Now we can test our ssh login with the testdummy account using our key to see if it works.

scott@Dragonfly:~/.ssh# ssh -i testdummy testdummy@myserverdomain.com
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-66-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue 23 Mar 2021 11:34:19 PM PDT

  System load:           0.02
  Usage of /:            14.1% of 48.68GB
  Memory usage:          20%
  Swap usage:            2%
  Processes:             154
  Users logged in:       1
  IPv4 address for eth0: xxx.xxx.xxx.xxx
  IPv6 address for eth0: xxxx:xxxx::xxxx:xxxx:xxxx:xxxx

testdummy@dragonfly:~$  

In the above example, when I used the ssh command to ssh to the server, I specified the identity I wanted to use with the -i flag and the name of the ssh key (testdummy). The reason for this is that I have many different ssh keys on my Mac for different accounts and different servers and other computers. Later I’ll show you how to setup some shortcuts to handle which keys get used with which servers and accounts using an ssh config file on your Mac.

Now if we look at the authorized_keys file in testdummy’s .ssh directory on the server, we see that it contains testdummy’s public key:

root@server:/home/testdummy/.ssh# more authorized_keys 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLEpMj4HTUdzuTB+EKEORhDRYGdcYO5xQsYXee8Az+s scott@Dragonfly.local

Compare this to our public key on our Mac, and you’ll see they match:

scott@Dragonfly:~/.ssh# more testdummy.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDLEpMj4HTUdzuTB+EKEORhDRYGdcYO5xQsYXee8Az+s scott@Dragonfly.local
testdummy.pub (END) 

So far in this series on ssh, we’ve learned how to create ssh keys, how they work on the server, and how to copy a public key to a server.

Next time in this series, I’ll show you how to set up a config file on your Mac in your .ssh folder that will simplify the process of actually ssh-ing into a server and choosing which username and ssh key, or identity, to use when doing so. This becomes important when you have lots of accounts on various servers and you have different ssh keys for them.