- Step 2: Create Your SSH Key Pair. Type the following command at the prompt then press enter. Ssh-keygen -b 4096. When prompted for the file in which to save the key, press enter. The default location will be created. Keep default values and no need for a pass phrase. You now have an SSH key. The whole process will look like this.
- Generate SSH keys on Linux/Mac. Generate a public/private key pair: Log in to the computer you will use to access Sitehost, and then use the command line to generate a key pair. To generate RSA keys, on the command line, enter: ssh-keygen -t rsa; You will be prompted to supply a filename (for saving the key pair) and a passphrase (for.
- The simplest way to generate a key pair is to run ssh-keygen without arguments. In this case, it will prompt for the file in which to store keys.
With a secure shell (SSH) key pair, you can create a Linux virtual machine that uses SSH keys for authentication. This article shows you how to create and use an SSH RSA public-private key file pair for SSH client connections.
If you want quick commands, see How to create an SSH public-private key pair for Linux VMs in Azure.
To create SSH keys and use them to connect to a from a Windows computer, see How to use SSH keys with Windows on Azure. You can also use the Azure portal to create and manage SSH keys for creating VMs in the portal.
You can execute ssh-keygen without any arguments which will generate key pairs by default using RSA algorithm The tool will prompt for the location to store the RSA key pairs. The default location would be inside user's home folder under.ssh i.e. /.ssh The tool will create /.ssh if the directory does not exists already. You can generate an SSH key pair directly in Site Tools, or you can generate the keys yourself and just upload the public one in Site Tools to use with your hosting account. When generating SSH keys yourself under Linux, you can use the ssh-keygen command. To do so follow these steps: Open up the Terminal.
Overview of SSH and keys
SSH is an encrypted connection protocol that provides secure sign-ins over unsecured connections. SSH is the default connection protocol for Linux VMs hosted in Azure. Although SSH provides an encrypted connection, using passwords with SSH connections still leaves the VM vulnerable to brute-force attacks. We recommend connecting to a VM over SSH using a public-private key pair, also known as SSH keys.
The public key is placed on your Linux VM.
The private key remains on your local system. Protect this private key. Do not share it.
When you use an SSH client to connect to your Linux VM (which has the public key), the remote VM tests the client to make sure it has the correct private key. If the client has the private key, it's granted access to the VM.
Depending on your organization's security policies, you can reuse a single public-private key pair to access multiple Azure VMs and services. You do not need a separate pair of keys for each VM or service you wish to access.
Your public key can be shared with anyone, but only you (or your local security infrastructure) should have access to your private key.
Supported SSH key formats
Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported.
SSH keys use and benefits
When you create an Azure VM by specifying the public key, Azure copies the public key (in the .pub format) to the ~/.ssh/authorized_keys folder on the VM. SSH keys in ~/.ssh/authorized_keys are used to challenge the client to match the corresponding private key on an SSH connection. In an Azure Linux VM that uses SSH keys for authentication, Azure configures the SSHD server to not allow password sign-in, only SSH keys. By creating an Azure Linux VM with SSH keys, you can help secure the VM deployment and save yourself the typical post-deployment configuration step of disabling passwords in the sshd_config file.
If you do not wish to use SSH keys, you can set up your Linux VM to use password authentication. If your VM is not exposed to the Internet, using passwords may be sufficient. However, you still need to manage your passwords for each Linux VM and maintain healthy password policies and practices, such as minimum password length and regular updates.
Generate keys with ssh-keygen
To create the keys, a preferred command is ssh-keygen, which is available with OpenSSH utilities in the Azure Cloud Shell, a macOS or Linux host, and Windows 10. ssh-keygen asks a series of questions and then writes a private key and a matching public key.
SSH keys are by default kept in the ~/.ssh directory. If you do not have a ~/.ssh directory, the ssh-keygen command creates it for you with the correct permissions.
Basic example
The following ssh-keygen command generates 4096-bit SSH RSA public and private key files by default in the ~/.ssh directory. If an SSH key pair exists in the current location, those files are overwritten.
Detailed example
The following example shows additional command options to create an SSH RSA key pair. If an SSH key pair exists in the current location, those files are overwritten.
Command explained
ssh-keygen = the program used to create the keys
-m PEM = format the key as PEM
-t rsa = type of key to create, in this case in the RSA format
-b 4096 = the number of bits in the key, in this case 4096
-C 'azureuser@myserver' = a comment appended to the end of the public key file to easily identify it. Normally an email address is used as the comment, but use whatever works best for your infrastructure.
-f ~/.ssh/mykeys/myprivatekey = the filename of the private key file, if you choose not to use the default name. A corresponding public key file appended with .pub is generated in the same directory. The directory must exist.
-N mypassphrase = an additional passphrase used to access the private key file.
Example of ssh-keygen
Saved key files
Enter file in which to save the key (/home/azureuser/.ssh/id_rsa): ~/.ssh/id_rsa
The key pair name for this article. Having a key pair named id_rsa is the default; some tools might expect the id_rsa private key file name, so having one is a good idea. The directory ~/.ssh/ is the default location for SSH key pairs and the SSH config file. If not specified with a full path, ssh-keygen creates the keys in the current working directory, not the default ~/.ssh.
List of the ~/.ssh directory
Key passphrase
Enter passphrase (empty for no passphrase):
It is strongly recommended to add a passphrase to your private key. Without a passphrase to protect the key file, anyone with the file can use it to sign in to any server that has the corresponding public key. Adding a passphrase offers more protection in case someone is able to gain access to your private key file, giving you time to change the keys.
Generate keys automatically during deployment
If you use the Azure CLI to create your VM, you can optionally generate SSH public and private key files by running the az vm create command with the --generate-ssh-keys option. The keys are stored in the ~/.ssh directory. Note that this command option does not overwrite keys if they already exist in that location.
Provide SSH public key when deploying a VM
To create a Linux VM that uses SSH keys for authentication, provide your SSH public key when creating the VM using the Azure portal, CLI, Resource Manager templates, or other methods. When using the portal, you enter the public key itself. If you use the Azure CLI to create your VM with an existing public key, specify the value or location of this public key by running the az vm create command with the --ssh-key-value option.
If you're not familiar with the format of an SSH public key, you can see your public key by running cat as follows, replacing ~/.ssh/id_rsa.pub with your own public key file location:
Output is similar to the following (here redacted):
If you copy and paste the contents of the public key file into the Azure portal or a Resource Manager template, make sure you don't copy any additional whitespace or introduce additional line breaks. For example, if you use macOS, you can pipe the public key file (by default, ~/.ssh/id_rsa.pub) to pbcopy to copy the contents (there are other Linux programs that do the same thing, such as xclip).
If you prefer to use a public key that is in a multiline format, you can generate an RFC4716 formatted key in a pem container from the public key you previously created.
To create a RFC4716 formatted key from an existing SSH public key:
SSH to your VM with an SSH client
With the public key deployed on your Azure VM, and the private key on your local system, SSH to your VM using the IP address or DNS name of your VM. Replace azureuser and myvm.westus.cloudapp.azure.com in the following command with the administrator user name and the fully qualified domain name (or IP address):
If you provided a passphrase when you created your key pair, enter the passphrase when prompted during the sign-in process. (The server is added to your ~/.ssh/known_hosts folder, and you won't be asked to connect again until the public key on your Azure VM changes or the server name is removed from ~/.ssh/known_hosts.)
If the VM is using the just-in-time access policy, you need to request access before you can connect to the VM. For more information about the just-in-time policy, see Manage virtual machine access using the just in time policy.
Use ssh-agent to store your private key passphrase
To avoid typing your private key file passphrase with every SSH sign-in, you can use ssh-agent to cache your private key file passphrase. If you are using a Mac, the macOS Keychain securely stores the private key passphrase when you invoke ssh-agent.
Verify and use ssh-agent and ssh-add to inform the SSH system about the key files so that you do not need to use the passphrase interactively.
Now add the private key to ssh-agent using the command ssh-add.
The private key passphrase is now stored in ssh-agent.
Use ssh-copy-id to copy the key to an existing VM
If you have already created a VM, you can add a new SSH public key to your Linux VM using ssh-copy-id.
Create and configure an SSH config file
You can create and configure an SSH config file (~/.ssh/config) to speed up log-ins and to optimize your SSH client behavior.
The following example shows a simple configuration that you can use to quickly sign in as a user to a specific VM using the default SSH private key.
Create the file.
Edit the file to add the new SSH configuration
Add configuration settings appropriate for your host VM. In this example, the VM name is myvm and the account name is azureuser.
You can add configurations for additional hosts to enable each to use its own dedicated key pair. See SSH config file for more advanced configuration options.
Now that you have an SSH key pair and a configured SSH config file, you are able to sign in to your Linux VM quickly and securely. When you run the following command, SSH locates and loads any settings from the Host myvm block in the SSH config file.
The first time you sign in to a server using an SSH key, the command prompts you for the passphrase for that key file.
Next steps
Next up is to create Azure Linux VMs using the new SSH public key. Azure VMs that are created with an SSH public key as the sign-in are better secured than VMs created with the default sign-in method, passwords.
If you interact regularly with SSH commands and remote hosts, you may find that using a key pair instead of passwords can be convenient. Instead of the remote system prompting for a password with each connection, authentication can be automatically negotiated using a public and private key pair.
The private key remains secure on your own workstation, and the public key gets placed in a specific location on each remote system that you access. Your private key may be secured locally with a passphrase. A local caching program such as ssh-agent or gnome-keyring allows you to enter that passphrase periodically, instead of each time you use the key to access a remote system.
[ Free download: Advanced Linux commands cheat sheet. ]
Generating a key pair and propagating the public key
Generating your key pair and propagating your public key is simpler than it sounds. Let’s walk through it.
Generating the key
The minimum effort to generate a key pair involves running the ssh-keygen command, and choosing the defaults at all the prompts:
The default location to store the keys is in the ~/.ssh directory, which will be created if it does not exist:
Allowing this command to create the directory also ensures that the owner and permissions are set correctly. Some applications will not use keys if the permissions to the private key are too open.
The file ending in .pub is the public key that needs to be transferred to the remote systems. It is a file containing a single line: The protocol, the key, and an email used as an identifier. Options for the ssh-keygen command allow you to specify a different identifier:
After generating the key pair, the ssh-keygen command also displays the fingerprint and randomart image that are unique to this key. This information can be shared with other people who may need to verify your public key.
Later you can view these with:
The -l option lists the fingerprint, and the -v option adds the ASCII art.
Propagating the public key to a remote system
If password authentication is currently enabled, then the easiest way to transfer the public key to the remote host is with the ssh-copy-id command. If you used the default name for the key all you need to specify is the remote user and host:
Following the instructions from the output, verify that you can connect using the key pair. If you implemented a passphrase, you will be prompted for the passphrase to use the private key:
Examine the resulting authorized key file. This is where the public key was appended. If the directory or file did not exist, then it was (or they were) created with the correct ownership and permissions. Each line is a single authorized public key:
To revoke access for this key pair, remove the line for the public key.
There are many other options that can be added to this line in the authorized key file to control access. These options are usually used by administrators placing the public keys on a system with restrictions. These restrictions may include where the connection may originate, what command(s) may be run, and even a date indicating when to stop accepting this key. These and more options are listed in the sshd man page.
Changing the passphrase
If you need to change a passphrase on your private key or if you initially set an empty passphrase and want that protection at a later time, use the ssh-keygen command with the -p option:
You can add additional options to specify the key (-f), and the old (-P) or new (-N) passphrases on the command line. Remember that any passwords specified on the command line will be saved in your shell history.
See the ssh-keygen man page for additional options.
Rotating keys
While the public key by itself is meant to be shared, keep in mind that if someone obtains your private key, they can then use that to access all systems that have the public key. These key pairs also do not have a period of validity like GNU Privacy Guard (GPG) keys or public key infrastructure (PKI) certificates.
If you have any reason to suspect that a private key has been stolen or otherwise compromised, you should replace that key pair. The old public key has to be removed from all systems, a new key has to be generated with ssh-keygen, and the new public key has to be transferred to the desired remote systems.
If you are rotating keys as a precaution and without any concern of compromise, you can use the old key pair to authenticate the transfer of the new public key before removing the old key.
Is using empty passphrases ever a good idea?
There are several things to think about when considering an empty passphrase for your SSH private key.
How secure is the private key file?
If you tend to work from multiple client systems and want to either have multiple copies of your key or keep a copy on removable media, then it really is a good idea to have a passphrase on the private key. This practice is in addition to protecting access to the key file with encrypted media.
However, if you have only one copy of the private key and it is kept on a system that is well secured and not shared, then having a passphrase is simply one more level of protection just in case.
Generate Ssh2 Key Linux
Remember that changing the passphrase on one copy does not change the passphrase on other copies. The passphrase is simply locking access to a specific key file.
Why do think you need an empty passphrase?
There are cases for keys with empty passphrases. Some utilities that need to automatically transfer files between systems need a passwordless method to authenticate. The kdump utility, when configured to dump the kernel to a remote system using SSH, is one example.
Another common use is to generate a key pair for a script that is designed to run unattended, such as from a cron job.
Generate Ssh2 Key Pair Linux
How about a middle ground alternative?
By itself, a passphrase-protected private key requires the passphrase to be entered each time the key is used. This setup does not feel like passwordless SSH. However, there are caching mechanisms that allow you to enter the key passphrase once and then use the key over and over without reentering that passphrase.
More Linux resources
OpenSSH comes with an ssh-agent daemon and an ssh-add utility to cache the unlocked private key. The GNOME desktop also has a keyring daemon that stores passwords and secrets but also implements an SSH agent.
The lifetime of the cached key can be configured with each of the agents or when the key is added. In many cases, it defaults to an unlimited lifetime, but the cache is cleared when the user logs out of the system. You will be prompted for the passphrase only once per login session.
If there is a scheduled application that needs to run outside of a user login session, it may be possible to use a secret or other password manager to automate the unlocking of the key. For example, Ansible Tower stores credentials in a secure database. This database includes an SSH private key used to connect to the remote systems (managed nodes), and any passphrases necessary for those private keys. Once those credentials are stored, a job can be scheduled to run a playbook on a regular schedule.
Generate Ssh2 Key
Automating propagation
A centralized identity manager such as FreeIPA can assist with key propagation. Upload the public key to the server as an attribute of a user account, and then propagate it to the hosts in the domain as needed. FreeIPA can also provide additional host-based access control for where a key may be used.
Keys can also be distributed using Ansible modules. The openssh_keypair module uses ssh-keygen to generate keys and the authorized_key module adds and removes SSH authorized keys for particular user accounts.
Wrapping up
SSH key pairs are only one way to automate authentication without passwords. Using the Generic Security Services Application Program Interface (GSSAPI) authentication is also common when trying to reduce the use of passwords on a network with centralized user management. SSH key pairs are the easier option to implement when single sign-on (SSO) is not already available.
Many source code repositories grant access using SSH keys. You can upload a public key to an account in the hosting organization such as the Fedora Account System, GitLab, or GitHub sites and use that key pair to authenticate when pulling and pushing content to repositories.
Related Content