Skip to content

Click on each book below to review & buy on Amazon.

As an Amazon Associate, I earn from qualifying purchases.

RHCSA - Manage Security: Configure Key-Based Authentication for SSH

Secure Shell (SSH) is a widely used cryptographic network protocol for secure remote login, secure file transfer, and secure command execution over an insecure network.

ssh-keygen Command

The ssh-keygen command is a key utility in SSH that allows users to generate and manage SSH key pairs used for authentication purposes, such as:

  • Key Generation: The command is used to generate new SSH key pairs, which consist of a public key and a corresponding private key. These key pairs are essential for establishing secure connections and authenticating users when connecting to remote systems.
  • Key Conversion: ssh-keygen can convert SSH key formats between different types, such as converting between OpenSSH and SSH-2 formats. This allows users to use their keys across different SSH implementations.
  • Key Management: The command provides various options to manage SSH keys. Users can change the passphrase for a private key, list the fingerprints of keys, regenerate the server host key, revoke trusted keys, and more.
  • Key Authentication: SSH key pairs generated by ssh-keygen are used for authentication purposes. The public key is placed on the remote server, while the corresponding private key is kept securely on the user's local machine. When attempting to connect to the server, the client uses its private key to prove its identity and establish a secure connection.

The ssh-keygen command supports several options to customize key generation and management:

Option Description
-t Specifies the type of key to generate, such as RSA, DSA, or ECDSA.
-b Sets the number of bits in the key. Higher bit lengths offer stronger security.
-C Adds a comment to the key, typically used to provide additional information about the key's purpose or owner.
-f Specifies the filename for the generated key files, allowing users to provide a custom name or location.
-N Sets a new passphrase for the private key, providing an extra layer of security.
-p Changes the passphrase of an existing private key.
-y Outputs the public key portion of a specified private key file.

By default, generated keys will be saved in the ~/.ssh directory unless otherwise specified.

ssh-copy-id Command

The main purpose of the ssh-copy-id command is to securely install a user's public key on a remote server. By doing so, it allows the user to authenticate with the server using their private key instead of entering a password. This improves security and eliminates the need to manually copy the public key file and modify remote server configurations.

The ssh-copy-id command supports several options to customize key copying behavior:

Option Description
-i Specifies the path to the identity (private key) file to be copied. By default, ssh-copy-id looks for keys in the ~/.ssh directory.
-p Specifies the remote SSH server port if it is not the default port 22.
-f Forces the operation, overwriting any existing authorized keys on the remote server.

Key Generation & Copy Exercise

In the following exercise you will create an SSH key pair, copy the keys to a remote system to be able to test login over SSH.

Generate an SSH key pair of type RSA with a key bit size of 4096:

Run the following command to start the key generation:

ssh-keygen -t rsa -b 4096

Press Enter for each prompt which will leave the key to be created in the default location without a passphrase:

Enter file in which to save the key (/home/dtvlinux/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

Copy SSH key to remote system:

If you was following along with the course you will have a server called server2 which is where you can copy the SSH public key to. However if you do not have a second server you can copy the key to localhost which is the same process.

Replace <user> with your remote user and with your servers IP:

ssh-copy-id <user>@<server2 IP>

You will be prompted for the remote users password and if the copy was successful your screen will look similar to:

/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
user1@'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh ''"
and check to make sure that only the key(s) you wanted were added.

As the output suggests, you can now try login onto the server:

ssh <server2 IP>

You will now be logged onto the remote server.

To exit from an SSH session, run:


Support DTV Linux

Click on each book below to review & buy on Amazon. As an Amazon Associate, I earn from qualifying purchases.

NordVPN ®: Elevate your online privacy and security. Grab our Special Offer to safeguard your data on public Wi-Fi and secure your devices. I may earn a commission on purchases made through this link.