Setting Up Secure SSH Key-Based Authentication

SSH keys are a securer and more convenient alternative to passwords when connecting to remote servers, e.g. your GitHub repositories or web host. In this post you’re going to learn how to generate SSH key-pairs and use them to authenticate with your remote server.

What’s Wrong With Passwords?

Most people use weak passwords, because they’re easy to remember. But weak passwords may be cracked by brute-force attacks. In case your password consists of your dog’s or girlfriend’s name plus the year you were born, it doesn’t even need a tech-savvy person to take over your accounts. All it takes is a few educated guesses. And what if you break up with your girlfriend? Have fun changing your passwords then.

The typical password isn’t safe. Passwords may be compromised. Be it through hacking, cracking, keylogging, social engineering or literally just standing behind you, watching over your shoulder while you’re unsuspectingly typing it.

Also, entering passwords is annoying. Especially if you’re using a safe and therefore long password. But with techniques like rainbow tables, even the most complicated passwords as long as 16 characters aren’t safe anymore. Disregarding the fact that nobody can remember such passwords. Especially not multiple of them. So if you’re like most users, you’re using the same single password for each and every site. This makes it incredibly easy for criminals to steal your identity. With the recent hacks of companies like Yahoo, LinkedIn, eBay or Dropbox, there’s a very good chance that somebody already has your email/password combination. And if you’re using the same password on every website, this somebody can effortlessly get into your Gmail or any other email account. And when he’s in your email account, he can reset every password for every site you use, simply by pressing the “I forgot my password” button on any page and waiting for the email containing the link to change it. Furthermore, imagine the government mistakes you for a terrorist or finds any other reason to become interested in your online activity. US companies are forced by law to comply with the government and to hand out your password or provide access in any other form, if possible.

So what do you do? Easy to remember passwords are weak. Complex passwords are hard to remember (and not necessarily safer). Long passwords like correct horse battery staple are safe and easy to remember, but still annoying to type every time you want to connect to your server. And even the longest and safest password can’t protect you anymore once your credentials are in the hands of the government/criminals after the next big company got hacked.

Introducing Key-Based Authentication

A key-pair consists of two parts—a public part and a private part. Think of them as a door lock and the literal key for your front door. You can’t open a locked door if you don’t have the suitable key. Because your private key never ever leaves your computer not to mention enters the internet, no company will ever know your private key and thus will not be able to reproduce it. So it absolutely doesn’t matter if they give away your public key or hand it to the government. That’s why it’s called public. Anyone can have access to it, as long as he doesn’t obtain your private key he cannot make use of it. You and you alone should have access to your private key.

To check if you’ve already created SSH keys, open your Terminal and type:

ls -al ~/.ssh

If you receive an error that the directory ~/.ssh doesn’t exist, don’t worry! This simply means that you don’t have SSH keys yet.1

In case you already have SSH keys, you can check how secure they are and whether you should create new ones, using this command:

ssh-keygen -l -f ~/.ssh/

If you’re seeing something about RSA and a value either 2048 or 4096 Bit, you’re good. But you probably wouldn’t need this guide if this was the case. So presumably you’re seeing something about DSA/DSS or a value less than 2048 (e.g. 1024). If so, you should create a new key-pair as follows:

ssh-keygen -t rsa -b 4096 -C "here you may enter any comment you like"

As comment you can enter anything you want, e.g. your name, your email address, which machine you used to create the key-pair (MacBook Pro, iMac etc.) or just random nonsense. If you omit the comment parameter, it will set the comment to [email protected] by default, using the information of your current machine. Maybe you don’t want to provide this information because of privacy concerns, so it’s reasonable to set an own comment instead which doesn’t give away much information about you.

When you’re asked for a location to store your key-pair, just press the Enter button. Your public key will then be stored in the default location at ~/.ssh/ and your private key at ~/.ssh/id_rsa. When asked for a passphrase you can either provide one or again press Enter and leave the field empty. I recommend setting one though. Although the passphrase is not necessarily needed, it is another security factor for the unlikely case your private key somehow gets into the hands of someone else, despite all the effort to keep it secret. Because you didn’t make the switch to key-based authentication just to trade your password for a passphrase, there’s a useful program on your computer called ssh-agent. It will securely save your passphrase (e.g. in macOS’s Keychain Access) once you’ve entered it the first time and from then on you’ll never be asked for it again.

As of macOS Sierra, ssh-agent does not save your passphrase anymore due to changes introduced with macOS 10.12.2 in order to align with a change in OpenSSH (more info). To keep the old behavior, you need to perform these commands:

touch ~/.ssh/config
echo "Host *" >> ~/.ssh/config
echo "    UseKeychain yes" >> ~/.ssh/config

Next you’ll have to get your public key to your server. This is very easy with a tool called ssh-copy-id. If you have Homebrew installed, you can get ssh-copy-id like so:

brew install ssh-copy-id

Then copy your public RSA key to your server (replace the placeholders with your own username and hostname/IP address, omitting the braces):

ssh-copy-id [email protected]

In case you placed your key pair somewhere else than default location or gave it a different name, you have to specify the location of you public key using the -i flag:

ssh-copy-id -i location/of/your/key <username>@<host>

In order to use GitHub with SSH instead of HTTPS, the procedure is a little bit different. First copy your public key:

pbcopy < ~/.ssh/

Then go to SSH and GPG keys under GitHub’s Settings page, click on New SSH key and enter the copied public key. Give it a telling name, e.g. “Personal MacBook Pro” or “MacBook Work” and you’re done.

To test your SSH configuration perform this last command:

It should tell you You've successfully authenticated, but GitHub does not provide shell access.. There you have it :relaxed: Now you can connect to your remote servers and GitHub repositories in a new and more secure way. If you’re having trouble setting up your key-pairs or want to know more about this topic, please leave a comment down below!

  1. ~/.ssh is a hidden folder in your home directory where your SSH keys are stored. This folder will be automatically created when we generate a new key-pair.