Complete guide for Generating, Activating, and Using SSH Keys for SSH Access to Ubuntu Server

The default method of logging into an Ubuntu server via SSH is using a username and password. The disadvantage is that your password is usually somewhat "simple" in terms of length and thus vulnerable to brute-force attacks. Moreover, since it is entered via a keyboard, you are not immune to keylogger software. In contrast, an SSH key is exponentially harder to break, and thus, when used correctly, significantly enhances the security of the login process.

  1. Generating ed25519 SSH Keys

    On a computer (Windows / Mac / Linux) that is not connected to the server via SSH (if it is, log out), in the command line or terminal, enter the command:

    ssh-keygen -t ed25519 -C ", PC name"
    • the -t parameter defines the key type ed25519
    • the optional -C parameter adds a comment linking the key to a specific user and computer.

    Confirm/determine the new path and file name (so you can easily recognize them) where the keys will be stored and in the next step create, enter, and confirm by re-entering a security phrase, which will act as the actual password for the private SSH key. Be aware that if you forget the security phrase, it cannot be recovered.

    Two SSH keys are generated in the folder specified in the previous step.

  2. Finding the Public Key

    The public SSH key is a file with the ".pub" extension. Its contents can be accessed by opening it via the Command Line / Terminal.

    type %USERPROFILE%\.ssh\
    cat ~/.ssh/

    The public key starts with the type "ssh-ed25519 AAAAC..."

  3. Remotely Log into the Server Using Username and Password

    1. Connect the computer (from which we are remotely connecting) and the server (to which we are connecting) to the same local network (same router).
    2. Remotely connect to the server
      • Start the Putty client installed on the computer, go to the "Sessions" tab.
      • Enter the "Host" field indicating the server's IP address (found in the router) and the port through which we connect to the server (default is 22 - we will disable it in later steps, but use it now).
      • In the opened command line window, enter the username and password for connecting to the server (defined during server installation).
      • Start the terminal.
      • In the terminal, enter the ssh command linking to the specific user, server IP, and port:
        ssh username@server_ip -p 22

        Note: The ssh command works with default key-based authentication. If it is not specified in the ssh command, the computer tries all known hosts. If there are many known hosts servers on the computer from which we are logging in, we might exceed the maximum number of attempts and get a denial from the server with the notification "Too many authentication failures" because none of the used keys was valid for our server. The fix is simple, clearly specify the authentication method, in this case, a password.

        ssh -o IdentitiesOnly=yes -o PreferredAuthentications=password username@server_ip -p 22
      • Enter the password to connect to the server (defined during server installation).
  4. Uploading the Public Key to the Server

    1. On the server, create a folder for storing public SSH keys with the command mkdir -p ~/.ssh.
    2. Open the authorized_keys file with the command nano ~/.ssh/authorized_keys and insert the public key found in step 1. (insert the entire line starting with ssh-ed25519 ...)
    3. Save and close the "authorized_keys" file by pressing ctrl+x.
    4. End the connection to the server with the command exit.
  5. Remote Login to the Server Using a Private SSH Key

    If using Windows OS and the Putty client, the format of the private key generated in step 1 (file without extension) is not supported by the Putty client. It is therefore necessary to convert it, as follows:

    1. Display the private key with the command type %USERPROFILE%\.ssh\file_name and copy it exactly as it is, including "-----BEGIN OPENSSH PRIVATE KEY-----" and "-----END OPENSSH PRIVATE KEY-----" into a .txt file, which we save.
    2. Download the program "puttygen.exe (a RSA and DSA key generation utility)" from the official Putty website.
    3. Open the downloaded "PuTTY Key Generator", at the bottom select the type "EdDSA" → (Ed25519). At the top bar, choose "File → Load private key". Switch to displaying "All Files (*.*)" and select the .txt file in which we saved the private key. Enter the passphrase, which was defined during the key creation. If everything goes through, we receive the notification "Successfully imported foreign key...".
    4. Press the "Save private key" button and save the private SSH key in a Putty-supported .ppk format again into the .ssh folder. If anything is unclear, the procedure with screenshots can be found here.
    5. Open Putty client, go to "Connections → SSH → Auth → Credentials" and in the "Private key file for authentization" field select "Browse" and choose the .ppk file saved in the previous step.
    6. Go to the "Session" section, fill in the "Host" and "Port" fields, and after pressing the "Open" button, in the newly opened command window, enter the username (login as:), at which point instead of a password request, we should see the identification of the public key, within which we are connecting with a request to insert the passphrase.
    7. Enter the passphrase and log in.
    ssh username@server_ip -p 22 -i ~/.ssh/private_key
  6. Disabling Remote Login Using Username and Password

    Disabling password login is performed by modifying the configuration file. The change itself does not lead to an automatic logout, however, for security reasons, it is advisable to be connected to the server in 2 instances (2 windows), so that in case of a test logout in one and the inability to log in again, you still have the possibility to revert the changes from the second window.

    1. Open the SSH server configuration with the command sudo nano /etc/ssh/sshd_config. Since we use "sudo" at the beginning of the command, we open the file with change rights, and thus a new session after us will require a user password (the password with which we previously logged in).
    2. Find the record #AuthorizedKeysFile and uncomment it by removing the # from its beginning
    3. Find the record KbdInteractiveAuthentication and set it to the value no. Also, make sure it is not commented out (does not start with #)
    4. Find the record PasswordAuthentication yes and change it to no. Make sure it is not commented out (does not start with #)
    5. Ensure that the PermitRootLogin record has the value prohibit-password (PermitRootLogin prohibit-password)
    6. Close the file with the command ctrl+x and save when exiting.
    7. Enter the command sudo sshd -T | grep -i passwordauthentication and verify that its output is "passwordauthentication no".

      In this setting, it is possible to access the server using both the combination of username + private key and traditionally username + password. If we want the option to use only the privatekey, at the end of the /etc/ssh/sshd_config file, it is necessary to define AuthenticationMethods publickey.

    8. Restart the SSH server
      sudo systemctl restart ssh
      sudo systemctl restart sshd
      sudo systemctl restart ssh
    9. Log out with the command logout.
    10. Upon re-login without a public key, after entering the username, you should receive the error message "No supported authentication methods available (server sent: publickey)". When using a privatekey, the login should be successful.
    11. Note: Login using a username and password is still possible locally - via a keyboard connected to the server