Discover how SSH keys work and why they're essential for secure server connections.
SSH stands for Secure Shell. It's a way to connect to another computer over the internet. It lets you do things like run commands on the remote computer, transfer files, and even forward your web browser through the secure connection. SSH is commonly used by system administrators and developers to manage servers and access remote machines securely.
When you want to connect to a server using SSH, you use a pair of keys: a private key (like a secret password) and a public key (like a lock). You keep the private key safe and secure on your computer, because the private key is used to decrypt messages encrypted with the public key. Also, the public key is placed on the server you want to connect to.
The public key is used by the server to verify your identity (authentication). When you attempt to connect to the server, your computer sends the public key to the server. The server then checks if the public key matches the one it has stored. If the public key matches, the server knows that you have the corresponding private key and allows you to connect.
Then, the server asks you to prove you have the private key. You do this by encrypting a message with your private key and sending it back to the server. The server decrypts the message using your public key. If it decrypts correctly, the server lets you in. The private key is never sent over the network during the SSH connection process.
If the server can verify your identity using your private key, authentication is successful, and you are allowed access.
I like using the Ed25519 algorithm to make keys for safe talking. It's named after the curve used in the algorithm. Ed25519 is considered very secure and efficient, making it a popular choice for generating keys. It's not the very latest, but it's still very modern and widely recommended by security experts. Some less secure cryptographic algorithms include DES, RC4, MD5, SHA-1, and RSA with shorter key lengths.
Generating keys on Ubuntu is a way to create special codes that computers use to talk securely. You can do this by using a command like ssh-keygen in the terminal.
1. Create .ssh directory on the remote server, if doesn't exist (user gitdeploy):
sudo -u userdeploy mkdir -p /home/userdeploy/.ssh
2. Create private and public keys in the ~/.ssh/ directory for the specific user (no passphrase):
cd ~/.ssh/
ssh-keygen -t ed25519 -f ~/.ssh/ed25519_userdeploy -C "userdeploy"
After running the ssh-keygen command, you'll get two keys in your user's home ~/.ssh/ directory: one is a private key (like a secret password) named ed25519_userdeploy, and the other is a public key (like a lock) named ed25519_userdeploy.pub, or whatever name you chose during the execution of ssh-keygen command.
3. Open .pub key (starts with ssh-ed25519) and add to the ~/.ssh/authorized_keys file:
cat ~/.ssh/ed25519_userdeploy.pub
nano ~/.ssh/authorized_keys
There's no need to add the public key to the root user's authorized_keys file unless you specifically want to allow the root user to authenticate using the same key. For security reasons, it's generally recommended to limit the use of SSH keys to specific users whenever possible.
4. Set appropriate permissions:
chmod 600 ~/.ssh/authorized_keys
chmod 700 ~/.ssh/
After this, you can copy the private key to your local computer (you user's home ~/.ssh/ folder). This makes it easier to connect to the server securely without having to enter your password each time.
Dont' forget to add the private key and your_remote_server_ip to your known_hosts file:
ssh-keyscan SSH_HOST >> ~/.ssh/known_hosts
Try connecting to the remote server:
ssh -i ~/.ssh/ed25519_userdeploy userdeploy@SSH_HOST
If a matching public key is found, the server will allow you to authenticate without requiring a password.
There's a big chance that if you just copy your private key to Notepad and start over, it won't work. Instead, try generating a new key using ssh-keygen on your computer, then replace the contents of the private key file. This way, it will have the right format and should work.
If you plan to use a GitHub repository and set up a continuous integration and continuous deployment (CI/CD) pipeline using GitHub workflows, you'll need to add your SSH keys to the repository.
GitHub Actions run in a virtual environment based on the latest version of Ubuntu Linux, and everything is similar to what we discussed earlier.
To add your public key, go to your GitHub project's settings and then to "Deploy keys". Click on "Add new" and paste the contents of your public key file into the textarea. The public key should start with ssh-ed25519.
For your private key, along with your deploy user and your VPS host/IP, you can store them securely in repository secrets. Again, go to your GitHub project's settings, then to "Secrets and variables" and "Actions," and click on "New secret." Add SSH_HOST, SSH_USER, and SSH_PRIVATE_KEY. This way, your private key remains safe and only accessible to your workflows.
Now that you've set up your SSH keys, you can start working with your continuous integration and continuous deployment (CI/CD) pipeline. This means you can automate the process of testing and deploying your code, making it faster and more efficient. With your SSH keys in place, your CI/CD pipeline can securely access your repositories and servers to perform these tasks.
Good luck!
May all your endeavors be successful, and may your code always run smoothly.
Best Regards,
Artem