-->
To create a key pair using a third-party tool. Generate a key pair with a third-party tool of your choice. Save the public key to a local file. For example, /.ssh/my-key-pair.pub (Linux) or C: keys my-key-pair.pub (Windows). The file name extension for this file is not important. Nov 10, 2011 How to Generate A Public/Private SSH Key Linux By Damien – Posted on Nov 10, 2011 Nov 18, 2011 in Linux If you are using SSH frequently to connect to a remote host, one of the way to secure the connection is to use a public/private SSH key so no password is transmitted over the network and it can prevent against brute force attack. Nov 20, 2019 Generate Public Key. This method involves generating an SSH key pair on the source machine and place it on the destination machine by login into it manually. First, login into the source machine and create an SSH key pair using the following command. email protected $ ssh-keygen. Output: Generating public/private rsa key pair.
With a secure shell (SSH) key pair, you can create virtual machines (VMs) in Azure that use SSH keys for authentication, eliminating the need for passwords to sign in. This article shows you how to quickly generate and use an SSH public-private key file pair for Linux VMs. You can complete these steps with the Azure Cloud Shell, a macOS or Linux host, the Windows Subsystem for Linux, and other tools that support OpenSSH.
Note
VMs created using SSH keys are by default configured with passwords disabled, which greatly increases the difficulty of brute-force guessing attacks.
For more background and examples, see Detailed steps to create SSH key pairs.
For additional ways to generate and use SSH keys on a Windows computer, see How to use SSH keys with Windows on Azure.
Supported SSH key formats
Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported.
Create an SSH key pair
Use the
ssh-keygen
command to generate SSH public and private key files. By default, these files are created in the ~/.ssh directory. You can specify a different location, and an optional password (passphrase) to access the private key file. If an SSH key pair with the same name exists in the given location, those files are overwritten.The following command creates an SSH key pair using RSA encryption and a bit length of 4096:
If you use the Azure CLI to create your VM with the az vm create command, you can optionally generate SSH public and private key files using the
--generate-ssh-keys
option. The key files are stored in the ~/.ssh directory unless specified otherwise with the --ssh-dest-key-path
option. The --generate-ssh-keys
option will not overwrite existing key files, instead returning an error. In the following command, replace VMname and RGname with your own values:Provide an SSH public key when deploying a VM
To create a Linux VM that uses SSH keys for authentication, specify your SSH public key when creating the VM using the Azure portal, Azure CLI, Azure Resource Manager templates, or other methods:
If you're not familiar with the format of an SSH public key, you can display your public key with the following
cat
command, replacing ~/.ssh/id_rsa.pub
with the path and filename of your own public key file if needed:A typical public key value looks like this example:
If you copy and paste the contents of the public key file to use in the Azure portal or a Resource Manager template, make sure you don't copy any trailing whitespace. To copy a public key in macOS, you can pipe the public key file to
pbcopy
. Similarly in Linux, you can pipe the public key file to programs such as xclip
.The public key that you place on your Linux VM in Azure is by default stored in ~/.ssh/id_rsa.pub, unless you specified a different location when you created the key pair. To use the Azure CLI 2.0 to create your VM with an existing public key, specify the value and optionally the location of this public key using the az vm create command with the
--ssh-key-values
option. In the following command, replace VMname, RGname, and keyFile with your own values:If you want to use multiple SSH keys with your VM, you can enter them in a space-separated list, like this
--ssh-key-values sshkey-desktop.pub sshkey-laptop.pub
.SSH into your VM
With the public key deployed on your Azure VM, and the private key on your local system, SSH into your VM using the IP address or DNS name of your VM. In the following command, replace azureuser and myvm.westus.cloudapp.azure.com with the administrator user name and the fully qualified domain name (or IP address):
If you specified a passphrase when you created your key pair, enter that passphrase when prompted during the login process. The VM is added to your ~/.ssh/known_hosts file, and you won't be asked to connect again until either the public key on your Azure VM changes or the server name is removed from ~/.ssh/known_hosts.
If the VM is using the just-in-time access policy, you need to request access before you can connect to the VM. For more information about the just-in-time policy, see Manage virtual machine access using the just in time policy.
Next steps
- For more information on working with SSH key pairs, see Detailed steps to create and manage SSH key pairs.
- If you have difficulties with SSH connections to Azure VMs, see Troubleshoot SSH connections to an Azure Linux VM.
Secure your systems with multiple SSH keys without losing your mind.
Some sites I interact with use SSH keys for access instead of passwords. As with passwords, I try to make a conscious decision about passphrases, and when to reuse or make new keys.
To manage these keys, I use a combination of command-line options, configuration settings, and passphrase caching agents.
Why use different key pairs?
More Linux resources
I currently have about a half dozen places where I use SSH keys on a regular basis and several other less frequently accessed locations. In particular, I use different key pairs for:
- Each of my consulting clients.
- Lab or testing environments.
- Training classrooms and similar environments that use shared keys.
- Networks I manage where the public key is loaded into an identity management system that propagates it out to the systems I access interactively.
- Each upstream community that allows SSH access, usually to gain write access for source control commits. (Again, the public key is often uploaded to a central site and propagated in an automated manner.)
Of course, I need to keep all of these keys secure. I passphrase protect all (ok, most of) the keys, and am careful about access to the private key files. In addition to the keys used from my workstation, I also have separate keys for any shared applications, plus the keys that need to be uploaded to an automation system such as Ansible Tower.
How does my system decide which key to use?
When I generate an SSH key pair, I get prompted for the name of the public key (identity) file with a default of
~/.ssh/id_rsa
. I pick a name that hopefully makes as much sense to future me as it does currently. When I use a client command such as ssh
or scp
, the utility selects a file based on command-line options, a per-host basis in the configuration file, or program defaults:The
ssh
man page not only describes the -i
option, but also has a section titled AUTHENTICATION which further explains the steps used to determine which key or other method is used.Command-line options
There are a few options I use on the command line during setup, or for verification and then later in the configuration file for future use. The
-i
option specifies the key to use and works the same with all of the SSH client utilities, including the ssh
, ssh-copy-id
, and scp
commands:This option can be given muliple times to limit which keys to try, if you know it is one of a handful of keys, but I usually only need to specify the exact key.
I also use a handful of other options specified with
-o
. These options are described in the ssh_config
man page. The IdentityFile
SSH option can be used instead of -i
. The following command has the same result as the one above:Other options I use include:
PreferredAuthentications
specifies the order of methods to try. The default generally has five to six options listed with Kerberos first, keys in the middle, and password last. If I know I need to be prompted for a password, such as when copying a new public key to a host, I use-o PreferredAuthentications=password
.PasswordAuthentication
defaults toyes
so that if other methods fail, the user will see a password prompt. I sometimes disable this setting to ensure that I am authenticating with a method other than SSH password authentication. If I see a prompt, I know it is a passphrase or Kerberos prompt. I only need to specifyPasswordAuthentication=yes
if I am trying to override a locally customized configuration file.PubkeyAuthentication
defaults toyes
so that key authentication is attempted. I may set this option to no if I know I need to be prompted for a password, such as to add or replace a key usingssh-copy-id
.IdentitiesOnly
defaults tono
, but when set toyes
, tells SSH to use only the identity specified on the command line or in the configuration file. The client will not try other identities, even if offered byssh-agent
or a PK11 provider.
Common authentication error
There is a limit on attempts before the SSH server will fail the authentication. When I try to place a key on a new system, I often get a
Received disconnect from x.x.x.x port 22:2: Too many authentication failures
error message, which means that the client attempted to authenticate with each method and each key and was ultimately disconnected from the server before getting to the final method of prompting for a password.In the
sshd_config
file, you can configure MaxAuthTries
. It defaults to six. If I have just key and password authentication methods in use, and I have more than five keys, each key is checked in turn until I'm disconnected from the server before I get a chance to enter a password. I don’t always have access to the server-side configuration. Even if I did, I would not change this setting just for the few users that have such a large collection of keys.Rhel Generate Ssh Key Pair Number
When I know I need password authentication, I make use of
PubkeyAuthentication=no
or PrefferedAuthentication=password
to make sure I get prompted for the password. If I have a particular key to use, I can specify the key and set IdentiesOnly=yes
so that only that key is tried:Configuration file Host entries
To avoid repetitive and lengthy command-line options, I maintain a local configuration file that sets the identity and other options for each destination. As a user, I configure a
~/.ssh/config
file. I start by copying the sample from the /etc/ssh
directory and then I make use of the ssh_config
man page for additional possibilities:For example, I might create a
Host
section for each destination. Each Host
entry supports multiple destinations, as well as wildcards for pattern matching. The ssh_config
man page shows many examples, but here’s a particularly useful one for Fedora users:If you have a different username on different systems, you can add the
User
option to specify which one. When I connect to one of the hosts listed above, I can just use ssh host
instead of ssh user@host
, and the correct username will be passed from the configuration file, thanks to:You can also add one or more
IdentityFile
lines for keys used at these sites:Then, add any other options for managing the connection. This includes options to enable or disable authentication methods as well as destination ports, environment settings, and proxy commands. You might ultimately end up with:
This section of your
~./ssh/config
file might end up looking something like this:A final word on lost keys and key rotation
With multiple keys, I need to determine if all keys were compromised, or if only a single key needs to be rotated. A theft of my laptop would be all keys. If I copy a single key to a new client system and forget to remove it, then I only worry about that one key. Which is exactly why I use different keys for lab testing or any situation where I may need to share a key. My client configuration files then make it easy for me to use a variety of keys on a daily basis.
Free Event: Red Hat Summit 2020 Virtual Experience
Rhel Generate Ssh Key Pair In Linux
Attend the Red Hat Summit 2020 virtual experience, April 28-29.