Redirecting you to
Contact Us
Blog Post Sep 24, 2020

SSH Keys Explained: Generation, Authentication, Key Pair Info & More

SSH keys not only improve security but also enable the automation of connected processes, single sign-on (SSO), and identity and access management at scale that today’s businesses require.

What is an SSH key?

An SSH key is a secure access credential used in the Secure Shell (SSH) protocol. SSH keys pairs use public key infrastructure (PKI) technology, the gold standard for digital identity authentication and encryption, to provide a secure and scalable method of authentication.

As the SSH protocol is widely used for communication in cloud services, network environments, file transfer tools, configuration management tools, and other computer-dependent services, most organizations use this type of key-based authentication to verify identities and protect those services from unintended use or malicious attacks.

Public and private keys

An SSH key relies upon the use of two related keys, a public key and a private key, that together create a key pair that is used as the secure access credential. The private key is secret, known only to the user, and should be encrypted and stored safely. The public key can be shared freely with any SSH server to which the user wishes to connect. These keys are normally managed by an organization’s IT team, or better yet, with the help of a trusted Certificate Authority (CA) to ensure they are stored safely.

To create the digital identity, the public and private key are both generated, and the pair is associated with each other using a strong public key cryptography algorithm. The most common mathematical algorithms used for key generation are Rivest–Shamir–Adleman (RSA) and Elliptic Curve Digital Signature Algorithm (ECDSA).

These algorithms use various computation methods to generate random numeric combinations of varying length so that they cannot be exploited with a brute force attack. The key size or bit length helps determine the strength of protection. 2048-bit RSA keys or 521-bit ECDSA keys offer sufficient cryptographic strength to keep hackers from cracking the algorithm.

How does SSH key authentication work?

The SSH key pair is used to authenticate the identity of a user or process that wants to access a remote system using the SSH protocol. The public key is used by both the user and the remote server to encrypt messages. On the remote server side, it is saved in a public key file. On the user’s side, it is stored in SSH key management software or in a file on their computer. The private key remains only on the system being used to access the remote server and is used to decrypt messages.

When a user or process requests a connection to the remote server using the SSH client, a challenge-response sequence is initiated to complete authentication. The SSH server recognizes that a connection is being requested and sends an encrypted challenge request using the shared public key information. The SSH client then decrypts the challenge message and responds back to the server. The user or process must respond correctly to the challenge to be granted access. This challenge-response sequence happens automatically between the SSH client and server without any manual action by the user.

Diagram showing how SSH key authentication works

SSH public key authentication vs. passwords

At a high level, SSH keys function like passwords by controlling access. But that’s where the similarity ends. Digital identities need to be strong so that they cannot be stolen, convenient so that access is fast and never interrupted, and future-proof so that enterprises can stay ahead of possible threats.

Passwords used to offer a measure of security, but they are not as effective as they once were. That’s because bad actors have become increasingly adept at stealing passwords in transit through the internet, lifting them from repositories, and obtaining them through brute force attacks.

These security risks and issues are compounded by the human factor: that people reuse, share, and continually forget passwords. The cost to businesses is high, not only because of data loss, outages, and the compromise of information, but also because passwords take time to enter, require significant support resources, and must be frequently reset.

Using PKI's cryptographic strength and authentication methods, SSH keys are not prone to malicious attacks and valid credentials are not exposed if a system or server has been compromised. PKI cryptography is being improved continuously, future-proofing identities against new and evolving threats.

SSH key authentication is also more convenient than password authentication. The keys connect users and processes to a server by initiating authentication and granting access automatically, so users don’t have to remember or enter their password for each and every system.

How to create an SSH key and store it

Before you're able to use SSH keys, a key pair needs to be generated. This can be performed using an automated certificate management system or it can be performed manually by a system administrator.

Generating and storing keys manually can be accomplished on the most common operating systems. On Windows systems, they can be generated using the ssh-keygen command line tool or an SSH client, like PuTTy. On MacOs and Linux systems, they are generated using a terminal window.

To generate an SSH key, complete the following command line steps:

  1. Enter the key gen command $ ssh-keygen -t rsa
  2. Enter file in which to save the keys. Typically, the keys stored in the home directory or ~/.ssh/ directory (e.g. /home/foldername/.ssh/id_rsa or /c/Users/username/.ssh/id_rsa)
  3. Enter a passphrase or leave empty for no passphrase. Note: The passphrase provides an additional layer of password protection for the key pair, but the user must type in the passphrase each time the key pair is used.

Once the pair is generated, the next step is to put the public one on the remote server. A system administrator can copy the SSH public key into the remote server’s authorized_keys file using the ssh-copy-id command (e.g. $ ssh-copy-id username@IP address). Alternatively, you can paste in the keys using secure shell command (e.g. $ cat ~/.ssh/id_rsa.pub | ssh username@IP address "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys").

SSH key management

Proper SSH key management is essential for organizations as these keys grant access to mission-critical business systems and data. Yet, managing them manually can be time-consuming and prone to error. It is further complicated by the fact that organizations typically have thousands, if not millions of keys stored throughout their environment. The security they provide can easily be undermined if configuration, provisioning, and termination policies are not in place and actively managed.

For example, when issued keys are no longer needed, as in the case when employees leave an organization, IT staff may forget to terminate them. Discovery of such orphaned keys is almost impossible, which creates a risk that they exist on systems that are not closely controlled. If these orphaned keys are unprotected, they can be stolen by a malicious actor, who can then use the still active credentials to access your critical business systems and data.

Dedicated SSH key management solutions using the ssh-agent helper program are available to provision, configure, and terminate keys. Using these solutions is significantly better than managing manually, but this approach requires busy IT staff to use another management tool in addition to their existing security and administrative solutions. Instead, IT teams should use a centralized certificate management solution that automatically manages all PKI-based certificates. Leveraging a singular approach to certificate management allows IT staff to complete all of their key management tasks in one dashboard.

See how Sectigo’s automated certificate lifecycle management solution can help. Learn more about automating SSH key management by listening to this episode of Sectigo’s Root Causes podcast.