Programster's Blog

Tutorials focusing on Linux, programming, and open-source

Ubuntu - Sharing SSH Keys

Steps

Sharing your default public key (`~/.ssh/id_rsa.pub`) with a remote server is as easy as:

ssh-copy-id user@hostname.domain.com

This defaults to adding your $HOME/.ssh/id_rsa.pub public key file. However, it will also add all of your keys within your SSH agent, which may not be what you want. You can check your SSH agent by running ssh-add -l. If you wish to add a specific key, it is best to specify it with the -i parameter as shown in the examples below.

If you want to use a specific key, then use the following:

ssh-copy-id -i /path/to/public/key.pub user@hostname.domain.com

If you want to use a specific key and a specific port, then use the following:

ssh-copy-id \
  -p $PORT \
  -i /path/to/public/key.pub \
  user@hostname.domain.com

If you don't already have an identity, an error will pop up and you will need to run the following before retrying.

ssh-keygen

This grants you password-less access to the remote machine, not the other way around!

Always use a passphrase on your keys to prevent them being useful to malicious users who compromise your servers. Tools like Ansible will detect when a key requires a passphrase and will automatically prompt you for it.

Manual Method

Sometimes you need to do things manually, such as when you can only use a key to log into the server and need to add another key. In such situations, just copy the public key (which should look something like below)

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpPhKCzJUS6RGRza+FudimGKR2RILtShMyN1Gsd0V7r3H1vJ2WwwgMGjUQmow6IyFEFH+1TlbCGDTGxRA82G5+vW3NCbbtkTXyEJsVQ7/QkLqnQL4++BRLhJ5UAzKv84Ohw45VeJPVtW/gAqvB7r4+vcRNPrW3dRW8TVgF9fAi5RdacDXBBGFkSE1IA5mAMqDmiXryn4SlqFqeS4n/jsEFsCmOPo1S67xqp/QsVYyZHjS9jFwxxLuSj/7VT0QuQcU1Q7QWifGM4Rdj8jIboxEoM59Ws9GpeJK94UUX+L8vg8QUp+wiEdQnrzyaTVbu0NtPUdsmynNcM06XWM74E2bT stuart@stu-home-office

... and append it into the $HOME/.ssh/authorized_keys of the user that you want to use the key to login as.

This is a single line that will look like an entire paragraph once it wraps. The bit at the end, such as stuart@stu-home-office, is just an identifier that you can change to something more memorable, e.g. to record which other servers/users have been granted access to the server, so that you can remove them at a later date without accidentally removing the wrong key.

Create Folder / File If It Doesn't Exist

It is not uncommon for the folder/file to not exist yet, especially if you just added a fresh user to the system. You can create them with the following commands:

# Directory: owner-only (700). Key file: owner read/write, not executable (600).
mkdir -p "$HOME/.ssh" \
  && chmod 700 "$HOME/.ssh" \
  && touch "$HOME/.ssh/authorized_keys" \
  && chmod 600 "$HOME/.ssh/authorized_keys"

The permissions are very important. If you don't set them up correctly, you won't be able to SSH into the server, and you will be left wondering why it's not working, as you won't get any helpful error message.

Manual Removal

Removing an SSH key from being able to access the server is as easy as removing the appropriate line from the .ssh/authorized_keys file (or commenting it out with a #), and then restarting the ssh service with:

sudo service sshd restart

I did this recently and thought I was still able to access the server using the old key. It turned out that gnome-keyring was just automatically using the new key. You may wish to remove gnome-keyring to save confusion by running sudo apt remove gnome-keyring.
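
The manual add, folder/file creation and manual removal steps above can be wrapped into two small shell functions that are safe to run repeatedly. This is an added example, not code from the original post; the function names, the optional directory argument and the sample key line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: idempotent add/remove of one key in authorized_keys.
# Function names and the optional ssh_dir argument are illustrative assumptions.

# Constructed sample line (not a real key); use the contents of your own .pub file.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedSampleBlobNotARealKey0000000000 alice@laptop'
NL='
'

# add_authorized_key "<key line>" [ssh_dir]
# Returns 0 when the key is present afterwards, 2 when the line is not a public key.
add_authorized_key() {
  ak_line=$1; ak_dir=${2:-$HOME/.ssh}; ak_file=$ak_dir/authorized_keys
  ak_type=${ak_line%% *}; ak_rest=${ak_line#* }; ak_blob=${ak_rest%% *}
  # A public key is ONE line: "<type> <base64 blob> [comment]".
  case $ak_line in *"$NL"*) return 2 ;; esac
  case $ak_type in ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;; *) return 2 ;; esac
  case $ak_blob in AAAA*) ;; *) return 2 ;; esac           # every key blob starts AAAA
  case $ak_blob in *[!A-Za-z0-9+/=]*) return 2 ;; esac     # base64 alphabet only

  mkdir -p "$ak_dir" && chmod 700 "$ak_dir" || return 1    # directory: owner only
  touch "$ak_file" && chmod 600 "$ak_file" || return 1     # file: owner read/write
  # Match on the blob so a re-labelled comment does not create a duplicate entry.
  grep -qF -- "$ak_blob" "$ak_file" && return 0
  printf '%s\n' "$ak_line" >>"$ak_file"
}

# remove_authorized_key "<key line>" [ssh_dir]: drop every entry carrying that blob.
remove_authorized_key() {
  rk_rest=${1#* }; rk_blob=${rk_rest%% *}
  rk_file=${2:-$HOME/.ssh}/authorized_keys
  [ -n "$rk_blob" ] || return 2            # an empty pattern would match every line
  [ -f "$rk_file" ] || return 0
  rk_tmp=$(mktemp "$rk_file.XXXXXX") || return 1    # mktemp creates the file mode 600
  grep -vF -- "$rk_blob" "$rk_file" >"$rk_tmp" || true   # grep exits 1 if nothing is left
  mv "$rk_tmp" "$rk_file"
}
```

Run on the server as the target user, for example `add_authorized_key "$(cat key.pub)"`; the second argument is only needed when the `.ssh` directory is somewhere other than `$HOME/.ssh`.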

Last updated: 27th March 2024
First published: 16th August 2018

This blog is created by Stuart Page

I'm a freelance web developer and technology consultant based in Surrey, UK, with over 10 years experience in web development, DevOps, Linux Administration, and IT solutions.
