- SSH clients will typically use /.ssh/identity (ssh v1) or one of /.ssh/idrsa or /.ssh/iddsa (v2) as the default private key. You can change this in /.ssh/config (the IdentityFile parameter - the -i option to SSH actually overrides this. See man sshconfig for details).
- SSH config file syntax and how-tos for configuring the OpenSSH client.
- Learn how to create an openssh config file to automate server login and create shortcuts for sshd server including advanced ssh client options.
If you are even a tad bit familiar with SSH, you know that you can use it to connect to remote Linux systems.
Using SSH to connect to remote system is simple. All you need to do is to use a command like this:
This connects to the default SSH port 22. You may specify the port as well if you want.
Now this is all plain and simple if you just have one server. Even if you don’t remember the server’s IP address, you can perform a reverse search to the history using the famous terminal keyboard shortcut Ctrl+R and find the SSH command you used in the past.
But things get complicated when you have several servers to manage. I have around ten servers that I connect to from time to time. Some are production servers and some are test servers.
The directory /.ssh/ is the default location for SSH key pairs and the SSH config file. If not specified with a full path, ssh-keygen creates the keys in the current working directory, not the default /.ssh. List of the /.ssh. SSH keys are typically configured in an authorizedkeys file in.ssh subdirectory in the user's home directory. Typically a system administrator would first create a key using ssh-keygen and then install it as an authorized key on a server using the ssh-copy-id tool. See also the dedicated page on configuring authorized keys for OpenSSH.
Now keeping a track of these servers is not easy. Even if I can find the SSH commands from the history, it is difficult to guess which IP belongs to which server.
Of course, I can open my dashboards on Linode, UpCloud, DigitalOcean and Google Cloud to get the IP or keep a list on my local system.
A better and easier way is to use SSH config file.
Using SSH config file for easily connecting to remote servers
The SSH config file allows you to create different profiles for different host configurations. There is no limit to such profiles and you may add as many as possible.
So, if you connect to multiple remote systems via SSH, creating SSH profiles will be a good move to save your time.
Let me show you how to use it.
Step 1: Create the SSH config file
When you install SSH, you’ll have a ~/.ssh directory created automatically. This direct contains your public key, private key a known_hosts file. Your config is also stored here.
At least on Ubuntu, the SSH config file is not created by default. You can easily create this file using the touch command like this:
Step 2: Add an SSH profile in the config file
Now that you have the SSH config file, you can edit it using Vim or Nano. Let me show you an example of the syntax which you should follow.
Let’s say you connect to a server with IP 275.128.172.46. Your username is Alice and the server is used for hosting your website. To harden SSH security, you use port 1500 instead of the default SSH port 22.
You can add all this information in the following manner in your ~/.ssh/config file:
Just save the information in the file. No need to restart any service.
Now, instead of writing a long command like this:
You can just use this command (tab completion works as well):
When you run the above command, ssh looks for a Host named website in the ~/.ssh/config. If it finds a host with that name, it gets all the information related and used it for making an SSH connection.
You might wonder about a few things, so I’ll mention it here:
- There is no space or tab indention restriction while entering the host information. Space or tab indention are used for making the config file easily understandable.
- The Hostname can be the IP address of the server or a hostname that can be resolved on your network.
- All the parameters like hostname, user and port are optional. However, I personally advise keeping at least hostname because that’s what you need (and you forget) most of the time.
- If your SSH config file is wrongly configured, it will result in an error when you try to use it for SSH connection.
- You cannot save passwords in SSH config. I advise adding your public SSH key to the server for easy access.
Step 3: Adding multiple profiles in SSH config file
The previous step gave you an idea about how to add an SSH profile. Let’s take it to the next step by adding multiple profiles in it.
Ssh Config File Multiple Keys
Here’s what the SSH config file looks like now:
This time, I have added four different SSH profiles in it.
Did you notice the Host * entry at the end of the file? You can use this entry to for adding a parameter common to all profiles if that parameter hasn’t been mentioned for the profile explicitly.
So if I try to use the main-server SSH profile, it will automatically take root user.
ssh main-server = ssh root@275.128.172.49
Order of the SSH configuration
The ssh configuration follows the following order:
- command-line options
- user’s configuration file (~/.ssh/config)
- system-wide configuration file (/etc/ssh/ssh_config)
This means that the priority is given to the command you enter and then it looks into ~/.ssh/config and then in /etc/ssh/ssh_config.
So, if you want to override a profile, you can do that using the -o option of the ssh command.
For example, if I use this command:
It will take user bob instead of the user alice as defined in the ~/.ssh/config (in the previous step).
There’s a lot more to SSH config
To be honest, there is so much more to SSH config file that cannot be covered in a single article. You can use name/IP matching, subnets and what not.
The scope of this article was to introduce you to SSH config and help you create SSH profiles for easily connecting to various remote Linux systems.
You can always refer to the man page of ssh_config to know more about the parameters you can use while creating your SSH config file.
I hope this SSH tip was helpful to you. If you already use SSH config file and have a some nifty tip with you, do share it with the rest of us in the comment section.
Become a Member for FREE
Join the conversation.
-->With a secure shell (SSH) key pair, you can create a Linux virtual machine that uses SSH keys for authentication. This article shows you how to create and use an SSH RSA public-private key file pair for SSH client connections.
If you want quick commands, see How to create an SSH public-private key pair for Linux VMs in Azure.
To create SSH keys and use them to connect to a from a Windows computer, see How to use SSH keys with Windows on Azure. You can also use the Azure portal to create and manage SSH keys for creating VMs in the portal.
Overview of SSH and keys
SSH is an encrypted connection protocol that provides secure sign-ins over unsecured connections. SSH is the default connection protocol for Linux VMs hosted in Azure. Although SSH provides an encrypted connection, using passwords with SSH connections still leaves the VM vulnerable to brute-force attacks. We recommend connecting to a VM over SSH using a public-private key pair, also known as SSH keys.
The public key is placed on your Linux VM.
The private key remains on your local system. Protect this private key. Do not share it.
When you use an SSH client to connect to your Linux VM (which has the public key), the remote VM tests the client to make sure it has the correct private key. If the client has the private key, it's granted access to the VM.
Depending on your organization's security policies, you can reuse a single public-private key pair to access multiple Azure VMs and services. You do not need a separate pair of keys for each VM or service you wish to access.
Your public key can be shared with anyone, but only you (or your local security infrastructure) should have access to your private key.
Supported SSH key formats
Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported.
SSH keys use and benefits
When you create an Azure VM by specifying the public key, Azure copies the public key (in the .pub
format) to the ~/.ssh/authorized_keys
folder on the VM. SSH keys in ~/.ssh/authorized_keys
are used to challenge the client to match the corresponding private key on an SSH connection. In an Azure Linux VM that uses SSH keys for authentication, Azure configures the SSHD server to not allow password sign-in, only SSH keys. By creating an Azure Linux VM with SSH keys, you can help secure the VM deployment and save yourself the typical post-deployment configuration step of disabling passwords in the sshd_config
file.
If you do not wish to use SSH keys, you can set up your Linux VM to use password authentication. If your VM is not exposed to the Internet, using passwords may be sufficient. However, you still need to manage your passwords for each Linux VM and maintain healthy password policies and practices, such as minimum password length and regular updates.
Generate keys with ssh-keygen
To create the keys, a preferred command is ssh-keygen
, which is available with OpenSSH utilities in the Azure Cloud Shell, a macOS or Linux host, and Windows 10. ssh-keygen
asks a series of questions and then writes a private key and a matching public key.
SSH keys are by default kept in the ~/.ssh
directory. If you do not have a ~/.ssh
directory, the ssh-keygen
command creates it for you with the correct permissions.
Basic example
The following ssh-keygen
command generates 4096-bit SSH RSA public and private key files by default in the ~/.ssh
directory. If an SSH key pair exists in the current location, those files are overwritten.
Detailed example
The following example shows additional command options to create an SSH RSA key pair. If an SSH key pair exists in the current location, those files are overwritten.
Command explained
ssh-keygen
= the program used to create the keys
-m PEM
= format the key as PEM
-t rsa
= type of key to create, in this case in the RSA format
-b 4096
= the number of bits in the key, in this case 4096
-C 'azureuser@myserver'
= a comment appended to the end of the public key file to easily identify it. Normally an email address is used as the comment, but use whatever works best for your infrastructure.
-f ~/.ssh/mykeys/myprivatekey
= the filename of the private key file, if you choose not to use the default name. A corresponding public key file appended with .pub
is generated in the same directory. The directory must exist.
-N mypassphrase
= an additional passphrase used to access the private key file.
Example of ssh-keygen
Saved key files
Enter file in which to save the key (/home/azureuser/.ssh/id_rsa): ~/.ssh/id_rsa
The key pair name for this article. Having a key pair named id_rsa
is the default; some tools might expect the id_rsa
private key file name, so having one is a good idea. The directory ~/.ssh/
is the default location for SSH key pairs and the SSH config file. If not specified with a full path, ssh-keygen
creates the keys in the current working directory, not the default ~/.ssh
.
List of the ~/.ssh
directory
Key passphrase
Enter passphrase (empty for no passphrase):
It is strongly recommended to add a passphrase to your private key. Without a passphrase to protect the key file, anyone with the file can use it to sign in to any server that has the corresponding public key. Adding a passphrase offers more protection in case someone is able to gain access to your private key file, giving you time to change the keys.
Generate keys automatically during deployment
If you use the Azure CLI to create your VM, you can optionally generate SSH public and private key files by running the az vm create command with the --generate-ssh-keys
option. The keys are stored in the ~/.ssh directory. Note that this command option does not overwrite keys if they already exist in that location.
Provide SSH public key when deploying a VM
To create a Linux VM that uses SSH keys for authentication, provide your SSH public key when creating the VM using the Azure portal, CLI, Resource Manager templates, or other methods. When using the portal, you enter the public key itself. If you use the Azure CLI to create your VM with an existing public key, specify the value or location of this public key by running the az vm create command with the --ssh-key-value
option.
If you're not familiar with the format of an SSH public key, you can see your public key by running cat
as follows, replacing ~/.ssh/id_rsa.pub
with your own public key file location:
Output is similar to the following (here redacted):
If you copy and paste the contents of the public key file into the Azure portal or a Resource Manager template, make sure you don't copy any additional whitespace or introduce additional line breaks. For example, if you use macOS, you can pipe the public key file (by default, ~/.ssh/id_rsa.pub
) to pbcopy to copy the contents (there are other Linux programs that do the same thing, such as xclip
).
If you prefer to use a public key that is in a multiline format, you can generate an RFC4716 formatted key in a pem container from the public key you previously created.
To create a RFC4716 formatted key from an existing SSH public key:
SSH to your VM with an SSH client
With the public key deployed on your Azure VM, and the private key on your local system, SSH to your VM using the IP address or DNS name of your VM. Replace azureuser and myvm.westus.cloudapp.azure.com in the following command with the administrator user name and the fully qualified domain name (or IP address):
If you provided a passphrase when you created your key pair, enter the passphrase when prompted during the sign-in process. (The server is added to your ~/.ssh/known_hosts
folder, and you won't be asked to connect again until the public key on your Azure VM changes or the server name is removed from ~/.ssh/known_hosts
.)
If the VM is using the just-in-time access policy, you need to request access before you can connect to the VM. For more information about the just-in-time policy, see Manage virtual machine access using the just in time policy.
Use ssh-agent to store your private key passphrase
To avoid typing your private key file passphrase with every SSH sign-in, you can use ssh-agent
to cache your private key file passphrase. If you are using a Mac, the macOS Keychain securely stores the private key passphrase when you invoke ssh-agent
.
Verify and use ssh-agent
and ssh-add
to inform the SSH system about the key files so that you do not need to use the passphrase interactively.
Now add the private key to ssh-agent
using the command ssh-add
.
The private key passphrase is now stored in ssh-agent
.
Use ssh-copy-id to copy the key to an existing VM
If you have already created a VM, you can add a new SSH public key to your Linux VM using ssh-copy-id
.
Create and configure an SSH config file
You can create and configure an SSH config file (~/.ssh/config
) to speed up log-ins and to optimize your SSH client behavior.
The following example shows a simple configuration that you can use to quickly sign in as a user to a specific VM using the default SSH private key.
Sshd_config File Public Key
Create the file.
Edit the file to add the new SSH configuration
Add configuration settings appropriate for your host VM. In this example, the VM name is myvm and the account name is azureuser.
You can add configurations for additional hosts to enable each to use its own dedicated key pair. See SSH config file for more advanced configuration options.
Ssh Config File Key Finder
Now that you have an SSH key pair and a configured SSH config file, you are able to sign in to your Linux VM quickly and securely. When you run the following command, SSH locates and loads any settings from the Host myvm
block in the SSH config file.
The first time you sign in to a server using an SSH key, the command prompts you for the passphrase for that key file.
Next steps
Next up is to create Azure Linux VMs using the new SSH public key. Azure VMs that are created with an SSH public key as the sign-in are better secured than VMs created with the default sign-in method, passwords.