TL;DR
Host keys secure a server (the host), verifying it’s who it says it is. User keys secure *your* access to servers, proving you are authorized. They have different purposes and locations on the system.
Understanding SSH Keys
SSH (Secure Shell) uses public-key cryptography in two places: to let you log in to remote servers without typing a password every time, and to let your client recognise the server it is talking to. There are two main types of keys involved:
1. Host Keys
- Purpose: Host keys identify the server you’re connecting to. They prevent “man-in-the-middle” attacks where someone tries to pretend to be the server.
- Location: The host key pair lives on the server, in /etc/ssh/. Your client machine keeps a copy of each server’s *public* host key in the ~/.ssh/known_hosts file.
- How it works: When you connect to a server for the first time, SSH shows you the fingerprint of the server’s host key and asks you to confirm it. If you accept, the public key is added to your known_hosts file, and every later connection checks that the server still proves possession of that same key. If the key changes, the client refuses to connect and prints a “REMOTE HOST IDENTIFICATION HAS CHANGED” warning; treat that as a possible man-in-the-middle until you have confirmed out of band that the server really was reinstalled or rekeyed.
- Example: Imagine a passport. The server presents its “passport” (host key). Your computer checks that it matches the one it recorded last time.
- Key Files: Common host key files on the server include:
  - /etc/ssh/ssh_host_rsa_key
  - /etc/ssh/ssh_host_ecdsa_key
  - /etc/ssh/ssh_host_ed25519_key
  Each of these private keys has a matching public key beside it with a .pub suffix; the private files must be readable only by root.
2. User Keys
- Purpose: User keys authenticate *you* to the server. They prove you have permission to log in.
- Location: The private key stays on your client machine; only the public key is copied to the server, into the ~/.ssh/authorized_keys file of the account you log in as.
- How it works: You generate a key pair (private and public key) on your client and copy the *public* key into ~/.ssh/authorized_keys for the user account you want to access. When you connect, the server challenges your client to sign data with the private key and checks the signature against the listed public key; the private key itself is never sent over the wire.
- Example: Imagine a door key. The server has a lock (expects a specific public key). You have the key (private key) that opens it.
- Key Files: Common user key files include:
  - Client: ~/.ssh/id_rsa (private key – keep this SECRET!), or ~/.ssh/id_ed25519 for an Ed25519 key
  - Client: ~/.ssh/id_rsa.pub (public key – can be shared), or ~/.ssh/id_ed25519.pub
  - Server: ~/.ssh/authorized_keys (stores the public keys allowed to connect, one per line)
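The two file formats above are close cousins: a known_hosts line is `hosts keytype base64-blob [comment]` and an authorized_keys line is `[options] keytype base64-blob [comment]`, where the blob is the SSH wire encoding of the public key. The following Python is an added example, not code from the original page, that serves both the host-key section (parsing known_hosts, including `HashKnownHosts` entries, computing the SHA256 fingerprint that `ssh-keygen -lf` prints, and pinning a host to an expected fingerprint) and the user-key section (auditing an authorized_keys entry for a weak algorithm, a short RSA modulus or a missing `from=` restriction). The sample keys are constructed byte strings rather than real keys, the 3072-bit RSA floor and the treatment of ssh-dss as weak are this example’s assumptions, and the tokenizer does not handle escaped quotes inside option values.

```python
"""Parse and audit OpenSSH public-key lines (known_hosts and authorized_keys).

Added example, not from the original page. The sample keys at the bottom are
constructed byte strings, not real keys; real ones come from ssh-keygen / ssh-keyscan.
"""
import base64
import hashlib
import hmac
import struct

# Assumption: ssh-dss is treated as weak (OpenSSH disables DSA by default).
KEY_TYPES = {"ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "ssh-rsa", "ssh-dss"}
WEAK_TYPES = {"ssh-dss"}

def ssh_strings(blob: bytes) -> list[bytes]:
    """Split an SSH wire blob into its uint32-length-prefixed strings (RFC 4251)."""
    out, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated string")
        out.append(blob[off:off + n])
        off += n
    return out

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form printed by `ssh-keygen -lf` (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def tokenize(line: str) -> list[str]:
    """Split on unquoted whitespace so command="a b" stays one token (no \\" handling)."""
    tokens, cur, quoted = [], "", False
    for ch in line.strip():
        if ch == '"':
            quoted = not quoted
        if ch.isspace() and not quoted:
            if cur:
                tokens.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        tokens.append(cur)
    return tokens

def parse_key_line(line: str) -> tuple[str, str, bytes, str]:
    """Return (prefix, keytype, blob, comment). prefix is the hosts field (known_hosts)
    or the options field (authorized_keys); empty when the line starts with the key type.
    Rejects lines whose declared type differs from the type embedded in the blob."""
    tokens = tokenize(line)
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no key type followed by key material")
    keytype, blob = tokens[idx], base64.b64decode(tokens[idx + 1], validate=True)
    strings = ssh_strings(blob)
    if not strings or strings[0].decode(errors="replace") != keytype:
        raise ValueError(f"declared {keytype} but blob encodes something else")
    return " ".join(tokens[:idx]), keytype, blob, " ".join(tokens[idx + 2:])

def host_matches(hosts_field: str, hostname: str) -> bool:
    """Match a known_hosts hosts field: comma-separated names, or a |1|salt|hmac hashed entry."""
    if hosts_field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = hosts_field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hostname.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    return hostname in hosts_field.split(",")

def verify_pinned_host(line: str, hostname: str, expected_fp: str) -> bool:
    """Host-key pinning: the entry must name the host and carry the expected fingerprint."""
    hosts, _, blob, _ = parse_key_line(line)
    return host_matches(hosts, hostname) and hmac.compare_digest(fingerprint(blob), expected_fp)

def rsa_bits(blob: bytes) -> int:
    """Modulus size of an ssh-rsa blob, whose strings are (type, e, n) with n an mpint."""
    _, _e, n = ssh_strings(blob)
    return int.from_bytes(n, "big").bit_length()

def audit_authorized_key(line: str, min_rsa_bits: int = 3072) -> list[str]:
    """Findings for one authorized_keys entry: weak algorithm, short RSA, missing from=."""
    options, keytype, blob, _ = parse_key_line(line)
    findings = []
    if keytype in WEAK_TYPES:
        findings.append(f"{keytype} is disabled by default in current OpenSSH")
    if keytype == "ssh-rsa" and rsa_bits(blob) < min_rsa_bits:
        findings.append(f"ssh-rsa modulus is {rsa_bits(blob)} bits, below {min_rsa_bits}")
    if "from=" not in options:
        findings.append("no from= restriction: usable from any source address")
    return findings

# --- constructed sample data (not real keys) ---------------------------------
def mpint(n: int) -> bytes:
    """SSH mpint: big-endian, with a leading zero byte when the top bit is set."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def encode_key(keytype: str, *fields: bytes) -> bytes:
    """Build a wire blob from its strings (used here only to fabricate samples)."""
    return b"".join(struct.pack(">I", len(f)) + f for f in (keytype.encode(), *fields))

def format_key_line(prefix: str, keytype: str, blob: bytes, comment: str = "") -> str:
    return " ".join(p for p in (prefix, keytype, base64.b64encode(blob).decode(), comment) if p)

def hashed_host(hostname: str, salt: bytes) -> str:
    """Produce a known_hosts |1| entry as `HashKnownHosts yes` would."""
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

SAMPLE_ED25519 = encode_key("ssh-ed25519", bytes(range(32)))  # 32 dummy bytes, not a real point
SAMPLE_RSA_1024 = encode_key("ssh-rsa", mpint(65537), mpint((1 << 1023) | 1))  # dummy 1024-bit n
KNOWN_HOSTS_LINE = format_key_line(hashed_host("bastion.example.net", b"\x01" * 20),
                                   "ssh-ed25519", SAMPLE_ED25519)
AUTHORIZED_KEYS_LINE = format_key_line(
    'from="10.0.0.0/8",command="/usr/local/bin/backup-only"',
    "ssh-rsa", SAMPLE_RSA_1024, "backup@example")

if __name__ == "__main__":
    print(fingerprint(SAMPLE_ED25519))
    print(verify_pinned_host(KNOWN_HOSTS_LINE, "bastion.example.net", fingerprint(SAMPLE_ED25519)))
    print(audit_authorized_key(AUTHORIZED_KEYS_LINE))
```

The type check in `parse_key_line` is the detail worth keeping: the first string inside the blob repeats the key type, so a line whose declared type and embedded type disagree has been hand-edited or corrupted and should not be trusted. Fingerprint comparison uses `hmac.compare_digest` rather than `==` out of habit; for pinning a public value the timing does not matter, but it costs nothing.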
3. Key Differences Summarised
| Feature | Host Key | User Key |
|---|---|---|
| Purpose | Server identification | User authentication |
| Location (Client) | ~/.ssh/known_hosts (cached public keys of servers you have connected to) | ~/.ssh/id_rsa (private), ~/.ssh/id_rsa.pub (public) |
| Location (Server) | /etc/ssh/ssh_host_*_key (private) and the matching .pub files | ~/.ssh/authorized_keys (public keys only) |
| Sharing | Public key is sent to every client that connects; the client pins it in known_hosts on first connection. Private key never leaves the server. | Public key is copied to each server you need to reach. Private key never leaves the client. |
4. Practical Example: Generating and Using Keys
To generate a user key pair:

```shell
ssh-keygen -t rsa -b 4096
```

This creates a new RSA key with a bit length of 4096. You’ll be prompted for a filename and a passphrase; set a passphrase so that a copied key file cannot be used without it. (Since OpenSSH 9.5, ssh-keygen generates Ed25519 keys by default; those are shorter and equally acceptable.)

To copy your public key to the server (using ssh-copy-id):

```shell
ssh-copy-id user@server_address
```

Replace user with your username on the server and server_address with the server’s address. ssh-copy-id logs in once (with your password or an existing key) and appends your public key to ~/.ssh/authorized_keys on the server; afterwards, log in again to confirm the key is used and no password prompt appears.
5. Cybersecurity Considerations
- Protect Your Private Key: Never share your private key (e.g., ~/.ssh/id_rsa). Keep it readable only by you (the client refuses to use a key file that other users can read), protect it with a passphrase, and never copy it onto servers. If it is compromised, whoever holds it can log in wherever the matching public key is authorized.
- Host Key Verification: Always verify the host key fingerprint when connecting to a new server for the first time, by comparing it with a fingerprint obtained out of band (from the server’s administrator or console), and never bypass a changed-host-key warning without understanding why it appeared.
- Key Rotation: Regularly rotate your SSH keys (generate new ones) as a security best practice, and remove the old public key from every authorized_keys file; an old key that remains authorized is still usable by anyone who obtained it.

