Server Side - Host Keys[edit]

SSH host keys should be generated before starting the SSH server. The OpenSSH daemon will not start if the keys are missing or world readable. On a Linux system, they reside in /etc/ssh.

The purpose of host keys is to ensure that when the client connects to the server, it is actually the server the client intended to connect to.

Key Generation[edit]

There are 4 types of keys that can be generated for SSHv2 using the ssh-keygen utility: DSA, RSA, ECDSA, ED25519.

Usage example:

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

Key Fingerprint[edit]

To get the SSH fingerprint of a remote host, use the ssh-keyscan and ssh-keygen utilities:

ssh-keyscan $1 > $$.tmp 2> /dev/null 
ssh-keygen -E md5 -lf $$.tmp
rm $$.tmp

For example, a server would produce:

2048 MD5:76:12:f7:27:59:6d:97:e7:32:db:18:10:4e:df:9a:61 csa (RSA)
256 MD5:bf:ae:71:b2:c2:d0:4d:03:f4:fe:93:12:6f:b7:36:ae csa (ECDSA)
256 MD5:10:8d:0d:d6:16:f4:42:11:1c:c5:06:1c:16:e0:76:c9 csa (ED25519)



SSH authentication is based on public key cryptography. The public and private key pair can be generated using one of 4 algorithms using SSHv2: DSA, RSA, ECDSA, and ED25519. SSHv2 is limited to only RSA1.

A client's public and private key pair should be stored in the ~/.ssh directory. By default, the SSH client will read the private key from ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, or ~/.ssh/id_ed25519 unless otherwise specified using the -i option.

Authorization based on key authentication is set using the ~/.ssh/authorized_keys file which contains one public key per line. In other words, a user is granted access if their public key exists in the ~/.ssh/authorized_keys file.

Enabling Password-less Key Authentication[edit]

To login to a remote host without needing to enter a password, create a public/private key pair without a password.

Security Warning
Having an insecure private key is a security risk. You may wish to secure it with a password and then unlock it using a keyring / SSH agent. Read on for more information.
# Generates the private/public key pair (~/.ssh/id_rsa, ~/.ssh/
# Use empty pass phrase if you do not want to enter a password for the key.
ssh-keygen -t rsa

# set the permissions of the .ssh directory to 700.
chmod 700 ~/.ssh

# set the permissions of the keys so no one else can read them.
chmod 600 ~/.ssh/*

Step #1 is complete as we now have a private key on your machine located in ~/.ssh/id_rsa. For Step #2, we will need to copy the contents of ~/.ssh/ into the remote machine's ~/.ssh/authorized_keys. eg:

cat ~/.ssh/ | ssh username@remote_machine "cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

The above appends the contents of your into the remote machine's authorized_keys file and then sets permission. With this complete, Step #2 is complete and you should now be able to authenticate without using passwords.

ssh username@remote_machine

SSH Agents[edit]

Using password-less keys above is not ideal since security is solely based on the private key being secret. Your entire system basically can be compromised by copying a single file. One way to harden the key-based authentication is to have a passphrase set for the private key, but doing so will cause SSH to prompt for your key password every time you try to connect. To get around this, we can use something called SSH agents, which are programs that store your private keys. We can then use a keychain program to prompt for your password, then have these agents hold your key (and passphrase).

To do this, you will need 2 files:

  1. keychain
  2. bashrc

... for now, just copy my profile Bash_Profile