{{Navbox Linux}}[[Category:Linux]]

Latest revision as of 16:34, 10 February 2020

see http://leo.steamr.com/2010/05/logging-in-via-ssh-keys/

Server Side - Host Keys

SSH host keys must exist before the SSH server is started. sshd refuses to load a host key whose private file is readable by anyone other than its owner, and exits with "no hostkeys available" if it ends up with none. On a Linux system they live in /etc/ssh (ssh_host_*_key and the matching .pub files).

The host key lets the client verify that it is talking to the server it intended to reach: the client records the key in ~/.ssh/known_hosts on first contact and warns, or refuses to connect, if a different key is presented later, which means either a reinstalled host or an interception attempt. Checking the fingerprint out of band before accepting it the first time is what closes that gap.

Key Generation

There are four key types that ssh-keygen can generate for SSHv2: DSA, RSA, ECDSA and ED25519. DSA (ssh-dss) is limited to 1024-bit keys with SHA-1 signatures and has been disabled by default in OpenSSH clients and servers since 7.0, so new installations should provide RSA and ED25519 host keys (and ECDSA where clients require it).

Usage example. Host keys must have no passphrase, because sshd loads them unattended; -N '' sets an empty one without prompting. Distribution packages usually run ssh-keygen -A instead, which generates every missing default host key type in /etc/ssh:

ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key
# DSA is ignored by sshd by default since OpenSSH 7.0; shown for completeness
ssh-keygen -t dsa -N '' -f /etc/ssh/ssh_host_dsa_key

Key Fingerprint

To get the fingerprints of a remote host's keys, fetch the public keys with ssh-keyscan and hash them with ssh-keygen (the host name or address is passed as the first argument):

# -E md5 selects the older MD5 form shown below; omit it for the SHA256 form
# that OpenSSH 6.8 and later print by default.
tmp=$(mktemp) || exit 1
ssh-keyscan "$1" > "$tmp" 2> /dev/null
ssh-keygen -E md5 -lf "$tmp"
rm -f "$tmp"

For example, a server would produce:

2048 MD5:76:12:f7:27:59:6d:97:e7:32:db:18:10:4e:df:9a:61 csa (RSA)
256 MD5:bf:ae:71:b2:c2:d0:4d:03:f4:fe:93:12:6f:b7:36:ae csa (ECDSA)
256 MD5:10:8d:0d:d6:16:f4:42:11:1c:c5:06:1c:16:e0:76:c9 csa (ED25519)
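The same fingerprints can be computed in a script without a temporary file. The following Python is an added example, not code from the original page or from OpenSSH: it parses the "host keytype base64" lines that ssh-keyscan prints, reports the key size and both fingerprint forms the way ssh-keygen -l does, and compares a presented key against an expected fingerprint in constant time. The two key blobs are constructed (a fixed 32-byte Ed25519 value and a synthetic 2048-bit RSA modulus), so their fingerprints belong to no real host; "csa" is the host label taken from the sample output above.

```python
"""Fingerprint host keys from ssh-keyscan output lines ("host keytype base64").

Added example for this page; it is not OpenSSH code.  The two key blobs at the
bottom are constructed (a fixed 32-byte Ed25519 value and a synthetic 2048-bit
RSA modulus), so their fingerprints belong to no real host; "csa" is the host
label copied from the sample output above.
"""
import base64
import hashlib
import hmac
import struct

LABELS = {"ssh-rsa": "RSA", "ssh-dss": "DSA", "ssh-ed25519": "ED25519"}


def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    """Decode one SSH wire 'string' at offset off; returns (bytes, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_bits(keytype: str, blob: bytes) -> int:
    """Key size the way ssh-keygen -l reports it (RSA/DSA: modulus length)."""
    wire_type, off = read_string(blob, 0)
    if wire_type.decode() != keytype:
        raise ValueError("key type field does not match the blob")
    if keytype == "ssh-ed25519":
        return 256
    if keytype.startswith("ecdsa-sha2-nistp"):
        return int(keytype[len("ecdsa-sha2-nistp"):])
    if keytype in ("ssh-rsa", "ssh-dss"):
        first, off = read_string(blob, off)       # RSA: exponent e; DSA: modulus p
        if keytype == "ssh-rsa":
            first, off = read_string(blob, off)   # RSA: modulus n
        return int.from_bytes(first, "big").bit_length()
    raise ValueError(f"unsupported key type {keytype}")


def fingerprint(blob: bytes, hash_alg: str = "sha256") -> str:
    """MD5 form: colon-separated hex; SHA256 form: unpadded base64 (default since OpenSSH 6.8)."""
    if hash_alg == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    if hash_alg == "sha256":
        return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    raise ValueError(hash_alg)


def keyscan_line_to_fingerprint_line(line: str, hash_alg: str = "sha256") -> str:
    """Turn 'host keytype base64' into the line ssh-keygen -l prints for it."""
    host, keytype, b64 = line.split()[:3]
    blob = base64.b64decode(b64)
    label = LABELS.get(keytype, "ECDSA" if keytype.startswith("ecdsa-") else keytype)
    return f"{key_bits(keytype, blob)} {fingerprint(blob, hash_alg)} {host} ({label})"


def fingerprint_matches(blob: bytes, expected: str) -> bool:
    """Compare a presented key with an out-of-band fingerprint of either form."""
    alg = "md5" if expected.upper().startswith("MD5:") else "sha256"
    return hmac.compare_digest(fingerprint(blob, alg), expected)


# Constructed sample keys (not real host keys).
ED25519_BLOB = ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))
_N = (1 << 2047) | 1                              # synthetic 2048-bit modulus
RSA_BLOB = (ssh_string(b"ssh-rsa")
            + ssh_string((65537).to_bytes(3, "big"))
            + ssh_string(b"\x00" + _N.to_bytes(256, "big")))  # mpint: leading 0x00, high bit set
SAMPLE_KEYSCAN = [
    "csa ssh-ed25519 " + base64.b64encode(ED25519_BLOB).decode(),
    "csa ssh-rsa " + base64.b64encode(RSA_BLOB).decode(),
]

if __name__ == "__main__":
    for line in SAMPLE_KEYSCAN:
        print(keyscan_line_to_fingerprint_line(line, "md5"))
        print(keyscan_line_to_fingerprint_line(line))
```

Feed it real ssh-keyscan output (one line per host key) and compare the result with what the server administrator reports; fingerprint_matches is the check to run before adding the key to known_hosts, and it accepts either form so an MD5 fingerprint from older documentation can still be verified.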

Client-Side

Introduction

SSH public key authentication is based on public key cryptography. With protocol version 2 the key pair can be generated with one of four algorithms: DSA, RSA, ECDSA and ED25519. The obsolete protocol version 1 supported only RSA1 keys; OpenSSH removed version 1 from the server in 7.4 and from the client in 7.6, so RSA1 keys are no longer usable.

A client's key pair is kept in the ~/.ssh directory. By default the SSH client tries the private keys ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_ed25519, unless a different file is given with the -i option or an IdentityFile entry in ~/.ssh/config.

Authorization is controlled on the server by the ~/.ssh/authorized_keys file of the account being logged in to, which holds one public key per line, optionally preceded by options such as from= or command= that restrict what that key may do. A user is granted access if they hold the private half of a key listed there. With the default StrictModes, sshd ignores the file if it, ~/.ssh or the home directory is writable by anyone other than the owner.

Enabling Password-less Key Authentication

To login to a remote host without needing to enter a password, create a public/private key pair without a password.

Security Warning
A private key without a passphrase is only as safe as the files it is stored in: anyone who copies it, or any backup it lands in, can log in to every host that lists the matching public key. Prefer to protect it with a passphrase and unlock it through a keyring / SSH agent, described in the next section.

# Generate the key pair (~/.ssh/id_rsa and ~/.ssh/id_rsa.pub). Press Enter at the
# passphrase prompt for a key that needs no password; see the warning above.
# -t ed25519 gives a smaller, faster key if every target runs OpenSSH 6.5 or newer.
ssh-keygen -t rsa

# the .ssh directory must be accessible only to its owner
chmod 700 ~/.ssh

# no one else may read the private key; ssh refuses to use a key with looser
# permissions (public keys and known_hosts may stay world-readable)
chmod 600 ~/.ssh/*

Copy the public key to the remote host you wish to log in to. Either do it by hand or use ssh-copy-id:

$ cat ~/.ssh/id_rsa.pub | ssh username@remote_machine "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
## or
$ ssh-copy-id username@remote_machine

Either command appends your public key to the remote account's authorized_keys file, creates ~/.ssh if it is missing, and sets the permissions sshd requires. ssh-copy-id goes a step further and skips keys that are already present, so running it twice does not leave duplicate lines. With this complete you should be able to authenticate with the private key; the first connection is also the moment to confirm that the host key fingerprint presented matches the one obtained from the server side above.

ssh username@remote_machine
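How the "only add the key if it is not already there" check of ssh-copy-id and the permission rules fit together, as an added example in Python that is not the page's code nor ssh-copy-id's own: it parses authorized_keys lines including the option prefix (quoted option values may contain commas and spaces), installs a key idempotently with the 700/600 modes, and audits a file for duplicate keys, ssh-dss keys and keys that carry no from= or command= restriction. The sample file and its key material are constructed.

```python
"""authorized_keys handling: parse lines (with option prefixes), add a key only
if it is absent, and audit the file.  Added example for this page, not code
from ssh-copy-id; layout per sshd(8): [options] keytype base64 [comment].
The sample file below and its key material are constructed."""
import base64
import os
import struct
import tempfile
from typing import List, NamedTuple, Optional

AuthorizedKey = NamedTuple("AuthorizedKey", [("options", str), ("keytype", str),
                                             ("blob", bytes), ("comment", str)])


def split_options(line: str):
    """Return (options, rest); options end at the first whitespace outside double quotes."""
    if line.split(None, 1)[0].startswith(("ssh-", "ecdsa-", "sk-")):
        return "", line
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\":        # backslash escape inside a quoted value
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            return line[:i], line[i:].lstrip()
        i += 1
    raise ValueError("options present but no key follows")


def parse_line(line: str) -> Optional[AuthorizedKey]:
    """Parse one line; blank lines and '#' comments yield None.  (keytype, blob) identifies a key."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, rest = split_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2:
        raise ValueError(f"malformed key line: {line!r}")
    comment = fields[2] if len(fields) == 3 else ""
    return AuthorizedKey(options, fields[0], base64.b64decode(fields[1], validate=True), comment)


def audit(text: str) -> List[str]:
    """Flag duplicate keys, the disabled ssh-dss type, and keys with no from=/command= limit."""
    findings, seen = [], {}
    for n, raw in enumerate(text.splitlines(), 1):
        key = parse_line(raw)
        if key is None:
            continue
        ident = (key.keytype, key.blob)
        if ident in seen:
            findings.append(f"line {n}: duplicate of line {seen[ident]}")
        seen.setdefault(ident, n)
        if key.keytype == "ssh-dss":
            findings.append(f"line {n}: ssh-dss key (disabled by default since OpenSSH 7.0)")
        if "from=" not in key.options and "command=" not in key.options:
            findings.append(f"line {n}: no from= or command= restriction")
    return findings


def install_key(ssh_dir: str, pubkey_line: str) -> bool:
    """Append a key unless the same key is present; enforce the modes sshd's
    StrictModes expects (dir 700, file 600).  Returns True if the key was added."""
    new = parse_line(pubkey_line)
    if new is None:
        raise ValueError("not a public key line")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = open(path).read() if os.path.exists(path) else ""
    for k in map(parse_line, existing.splitlines()):
        if k is not None and (k.keytype, k.blob) == (new.keytype, new.blob):
            return False
    with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600), "a") as f:
        f.write(pubkey_line.strip() + "\n")
    os.chmod(path, 0o600)
    return True


def _blob(keytype: bytes, material: bytes) -> str:
    """Base64 wire-format blob (type string + one field) from made-up material."""
    return base64.b64encode(b"".join(struct.pack(">I", len(s)) + s for s in (keytype, material))).decode()


SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    f"ssh-ed25519 {_blob(b'ssh-ed25519', b'A' * 32)} alice@laptop",
    f'from="10.0.0.0/8,192.168.1.*",no-pty,command="/usr/local/bin/backup" ssh-ed25519 {_blob(b"ssh-ed25519", b"B" * 32)} backup',
    f"ssh-dss {_blob(b'ssh-dss', b'C' * 64)} legacy@old-host",
    f"ssh-ed25519 {_blob(b'ssh-ed25519', b'A' * 32)} alice@desktop",   # same key as line 2
]) + "\n"


def install_twice_in_tempdir():
    """Install alice's key into a fresh directory twice; the second call must be a no-op."""
    ssh_dir = os.path.join(tempfile.mkdtemp(), ".ssh")
    line = SAMPLE_AUTHORIZED_KEYS.splitlines()[1]
    first, second = install_key(ssh_dir, line), install_key(ssh_dir, line)
    path = os.path.join(ssh_dir, "authorized_keys")
    return (first, second, open(path).read().count("\n"),
            os.stat(ssh_dir).st_mode & 0o777, os.stat(path).st_mode & 0o777)


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_AUTHORIZED_KEYS)))
    print(install_twice_in_tempdir())
```

Keys are compared by type and decoded blob, not by the whole line, so the same key with a different comment is still recognised as a duplicate. The audit flags unrestricted keys only as information: a deployment key used by one backup host is a candidate for a from= and command= prefix, an interactive user's key usually is not.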

SSH Agents

A private key without a passphrase is a risk because whoever obtains the file can log in to every system that trusts it. One layer of defence is a passphrase on the key. That appears to defeat the point of logging in without typing a password, but an SSH agent restores the convenience: you unlock the key once, the agent holds the decrypted key in memory and answers the signing requests of subsequent connections, and the private key file itself is never sent anywhere. The agent can also be told to forget a key after a timeout.

A helper program called Keychain available at https://funtoo.org/Keychain makes it easy to use SSH agent. Load it in your .bashrc file to automatically start a SSH agent on first log in and to unlock any SSH keys that you wish to use.

# On an interactive shell, start (or reuse) an agent and unlock id_rsa.
if [ "$PS1" ]; then
    eval "$(keychain --eval --agents ssh id_rsa)"
fi

Quick usage for keychain:

## To unlock a key for 60 minutes
$ keychain --timeout 60 ~/.ssh/id_rsa

## To clear any keys
$ keychain --clear

## To list the public key of unlocked SSH keys
$ keychain -L

## To list the fingerprints of unlocked SSH keys
$ keychain -l

## Kill all agents
$ keychain -k all
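What "the agent holds the unlocked key in memory" means on the wire, as an added example that is not part of OpenSSH or keychain: the Python below speaks the ssh-agent protocol over the SSH_AUTH_SOCK Unix socket to list the loaded identities, which is the same request ssh-add -l and keychain -l make, and to remove them all, as keychain --clear does. Message numbers are those of the OpenSSH agent protocol draft (draft-miller-ssh-agent); the reply parsed when no agent is available is constructed.

```python
"""List and clear the identities an ssh-agent holds, over its Unix socket.

Added example for this page, not part of OpenSSH or keychain.  It speaks the
agent protocol that ssh-add -l / keychain -l and ssh-add -D / keychain --clear
use (message numbers from draft-miller-ssh-agent).  SAMPLE_REPLY below is a
constructed SSH_AGENT_IDENTITIES_ANSWER so the parser runs without an agent.
"""
import os
import socket
import struct
from typing import List, Optional, Tuple

SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_REQUEST_IDENTITIES = 11
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_REMOVE_ALL_IDENTITIES = 19


def ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def read_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def frame(payload: bytes) -> bytes:
    """Every agent message is uint32 length + payload; payload[0] is the message type."""
    return struct.pack(">I", len(payload)) + payload


def parse_identities_answer(payload: bytes) -> List[Tuple[str, bytes, str]]:
    """Decode SSH_AGENT_IDENTITIES_ANSWER: type byte, uint32 count, then
    (public key blob, comment) string pairs.  Returns (keytype, blob, comment)."""
    if not payload or payload[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError(f"unexpected agent reply type {payload[:1]!r}")
    (count,) = struct.unpack(">I", payload[1:5])
    off, keys = 5, []
    for _ in range(count):
        blob, off = read_string(payload, off)
        comment, off = read_string(payload, off)
        keytype, _ = read_string(blob, 0)         # a key blob starts with its own type name
        keys.append((keytype.decode(), blob, comment.decode(errors="replace")))
    return keys


def build_identities_answer(keys) -> bytes:
    """Encode the same message; used to construct the sample reply below."""
    out = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", len(keys))
    for blob, comment in keys:
        out += ssh_string(blob) + ssh_string(comment.encode())
    return out


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the socket")
        buf += chunk
    return buf


def agent_request(payload: bytes, sock_path: Optional[str] = None) -> bytes:
    """Send one message to the live agent (SSH_AUTH_SOCK) and return the reply payload."""
    sock_path = sock_path or os.environ["SSH_AUTH_SOCK"]
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(frame(payload))
        (length,) = struct.unpack(">I", _recv_exact(s, 4))
        return _recv_exact(s, length)


def list_identities(sock_path: Optional[str] = None):
    """What ssh-add -l / keychain -l show: the keys currently unlocked in memory."""
    return parse_identities_answer(agent_request(bytes([SSH_AGENTC_REQUEST_IDENTITIES]), sock_path))


def remove_all_identities(sock_path: Optional[str] = None) -> bool:
    """What keychain --clear / ssh-add -D do; True on SSH_AGENT_SUCCESS."""
    reply = agent_request(bytes([SSH_AGENTC_REMOVE_ALL_IDENTITIES]), sock_path)
    return bool(reply) and reply[0] == SSH_AGENT_SUCCESS


# Constructed reply: two keys with made-up material, as an agent would list them.
SAMPLE_REPLY = build_identities_answer([
    (ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32), "alice@laptop id_ed25519"),
    (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01") + ssh_string(b"\x00" + b"\xff" * 256), "backup"),
])

if __name__ == "__main__":
    keys = list_identities() if os.environ.get("SSH_AUTH_SOCK") else parse_identities_answer(SAMPLE_REPLY)
    for keytype, blob, comment in keys:
        print(f"{keytype} {len(blob)} bytes  {comment}")
```

Note what the agent does and does not hand out: the answer carries only public key blobs and comments, never private key material, which is why a compromised client process can at most ask the agent to sign on its behalf while the key is loaded, and why a timeout or keychain --clear limits that window.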

Changing SSH Key Passphrase

To protect an existing key with a passphrase, or to change its passphrase, use ssh-keygen -p. Since OpenSSH 7.8 the key is rewritten in the native OpenSSH format, whose bcrypt KDF makes offline guessing of the passphrase slow; on older releases add -o -a 100 to get that format instead of the legacy PEM encoding, which derives the encryption key with a single MD5 pass and is quick to brute-force.

## Without -f, ssh-keygen asks which key file to use.
$ ssh-keygen -p -f ~/.ssh/id_rsa