Overview
In this guide we walk through generating an SSH key pair with the ssh-keygen utility, installing the public key on a host, and then logging in to that host without a password. The key pair is what makes unattended (automated) authentication possible.

What are SSH Keys
SSH keys use public key cryptography to authenticate hosts and users. This is far more secure than the older “.rhosts” file method, which trusted a client purely on the basis of its hostname or address. With key authentication no password is typed or sent over the connection, and the server stores only the public key, so there is no password on the server that could be compromised.
SSH Keys – Private Key
A private key that remains (only) with the user. It is imperative that the key stays in the possession of that specific user: whoever holds the private key that corresponds to a public key installed on the server will be able to authenticate as that account. Private keys have to be stored in a safe location and must never be tampered with, copied, or shared with others; protecting them with a passphrase is strongly advised. Private keys used for user authentication are called “Identity Keys”.
SSH Keys – Public Key
A public key that is copied to the SSH server(s). The public key can be distributed freely: during authentication the server uses it to verify a signature that only the holder of the corresponding private key could have produced (and anyone with the public key can encrypt data that only the private key holder can read). Once an SSH server has received a public key from a user and considers the key trustworthy, the server marks the key as authorized by storing it in the user's “authorized_keys” file. These keys are called “Authorized Keys”.
SSH Keys – Algorithm
Each key has to be generated with a specific algorithm, and different algorithms provide different levels of security. The table below describes each algorithm that ssh-keygen supports and when to use it.

Algorithm | Description |
---|---|
rsa | An old algorithm based on the difficulty of factoring large numbers. A key size of at least 2048 bits is recommended for RSA; 3072 bits (the ssh-keygen default since OpenSSH 8.0) or 4096 bits is better. RSA is getting old and significant advances are being made in factoring, so choosing a different algorithm is recommended wherever the other side supports it. Note also that OpenSSH 8.8 and later disable the legacy “ssh-rsa” signature scheme (RSA with SHA-1) by default; RSA keys still work with the rsa-sha2-256/512 signature schemes, which any reasonably current client and server negotiate automatically. All SSH clients support RSA keys. |
dsa | The old US government Digital Signature Algorithm, based on the difficulty of computing discrete logarithms. Only 1024-bit keys are permitted, which is far too small today. DSA is no longer recommended: OpenSSH has disabled it by default since version 7.0 and removed it entirely in OpenSSH 10.0. |
ecdsa | Elliptic Curve Digital Signature Algorithm (ECDSA), standardized by the US government (NIST) and based on elliptic curves. Only three key sizes are supported: 256, 384, and 521 bits (the NIST P-256, P-384 and P-521 curves). Keys are small and fast, and 521 bits is the most conservative choice. One caveat: ECDSA, like DSA, needs a fresh unpredictable random value for every signature, and a repeated or biased value leaks the private key, so a weak random number generator on the signing host is a real risk. Most SSH clients support this algorithm. |
ed25519 | A newer algorithm, added in OpenSSH 6.5 (2014), using the Ed25519 signature scheme. Keys are small (256-bit) and fast, and the scheme derives its per-signature value deterministically, so it avoids the random-nonce pitfall of ECDSA and DSA. Support is now universal among current OpenSSH clients and servers, and ssh-keygen generates ed25519 keys by default since OpenSSH 9.5, so it is the recommended choice for new keys; fall back to rsa only when an old client or device cannot speak ed25519. |
SSH Keys – Key Size
In older OpenSSH releases ssh-keygen generated a 2048-bit RSA key by default; since OpenSSH 8.0 the RSA default is 3072 bits, and since OpenSSH 9.5 the default key type is ed25519 (whose size is fixed). To choose a key size explicitly, pass the “-b” parameter when generating the key; it applies to rsa and ecdsa keys and is ignored for ed25519.

SSH Keys – Files and Locations
Each key file has a role to play. The table below lists the files, their default locations, and their purpose. The identity / identity.pub pair belongs to SSH protocol version 1, which is obsolete and has been removed from OpenSSH; it is listed only so the names are recognizable on old systems.

Location & File | Purpose / Description |
---|---|
$HOME/.ssh/identity | RSA private key for the obsolete SSH protocol version 1. |
$HOME/.ssh/identity.pub | RSA public key for SSH protocol version 1. Its contents were copied into $HOME/.ssh/authorized_keys on the remote system. |
$HOME/.ssh/id_dsa | Protocol version 2 DSA private key (identity) of the user. Deprecated; see the algorithm table. |
$HOME/.ssh/id_dsa.pub | DSA public key for protocol version 2. Copy its contents into $HOME/.ssh/authorized_keys on the remote system where the user wants to log in. |
$HOME/.ssh/id_rsa | Protocol version 2 RSA private key (identity) of the user. This file must not be readable by anyone but the user; ssh refuses to use it otherwise. |
$HOME/.ssh/id_rsa.pub | Protocol version 2 RSA public key. Copy its contents into $HOME/.ssh/authorized_keys on the remote system where the user wants to log in. |
$HOME/.ssh/id_ecdsa, id_ecdsa.pub | ECDSA private and public key; same rules as the RSA pair. |
$HOME/.ssh/id_ed25519, id_ed25519.pub | Ed25519 private and public key; same rules as the RSA pair. |
$HOME/.ssh/authorized_keys | On the server: one public key per line; each listed key may log in as this user. |
SSH Keys – Permissions - Set
Each location / file has to be set to an appropriate permission. sshd (with its default StrictModes yes) refuses public key authentication if the home directory, the .ssh directory or the authorized_keys file is writable by anyone other than the owner, or is not owned by the user, and the ssh client refuses to use a private key that other users can read. The commands and their purpose are listed in the table below.

Location / File | Set Permission - Command | Purpose / Description |
---|---|---|
User Home Folder | chmod go-w /home/$USER (equivalently chmod g-w,o-w ~) | The user's home directory on the server must NOT be writable by group or others; otherwise sshd ignores authorized_keys. |
.ssh Folder | chmod 700 /home/$USER/.ssh | The .ssh folder on the server needs 700: owner only. |
authorized_keys | chmod 644 /home/$USER/.ssh/authorized_keys | 644 is the most permissive mode sshd accepts: readable by others, writable only by the owner. |
authorized_keys (preferred) | chmod 600 /home/$USER/.ssh/authorized_keys | 600 also hides the list of trusted keys from other local users. Note that root can read any file regardless of its mode bits, so this is protection against other users, not against root. |
.ssh Folder | chown $USER:$USER /home/$USER/.ssh | The user, not root, must own the folder (use the user's primary group if it differs); sshd checks ownership as well as mode. |
authorized_keys | chown $USER:$USER /home/$USER/.ssh/authorized_keys | Same: owned by the user, not root. |
SSH Keys – Permissions - Validation
To validate the permissions set on each folder / file, run the commands in the table below and compare the mode shown by ls -l (ls -ld for directories, so that the directory itself is listed rather than its contents) with the expected value.

Location / File | Set Permission - Command | Long List – Command | Permission – View |
---|---|---|---|
Home Directory | chmod 755 ~ | ls -ld ~ | 755 or (drwxr-xr-x); 750 or 700 are also fine, anything with a group or other write bit is not |
.ssh (folder) | chmod 700 ~/.ssh | ls -ld ~/.ssh | 700 or (drwx------) |
.pub (public key file) | chmod 644 ~/.ssh/*.pub | ls -l ~/.ssh/*.pub | 644 or (-rw-r--r--) |
id_rsa (private key file) | chmod 600 ~/.ssh/id_rsa (likewise id_ecdsa, id_ed25519) | ls -l ~/.ssh/id_rsa | 600 or (-rw-------); if the key is more permissive, ssh rejects it with “UNPROTECTED PRIVATE KEY FILE!” |
authorized_keys | chmod 600 ~/.ssh/authorized_keys | ls -l ~/.ssh/authorized_keys | 600 or (-rw-------) |
SSH Keys - Generation
Before you can log in to the server without a password, you need to generate an SSH key pair, copy the public key to the server, and then log in.

Generate SSH Key – RSA
Generating the key is the first task. Older ssh-keygen releases default to RSA with 2048 bits; to generate a new 4096-bit RSA key, run the command:

ssh-keygen -t rsa -b 4096

If every system you connect to runs a reasonably current OpenSSH, prefer generating an ed25519 key instead by passing -t ed25519; no -b is needed, since its size is fixed.
Generate SSH Key – Private Key File
By default the key pair is written to “id_rsa” (private) and “id_rsa.pub” (public) in ~/.ssh. At the first prompt you can optionally give a different file name, for example to keep one key per server or purpose; the -f option sets it on the command line.

Generate SSH Key – Passphrase
Optionally, you can set a “passphrase” (key password) for the private key. You will be asked for it whenever the key is used to log in to a server, unless ssh-agent is caching it. The passphrase is the only thing protecting the key if the file is ever copied, so set one for every key that is not used by an unattended process.

Generate SSH Key – Files
The generated private and public keys are stored by default in the “$HOME/.ssh/” folder, where “id_rsa” is the private key file and “id_rsa.pub” is the public key file. In this step ssh-keygen also prints the key's “fingerprint” (a SHA256 hash of the public key) together with the algorithm type and key size, plus a “randomart” picture of the same fingerprint; the fingerprint is what you compare when checking that a key installed somewhere is really yours.

Generate SSH Key – Copy ID
Once the key is generated, the next step is to copy the public key to the server. ssh-copy-id logs in with your password one last time, appends the public key to ~/.ssh/authorized_keys on the remote account and creates the .ssh directory with the right permissions if it is missing. Here the remote user is mvcp and the host is salt; run the command:

ssh-copy-id mvcp@salt

If ssh-copy-id is not available, the equivalent is to append the contents of id_rsa.pub to ~/.ssh/authorized_keys on the server yourself. Only the .pub file ever leaves your machine; the private key stays where it is.
SSH Keys – Connect
After copying the key you can connect to the server without a password: the server matches the key offered by the client against the entries in authorized_keys, the client proves possession of the corresponding private key by signing a challenge, and the user is logged in automatically (after the passphrase, if one was set). To connect, run the command:

ssh mvcp@salt

If you are still asked for the account password, the usual cause is wrong permissions or ownership on the remote home directory, .ssh folder or authorized_keys file (see the permissions tables above), which makes sshd silently ignore the key; running ssh -v mvcp@salt shows which keys were offered and whether the server accepted them.
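To tie the permission tables and the copy step together, here is an added example script; it is not part of the original post and not a tool shipped with OpenSSH. It fixes and verifies the modes that sshd's StrictModes and the ssh client insist on, and installs a public key into authorized_keys the way ssh-copy-id does on the remote side, without adding a duplicate when run twice. It works against two scratch directories created with mktemp that stand in for the workstation's and the remote account's home directories, so it needs no server; when ssh-keygen is present it generates a real ed25519 key, otherwise it uses a constructed placeholder line in authorized_keys format. The function names (ssh_perms_fix, ssh_perms_check, install_authorized_key) and the demo-key comment are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post: harden and verify the ~/.ssh tree,
# then install a public key into authorized_keys the way ssh-copy-id does.
set -e

# Octal mode of a path: GNU stat first, BSD/macOS stat as fallback.
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# True if MODE has any group/other permission bit set (bad for private keys).
go_bits_set() {
  case "$1" in *[1-7][0-7]|*[0-7][1-7]) return 0 ;; esac
  return 1
}

# True if MODE has a group or other write bit (sshd StrictModes rejects this).
go_write_set() {
  case "$1" in *[2367][0-7]|*[0-7][2367]) return 0 ;; esac
  return 1
}

# Apply the permissions from the tables above to HOME and its .ssh tree.
ssh_perms_fix() {
  home="$1"
  mkdir -p "$home/.ssh"
  chmod go-w "$home"                    # home: no group/world write
  chmod 700 "$home/.ssh"                # .ssh: owner only
  if [ -f "$home/.ssh/authorized_keys" ]; then
    chmod 600 "$home/.ssh/authorized_keys"
  fi
  for f in "$home"/.ssh/id_*; do
    [ -f "$f" ] || continue
    case "$f" in
      *.pub) chmod 644 "$f" ;;          # public half may be world readable
      *)     chmod 600 "$f" ;;          # private half: owner only
    esac
  done
  return 0
}

# Print every violation; return 1 if any was found, 0 if the tree is clean.
ssh_perms_check() {
  home="$1"; bad=0
  if go_write_set "$(mode_of "$home")"; then
    echo "FAIL: $home is group/world writable"; bad=1
  fi
  if [ "$(mode_of "$home/.ssh")" != 700 ]; then
    echo "FAIL: $home/.ssh is not mode 700"; bad=1
  fi
  if [ -f "$home/.ssh/authorized_keys" ] \
     && go_write_set "$(mode_of "$home/.ssh/authorized_keys")"; then
    echo "FAIL: authorized_keys is group/world writable"; bad=1
  fi
  for f in "$home"/.ssh/id_*; do
    [ -f "$f" ] || continue
    case "$f" in *.pub) continue ;; esac
    if go_bits_set "$(mode_of "$f")"; then
      echo "FAIL: private key $f is readable by others"; bad=1
    fi
  done
  return "$bad"
}

# What ssh-copy-id does on the remote side: create ~/.ssh under umask 077 and
# append the key line, skipping it if the identical line is already present.
install_authorized_key() {
  home="$1"; pubkey="$2"
  ak="$home/.ssh/authorized_keys"
  (umask 077; mkdir -p "$home/.ssh"; touch "$ak")
  if ! grep -qxF -- "$pubkey" "$ak"; then
    printf '%s\n' "$pubkey" >> "$ak"
  fi
  ssh_perms_fix "$home"
}

# Number of key lines installed for HOME.
authorized_key_count() {
  wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Generate an ed25519 key pair under DIR and print the public key line.
# -N '' (no passphrase) is only for this unattended demo; set one for real keys.
generate_ed25519() {
  ssh-keygen -q -t ed25519 -N '' -C demo-key -f "$1/id_ed25519" </dev/null
  cat "$1/id_ed25519.pub"
}

# Demo: two scratch directories stand in for the workstation and the server.
client_home=$(mktemp -d)
server_home=$(mktemp -d)
mkdir -p "$client_home/.ssh"
if command -v ssh-keygen >/dev/null 2>&1; then
  pub=$(generate_ed25519 "$client_home/.ssh")
else
  # Constructed placeholder in authorized_keys format; not real key material.
  pub='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERxNOTxAxREALxKEYxxxxxxxxxxx demo-key'
fi
install_authorized_key "$server_home" "$pub"
install_authorized_key "$server_home" "$pub"   # re-run: must not duplicate
ssh_perms_fix "$client_home"
ssh_perms_check "$client_home" && ssh_perms_check "$server_home" \
  && echo "OK: $(authorized_key_count "$server_home") key in authorized_keys"
```

ssh_perms_check is the part worth keeping in a shell profile or a configuration-management check: it is exactly the set of conditions under which sshd silently falls back to password authentication, and ssh refuses a private key, so running it against a home directory answers "why am I still being asked for a password" without reading the server log. The 644 mode the tables allow for authorized_keys passes the check; any group or world write bit fails it.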