*nix Tip of the Day: SSH Private/Public Keys
Hello kind readers, and welcome to by *nix Tip of the Day. It's finals week, and I'm sort of slacking, so I thought I'd post some of my accumulated folk wisdom on the Internet, so that it might help others.
Today's topic is SSH Private/Public Keys. If any of you are CS majors,
or go to a tech-heavy school, or generally interact with Linux/OS
X/Solaris/HP-UX/AIX/any other *nix, you've probably used SSH. SSH,
at its most basic, is a replacement for telnet and rlogin; it allows you
to get a shell at a remote machine. However, it does so securely (hence,
Secure SHell) using strong encryption. SSH, particularly modern
implementations like OpenSSH also has other subsystems like
rcp, which is in turn a remote version of
sftp (a secure replacement for FTP), and such.
Most people, when using SSH, use password authentication. They type
ssh user@host and, when prompted, type in their login
host. This isn't necessarily a bad thing -- it's
braindead-easy to set up, generally secure, and works the same way as
remote logins have since the beginning of time.
There are some problems with this setup. One of the most obvious is that if you offer password authentication, your system's security is only as good as its worst password. Every user that picks "god" or "password" as his password paints a giant target on your machine.
Enabling password authentication, even if all of your users have strong passwords, still makes you a target. There are plenty of botnets out there that connect to servers and try sshing in with random usernames (and root, of course, but I assume you have root login disabled/restricted in SSH. You do, right? If not, go do so.). It's unlikely that they'll ever break a good password, but that's still traffic hitting your box. Disable password authentication, though, and they go away. Botnets (thankfully) never try to connect using anything else.
So, password authentication isn't great. What should you do instead? Well, it turns out that SSH supports something called public key authentication. The basic idea here is that the remote user has a small file called a private key that they keep with them (on their laptop, or on a flash drive). This key allows them to access the remote server (optionally without any password at all, although this is discouraged on a flash key or laptop) more securely. The authentication is done using either a DSA or RSA with a key-length of between 768 and 2048 bits, which is all technical stuff that you don't care about. Let's talk about setup.
The first thing to do is to prepare the client system and generate the key. The following commands should take care of that:
if [ ! -d ~/.ssh ] then mkdir ~/.ssh chmod 700 ~/.ssh ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa chmod 600 ~/.ssh/* fi
When you are prompted for a password by ssh-keygen, you should enter something long that you will not forget. It should not be your account password. If you really trust the client system (for example, if it's a desktop machine with no remote login sitting inside a bank vault that nobody could ever break into), you can leave this field empty. But I do not recommend it.
But how do you go about using this key? Note that the keygen will have
created a file called
~/.ssh/id_rsa.pub. This is your public key, and
needs to be uploaded to every machine that you need access to. Let's
call the remote machine
remote and the local machine
following code should do what you need:
scp ~/.ssh/id_rsa.pub user@remote:~/local.pub ssh user@remote if [ ! -d ~/.ssh ] then mkdir ~/.ssh chmod 700 ~/.ssh fi cat local.pub >> ~/.ssh/authorized_keys chmod 600 ~/.ssh/authorized_keys rm local.pub exit
If all went well, you should now be able to log into
remote using your
public key. If you attempt to ssh user@remote, you should be
prompted "Enter passphrase for key '/home/user/.ssh/id_rsa'". Type in
the passphrase you entered during the key creation step and you're all
If typing in this passphrase all of the time seems like a pain in the rear to you, you're not alone. Check back later for the next article in the series, on the use of ssh-agent. It's awesome, I tell you.
Note: I am not responsible for any borkage that these commands might cause. As far as I know, they're correct, but I still disclaim any and all liability. Yadda yadda yadda.
Updated 2008-05-13 00:55 to use correct permissions for the contents of \~/.ssh