Using a username and password to connect to your SSH server is passé! It is not secure and can leave you vulnerable to a breach. Using SSH key pairs, we will deploy encrypted keys for a more secure way to connect, utilizing two-step authentication.
Check out the OpenSSH project page for more information about OpenSSH.
Using key pairs is the preferred and secure option for establishing SSH connections. A key pair consists of a private key and a public key. The private key stays on the client machine, which is also where the key pair is generated. The public key is copied to a location on the server.
Listed below are the four types of keys supported by the ssh-keygen command:
- DSA — an old Digital Signature Algorithm. A key size of 1024 bits would normally be used with it. DSA is no longer recommended.
- ECDSA — an algorithm based on elliptic curves, standardized by the US Government. It supports only a specific set of key sizes. Although it is relatively new, it is supported by most SSH clients.
- ED25519 — the most recent addition to OpenSSH. Support for this algorithm is not universal yet, hence it is not recommended for general-purpose applications.
- RSA — one of the oldest and most widely used public-key cryptosystems. Its security rests on the difficulty of factoring, and with the advances being made in factoring, RSA could become breakable. Increasing the key size is recommended.
Each type of key has specific allowed key sizes:
- ECDSA — the key size can only be one of 256, 384 or 521 bits
- ED25519 — the key length is fixed
- RSA — the minimum and default key size is 1024 bits; 4096 is recommended
- DSA — the key size must be exactly 1024 bits, as specified by FIPS 186-2
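The two lists above (key types and the sizes each type allows) are easiest to make concrete by looking at what is actually inside a public-key line. The script below is an added example, not code from the original post: it parses the OpenSSH public-key wire format (type string, then per-type fields) to report the type and size of every key in an authorized_keys file, and flags DSA keys and RSA keys below the 4096 bits the post recommends. The sample keys at the bottom are constructed in the script from fake numbers, so only the encoding is real; the helper names and the RSA_MIN_BITS policy value are assumptions for this example.

```python
import base64
import struct

# Policy drawn from the post: DSA is no longer recommended, RSA keys should be
# 4096 bits, ECDSA only comes in 256/384/521, and ED25519 has a fixed size.
RSA_MIN_BITS = 4096


def _read_string(blob, off):
    """Read one SSH 'string' (uint32 big-endian length, then that many bytes)."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def _mpint_bits(raw):
    """Bit length of an SSH mpint; the public values here are positive, so a leading 0x00 is harmless."""
    return int.from_bytes(raw, "big").bit_length()


def parse_pubkey(line):
    """Return (key_type, bits) for one '<type> <base64> [comment]' line.

    The base64 blob starts with the key type again, then per-type fields:
    ssh-rsa: e, n            ssh-dss: p, q, g, y
    ecdsa-sha2-nistpXXX: curve name, point    ssh-ed25519: 32-byte key
    """
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = fields[0], fields[1]
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("type field does not match the encoded blob")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)      # public exponent
        n, off = _read_string(blob, off)       # modulus: its bit length is the key size
        return key_type, _mpint_bits(n)
    if key_type == "ssh-dss":
        p, off = _read_string(blob, off)       # prime p (q, g, y follow); key size is len(p)
        return key_type, _mpint_bits(p)
    if key_type.startswith("ecdsa-sha2-nistp"):
        curve, off = _read_string(blob, off)   # e.g. b"nistp256"
        return key_type, int(curve[len("nistp"):])
    if key_type == "ssh-ed25519":
        pk, off = _read_string(blob, off)
        return key_type, len(pk) * 8           # always 256
    raise ValueError("unsupported key type " + key_type)


def audit(lines):
    """Return [(key_type, bits, verdict)] for each key line, skipping blanks and comments."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key_type, bits = parse_pubkey(line)
        if key_type == "ssh-dss":
            verdict = "reject: DSA is no longer recommended"
        elif key_type == "ssh-rsa" and bits < RSA_MIN_BITS:
            verdict = "weak: RSA %d bits is below the recommended %d" % (bits, RSA_MIN_BITS)
        else:
            verdict = "ok"
        findings.append((key_type, bits, verdict))
    return findings


# --- constructed sample keys: the numbers are fake, only the encoding is real ---
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _mpint(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw                    # keep the two's-complement value positive
    return _ssh_string(raw)


def _key_line(key_type, *fields, comment="constructed"):
    blob = _ssh_string(key_type.encode()) + b"".join(fields)
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode(), comment)


SAMPLE_AUTHORIZED_KEYS = [
    "# constructed authorized_keys for the demonstration",
    _key_line("ssh-rsa", _mpint(65537), _mpint((1 << 4095) | 1)),   # 4096-bit modulus
    _key_line("ssh-rsa", _mpint(65537), _mpint((1 << 1023) | 1)),   # 1024-bit modulus
    _key_line("ssh-dss", _mpint((1 << 1023) | 1), _mpint((1 << 159) | 1), _mpint(2), _mpint(3)),
    _key_line("ecdsa-sha2-nistp256", _ssh_string(b"nistp256"), _ssh_string(b"\x04" + b"\x00" * 64)),
    _key_line("ssh-ed25519", _ssh_string(b"\x00" * 32)),
]

if __name__ == "__main__":
    for key_type, bits, verdict in audit(SAMPLE_AUTHORIZED_KEYS):
        print("%-20s %5d  %s" % (key_type, bits, verdict))
```

Run it against a real file with `audit(open("~/.ssh/authorized_keys").read().splitlines())` (expanding the path first); the key size reported for RSA is the modulus length, which is the number `-b` sets in ssh-keygen, and for ECDSA it is the curve size, which is why only 256, 384 and 521 ever appear.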
Below is an example of the key-generation process. When the ssh-keygen command is run, it first asks for the location in which the key is to be saved. The second prompt asks for a passphrase, and then to repeat it for confirmation; it is good practice to protect the key with a passphrase. You can keep pressing Enter to accept the defaults for all options (the default is no passphrase).
$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test_user/.ssh/id_rsa): /home/test_user/.ssh/id_test
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/test_user/.ssh/id_test.
Your public key has been saved in /home/test_user/.ssh/id_test.pub.
The key fingerprint is:
SHA256:X7sJY+eXGEQ1x48pQVbb+3rAJucww16yViyb8Z1nkwg [email protected]t_vm
The key's randomart image is:
| .o =.|
| . ..oo|
| o o o|
| S o.+ . |
| . [email protected] .|
| . =B+===|
Now the public and private keys are in the desired location on the client machine. The public key has to be placed on the server to enable SSH access with the generated key pair. Note that it is recommended to generate the private key on the client machine itself and never transfer the private key from one host to another.
The public key generated on the client side has to be placed on the server. The following steps are involved in this process:
- create a directory called .ssh in the user's home directory
- create a file called authorized_keys in it with file permissions of 600
- copy the public key into that file
$ ssh [email protected]
# on the server: the .ssh directory must not be writable by group or others, so create it with mode 700
$ mkdir -p -m 700 /home/test_user/.ssh
# create the authorized_keys file with read and write permission for the owner only
$ install -m 600 /dev/null /home/test_user/.ssh/authorized_keys
# copy and paste the public key from the client into the authorized_keys file on the server
To have a one-liner and avoid copy-pasting, this command comes in handy (the remote command runs cat on the server, so the public key is appended over the SSH connection):
$ cat ~/.ssh/id_test.pub | ssh [email protected] "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
[email protected]'s password:
There is one more easy and official option to copy the public key file onto the server of interest. The command below copies the public key to the desired location on the server:
ssh-copy-id -i /home/test_user/.ssh/id_test.pub [email protected]
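The three steps above (create .ssh, create authorized_keys with mode 600, append the key) are what ssh-copy-id does for you, and what a plain `cat >>` does without any checks. The following is an added example, not code from the original post: a small installer that performs the same three steps on the server side but refuses anything that is not a public-key line (so a pasted private key is never appended), skips a key that is already present instead of duplicating it, and sets the directory and file modes explicitly. The regular expression, function names and the throwaway home directory used by `demo()` are assumptions of this example; the sample key is constructed and is not a real key.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Shape of a public-key line: "<type> <base64> [comment]". ssh-dss is left out on
# purpose (the post says DSA is no longer recommended); a private key never matches.
PUBKEY_RE = re.compile(
    r"^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521)) ([A-Za-z0-9+/]+={0,2})(?: (.*))?$"
)


def key_identity(line):
    """Return (type, base64 blob), which identifies a key regardless of its comment."""
    m = PUBKEY_RE.match(line.strip())
    if not m:
        raise ValueError("not an acceptable public-key line")
    return m.group(1), m.group(2)


def install_authorized_key(home_dir, pubkey_line):
    """Append the key to <home_dir>/.ssh/authorized_keys unless it is already there.

    Returns "installed" or "already present". sshd with the default StrictModes
    rejects keys when ~/.ssh or authorized_keys is group/world writable, so the
    modes are forced to 700 and 600 rather than left to the umask.
    """
    key_type, blob = key_identity(pubkey_line)
    ssh_dir = Path(home_dir) / ".ssh"
    ak_file = ssh_dir / "authorized_keys"

    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)          # mkdir's mode is subject to the umask; fix it explicitly
    fd = os.open(ak_file, os.O_RDWR | os.O_CREAT | os.O_APPEND, 0o600)
    os.chmod(ak_file, 0o600)          # os.open's mode only applies when the file is created
    with os.fdopen(fd, "r+") as f:
        for existing in f:
            existing = existing.strip()
            if not existing or existing.startswith("#"):
                continue
            try:
                if key_identity(existing) == (key_type, blob):
                    return "already present"
            except ValueError:
                continue              # leave lines in other shapes (e.g. option-prefixed keys) alone
        f.seek(0, os.SEEK_END)
        f.write(pubkey_line.strip() + "\n")
    return "installed"


def demo():
    """Install one constructed key twice into a temporary home and report what happened."""
    sample = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI" + "A" * 43 + " constructed@example"  # not a real key
    with tempfile.TemporaryDirectory() as home:
        first = install_authorized_key(home, sample)
        second = install_authorized_key(home, sample)
        ak = Path(home) / ".ssh" / "authorized_keys"
        keys = [l for l in ak.read_text().splitlines() if l.strip()]
        dir_mode = stat.S_IMODE(os.stat(ak.parent).st_mode)
        file_mode = stat.S_IMODE(os.stat(ak).st_mode)
        try:
            install_authorized_key(home, "-----BEGIN OPENSSH PRIVATE KEY-----")
            rejected = False
        except ValueError:
            rejected = True
    return {"first": first, "second": second, "keys": len(keys), "dir_mode": dir_mode,
            "file_mode": file_mode, "rejected_private_key": rejected}


if __name__ == "__main__":
    print(demo())
```

On a real server you would call `install_authorized_key(os.path.expanduser("~"), line)` as the target user; the duplicate check compares only the type and blob, so re-running it after changing a key's comment does not add a second copy.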
After adding the public key to authorized_keys, you can log in to the server without a password:
ssh [email protected]
# Welcome screen on the server
If you have multiple keys on the client, you can choose a specific key with the -i option:
ssh -i /home/test_user/.ssh/id_test test-server.com
Passing custom SSH options during file transfer:
SCP and rsync are the most commonly used tools for file transfer between systems. The underlying protocol that sets up the secure connection for these tools is SSH. You can pass custom SSH options to SCP and rsync with the following parameters.
Specifying a different port and the path to the key (note that scp takes the port as -P, while ssh itself takes -p):
# copying a file from the server to the client
scp -i /home/test_user/test_key -P 2001 [email protected]_server.com:/home/test_user/backup.tar .
# syncing a directory from the server with rsync; the -e option passes the same settings to the ssh it runs underneath
rsync -avz -e "ssh -i $HOME/.ssh/id_test -p 2001" [email protected]:/from/dir/ /to/dir/
All of these can be added to the ~/.ssh/config file as well; I will cover the details in future posts, along with an introduction to ssh-agent.