I rarely use password login. And many folks out there even today aren't sure about ssh keys and their usage.
Everything about SSH Keys.
A Thread π
Everything about SSH Keys.
A Thread π
What is SSH?
SSH is a secure protocol used as the primary means of connecting to Linux servers remotely. It provides a text-based interface by spawning a remote shell. After connecting, all commands you type in your local terminal are sent to d remote server and executed there.
SSH is a secure protocol used as the primary means of connecting to Linux servers remotely. It provides a text-based interface by spawning a remote shell. After connecting, all commands you type in your local terminal are sent to d remote server and executed there.
Today, the SSH protocol is widely used to login remotely from one system into another, and its strong encryption makes it ideal to carry out tasks such as issuing remote commands and remotely managing network infrastructure and other vital system components.
How SSH works?
SSH conn is implemented using a client-server model. The remote system must be running a piece of sw called an SSH daemon. This sw listens for conn on a specific nw port, authenticates conn requests, & spawns d appropriate env if d user provides d correct creds.
SSH conn is implemented using a client-server model. The remote system must be running a piece of sw called an SSH daemon. This sw listens for conn on a specific nw port, authenticates conn requests, & spawns d appropriate env if d user provides d correct creds.
How SSH Authenticates Users?
Clients generally authenticate either using passwords (less secure and not recommended) or SSH keys, which are very secure.
Clients generally authenticate either using passwords (less secure and not recommended) or SSH keys, which are very secure.
Diff b/n password login and ssh key login-
Password Login -
With password login, you first establish a secure encrypted channel to the remote system, and then send your username and password to that system.
Password Login -
With password login, you first establish a secure encrypted channel to the remote system, and then send your username and password to that system.
The remote system then compares those credentials with whatever mechanisms are set in place (local, ldap, etc), and determines whether you provided the correct password and whether you are authorized to log in.
SSH Keys Login -
With ssh key exchange, you establish a secure encrypted channel, then the remote system sends a random block of data for you to "sign" and you pass back the signed block.
With ssh key exchange, you establish a secure encrypted channel, then the remote system sends a random block of data for you to "sign" and you pass back the signed block.
If the signature verification passes with the public key set up on that remote system, you pass the credential check and it continues to see if you are authorized.
SSH keys are a matching set of cryptographic keys which can be used for authentication. Each set contains a public and a private key. The public key can be shared freely without concern, while the private key must be vigilantly guarded and never exposed to anyone.
The main diff here is that the private key used for logging in is never sent over the wire, whereas with password login the password is sent to the remote system. If d remote system were compromised, and collected passwords from ssh logins, it could not do the same for ssh keys.
Always keep you Private Keys Safe!
You MUST guard your private key! If you leave that laying around everywhere, it's like writing your password on the wall.
You MUST guard your private key! If you leave that laying around everywhere, it's like writing your password on the wall.
To authenticate using SSH keys, a user must hv an SSH key pair on their local system. On d remote server, d public key must be copied to a file within d user home dir at ~/.ssh/authorized_keys. This file contains a list of public keys, one-per-line, that r authorized to login.
How to set it up?
You can generate a keypair with the command:
ssh-keygen -t rsa -b 4096
You can generate a keypair with the command:
ssh-keygen -t rsa -b 4096
That creates a 4096 bit rsa keypair. You may have less bits in ur key size. By default, this creates files in ~/.ssh/id_rsa for d private key & ~/.ssh/id_rsa.pub for the public key. Now we hv our keypair, all we need to do is drop d public key on systems & we can start using it.
You can use the utilities in the openssh package to push the public key, this helps a little by creating the authorized_keys file with the correct permissions for us.
You can push your new ssh public key with ssh-copy-id:
ssh-copy-id -i ~/.ssh/id_rsa root@lco-linux-worker1
You can push your new ssh public key with ssh-copy-id:
ssh-copy-id -i ~/.ssh/id_rsa root@lco-linux-worker1
Let's Test it.
ssh -i ~/.id_rsa root@lco-linux-worker1 "uname -a"
If it gives u d output of uname from d remote system w/o prompting for your password (it may prompt for key decryption phrase, depending on whether you chose to encrypt ur key during generation), then you're set
ssh -i ~/.id_rsa root@lco-linux-worker1 "uname -a"
If it gives u d output of uname from d remote system w/o prompting for your password (it may prompt for key decryption phrase, depending on whether you chose to encrypt ur key during generation), then you're set
What If this doesn't work?
You can start with checking permissions on directories and the authorized_keys file. Another place to look is the sshd_config on the remote system to make sure PubkeyAuthentication isn't disabled.
You can start with checking permissions on directories and the authorized_keys file. Another place to look is the sshd_config on the remote system to make sure PubkeyAuthentication isn't disabled.
Removing or Changing the Passphrase on a Private Key -
To change or remove the passphrase, simply type:
ssh-keygen -p
To change or remove the passphrase, simply type:
ssh-keygen -p
What is SSH Key Fingerprint and how to display it?
Key fingerprints are special checksums generated based on the public SSH key. Run against the same key, ssh-keygen command will always generate the same fingerprint.
Run ssh-keygen cmd to get dfingerprint of the id_rsa keypair
Key fingerprints are special checksums generated based on the public SSH key. Run against the same key, ssh-keygen command will always generate the same fingerprint.
Run ssh-keygen cmd to get dfingerprint of the id_rsa keypair
Something advanced -
If you encrypted your key during generation, and you get prompted for decryption phrase every time you use it, you may be wondering where the convenience is. Here's where ssh-agent comes in.
If you encrypted your key during generation, and you get prompted for decryption phrase every time you use it, you may be wondering where the convenience is. Here's where ssh-agent comes in.
What is SSH-Agent?
ssh-agent is ssh's authentication agent, described in it's man page as "ssh-agent is a program to hold private keys used for public key authentication". It's meant to hold private keys decrypted in-memory for ssh to use.
ssh-agent is ssh's authentication agent, described in it's man page as "ssh-agent is a program to hold private keys used for public key authentication". It's meant to hold private keys decrypted in-memory for ssh to use.
You start the agent, and load ur private keys from disk, giving d decrypt phrase for each one. Then through d day, when a key is needed, ssh talks to d agent & doesn't prompt for decrypt phrases. At d end of d day, the computer is shut down, & d keys are encrypted at rest again.
How to use ssh-agent?
Run the following command:
eval $(ssh-agent)
We use "eval" here because ssh-agent outputs variables we want our shell to pick up, like where the agent socket is and what pid the process is running.
Run the following command:
eval $(ssh-agent)
We use "eval" here because ssh-agent outputs variables we want our shell to pick up, like where the agent socket is and what pid the process is running.
Add you private key:
ssh-add ~/.ssh/id_rsa
And check it with:
ssh-add -l
ssh-add ~/.ssh/id_rsa
And check it with:
ssh-add -l
Forwarding ur SSH Creds to Use on a Server:
you can fw d auth agent socket thru ssh by using d "-A" option. This would allow you to use d agent from a remote host for d duration of d ssh session. It's kind of like having d priv key on d remote host without ever putting it there!
you can fw d auth agent socket thru ssh by using d "-A" option. This would allow you to use d agent from a remote host for d duration of d ssh session. It's kind of like having d priv key on d remote host without ever putting it there!
To start, you must have your SSH agent started and your SSH key added to the agent. After this is done, you need to connect to your first server using the -A option. This forwards your credentials to the server for this session.
ssh -A root@lco-linux-worker1
ssh -A root@lco-linux-worker1
β’ β’ β’
Missing some Tweet in this thread? You can try to
force a refresh
γ
