02. SSH Keys and Uploading onto the Server RSA, DSA

Let's now discuss SSH keys, which are central to how SSH authenticates you to a server. Using SSH keys is far more secure than typing passwords: a key is thousands of bits of random data that cannot be guessed by brute force, whereas a password is limited to what a person can remember and type.

Why use keys?

Keys serve several advantages over regular passwords:

  • The private key never leaves the local machine, unlike a password. Every time you type a password into a remote system there is a chance it gets stolen (e.g. by a keylogger, or by a compromised server that records what you sent).
  • With the SSH tools introduced shortly, there will be no need to type in a password every time you log in to a remote server.
  • With a key, a man in the middle gains nothing from a captured login: the client proves possession of the private key by signing data that includes the identifier of the current session, so the signature cannot be replayed to authenticate on any other connection. Protection against a man in the middle still relies on you verifying the server's host key fingerprint the first time you connect.

Generating SSH Keys

With the ssh-keygen command, we can easily generate and inspect keys to be used with remote hosts. Keys come in pairs (a private half and a public half), and have different types.

DSA and RSA

Digital Signature Algorithm (DSA) relies on the hardness of the discrete logarithm problem, while RSA relies on the hardness of factoring large numbers. Both problems are hard enough that the private key cannot be recovered from the public key, which is what makes them usable for authentication. Note that in SSH both are used to sign and verify, not to encrypt. DSA is the weaker choice: ssh-keygen only produces 1024-bit DSA keys, well below what is considered adequate today, and every DSA signature needs a fresh, unpredictable random number (a repeated or biased one leaks the private key). OpenSSH has disabled DSA keys by default since version 7.0.

DSA signs faster than RSA but verifies more slowly; RSA is the opposite. For logging in, the difference is not noticeable.

There are other types of keys. Most older SSH keys are RSA or DSA, but ssh-keygen also generates ecdsa and ed25519 keys, and Ed25519 is the recommended type wherever the server runs OpenSSH 6.5 or later. You may look up the key types in ssh-keygen's man page. To specify the type when creating the keys, pass in the -t option. The default key type was RSA when this was written (the output below shows 2048-bit RSA); recent versions of ssh-keygen default to Ed25519.

Another option you may specify is -b, the number of bits in the key. For RSA, more bits means a stronger key: 2048 is the minimum you should accept today, and 3072 or 4096 is a better choice. Ed25519 keys have a fixed size, so -b is ignored for them, and DSA keys must be exactly 1024 bits.

When creating new SSH keypairs, remember two things:

  • If you've already created SSH keys, there is no need to run the following command again unless you want a separate key for a particular purpose (use -f to give it a different file name). ssh-keygen will ask whether to overwrite the existing file; if you agree, the old private key is gone, and every server that trusts its public key will stop accepting you.
  • Remember to input a passphrase! It encrypts the private key on disk, so that a copy of the file (from a stolen laptop or an old backup) cannot be used without it. The longer the passphrase, the better, but don't use well-known quotes or sayings, which cracking tools try first.
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
cc:ac:8e:22:70:dd:67:97:a9:e4:de:f6:27:ea:37:c1 user@sscho1.mylabserver.com
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|         +       |
|  .   . S +      |
|. . . ..+ + E    |
|..  .= o .       |
|. . o o.. + .    |
| . .. ...o++.+   |
+-----------------+

Congratulations! You have just created your first SSH keypair. The two files are in your ~/.ssh directory.

$ ls ~/.ssh
id_rsa    id_rsa.pub

id_rsa is your private key. This stays on your local system, and you should never share it with anyone - not even your own mother! ssh-keygen creates it readable only by you (mode 600), and ssh will refuse to use it if that changes. id_rsa.pub is the public key, which is uploaded to remote servers.

For fun, let's also generate the dsa type (this worked on the OpenSSH version used here; current releases disable DSA by default). You'll end up with two additional files in your .ssh directory.

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
e4:97:ff:00:03:0b:25:d5:cc:64:c4:66:96:d8:b0:53 user@sscho2.mylabserver.com
The key's randomart image is:
+--[ DSA 1024]----+
|     ..+@E.      |
|      o.+@       |
|       . =+      |
|      + + .      |
|        S =      |
|       . +       |
|        o        |
|        o        |
|         .       |
+-----------------+

$ ls ~/.ssh
id_dsa    id_dsa.pub    id_rsa    id_rsa.pub

Remember that when more than one key pair exists, ssh does not pick the strongest one: it offers its default identity files in a fixed order (listed under IdentityFile in ssh_config(5)) and uses the first one the server accepts. To control which key is used, pass -i ~/.ssh/id_rsa on the command line or set IdentityFile in ~/.ssh/config.

How Public/Private keys are used to Encrypt/Decrypt data

The private key is stored on your local computer, and should never be shared with anyone. A public key, on the other hand, is copied to all remote servers you wish to access. We'll see how to do this shortly.

So what's the use of having a private and public key? They are used to prove who you are, not to encrypt your traffic. When a connection opens, client and server first run a key exchange (Diffie-Hellman) that produces symmetric session keys, and those session keys encrypt and decrypt every message across the network; this happens the same way whether you later log in with a key or with a password. Your key pair is used afterwards, during authentication: the client signs a message that includes the identifier of this session with the private key, and the server verifies the signature with the public key it finds in authorized_keys.

The private key signs, and the public key verifies. (Public-key encryption works the other way round, public key encrypts and private key decrypts, but that is not how SSH uses your login key.)
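The exchange just described, as an added example that is not part of the original page: the client signs the RFC 4252 "publickey" request, which includes the session identifier, and the server verifies it using nothing but the blob from authorized_keys. It uses only the Go standard library; Ed25519 stands in for the RSA/DSA keys in the text, the session identifiers are constructed values rather than the output of a real key exchange, and nothing touches the network. The second verification shows why a captured signature is useless to a man in the middle: it is valid for exactly one session.

```go
// Added example (not from the original page): what the key pair does in SSH
// "publickey" authentication (RFC 4252 section 7). Go standard library only;
// Ed25519 stands in for the RSA/DSA keys discussed in the text.
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

const keyType = "ssh-ed25519"

// sshString appends an SSH wire-format string: uint32 length, then the bytes.
func sshString(buf *bytes.Buffer, b []byte) {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(b)))
	buf.Write(l[:])
	buf.Write(b)
}

// readString is the inverse; ok is false when the length field overruns the data.
func readString(b []byte) (s, rest []byte, ok bool) {
	if len(b) < 4 || uint64(binary.BigEndian.Uint32(b)) > uint64(len(b)-4) {
		return nil, nil, false
	}
	n := binary.BigEndian.Uint32(b)
	return b[4 : 4+n], b[4+n:], true
}

// publicKeyBlob is the binary form that appears base64-encoded in id_*.pub and
// in authorized_keys: string "ssh-ed25519", then string <32 raw key bytes>.
func publicKeyBlob(pub ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	sshString(&buf, []byte(keyType))
	sshString(&buf, pub)
	return buf.Bytes()
}

// fingerprint matches `ssh-keygen -lf key.pub` on current OpenSSH: "SHA256:" plus
// unpadded base64 of SHA-256 over the blob (older versions printed the MD5 colon form).
func fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// userauthData is what the client signs: the session identifier (derived from the
// key exchange, so it differs per connection), SSH_MSG_USERAUTH_REQUEST (50), user
// name, service, "publickey", TRUE, algorithm name and the public key blob.
func userauthData(sessionID []byte, user string, blob []byte) []byte {
	var buf bytes.Buffer
	sshString(&buf, sessionID)
	buf.WriteByte(50)
	sshString(&buf, []byte(user))
	sshString(&buf, []byte("ssh-connection"))
	sshString(&buf, []byte("publickey"))
	buf.WriteByte(1)
	sshString(&buf, []byte(keyType))
	sshString(&buf, blob)
	return buf.Bytes()
}

// clientSign: only the signature crosses the network, never the private key.
func clientSign(priv ed25519.PrivateKey, sessionID []byte, user string) []byte {
	pub := priv.Public().(ed25519.PublicKey)
	return ed25519.Sign(priv, userauthData(sessionID, user, publicKeyBlob(pub)))
}

// serverVerify: the server has only the authorized_keys blob and its own view of
// the session identifier, and must rebuild exactly the same bytes to verify.
func serverVerify(blob, sessionID []byte, user string, sig []byte) bool {
	typ, rest, ok := readString(blob)
	if !ok || string(typ) != keyType {
		return false
	}
	raw, rest, ok := readString(rest)
	if !ok || len(raw) != ed25519.PublicKeySize || len(rest) != 0 {
		return false
	}
	return ed25519.Verify(ed25519.PublicKey(raw), userauthData(sessionID, user, blob), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	blob := publicKeyBlob(pub)
	fmt.Println(keyType, base64.StdEncoding.EncodeToString(blob), "user@laptop", fingerprint(blob))
	// Constructed session identifiers standing in for two separate key exchanges.
	sessionA, sessionB := bytes.Repeat([]byte{0xA1}, 32), bytes.Repeat([]byte{0xB2}, 32)
	sig := clientSign(priv, sessionA, "user")
	fmt.Println("accepted on session A:", serverVerify(blob, sessionA, "user", sig))
	fmt.Println("replayed on session B:", serverVerify(blob, sessionB, "user", sig))
}
```

Running it prints a public key line in the same format as id_ed25519.pub, its SHA256 fingerprint, `true` for the session the signature was made for and `false` for the other. The symmetric session keys that actually encrypt the connection never appear here; they come from the key exchange, not from this key pair.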

Copying Public Keys to a Remote Server

Now that we've generated keys and understood their purpose, let's learn how to copy our public keys to the remote server we wish to access.

The manual method

You may manually copy the public key by appending the contents of the public key to the end of ~/.ssh/authorized_keys, located on the server you wish to access.

$ cat ~/.ssh/id_rsa.pub | ssh user@54.201.157.251 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"

Notice that we simply issued a command after the ssh command. With this, we can run a one-line command on the server without opening an interactive shell (you still authenticate as usual).

This command appends the public key to the authorized_keys file, which lists every public key the server will accept for this account, one per line. Two things to watch: running it twice appends the same key twice, and sshd (with its default StrictModes) ignores the file if ~/.ssh or authorized_keys is writable by other users, so keep them at 700 and 600 respectively.
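The same append step with those two checks built in, as an added example that is not code from the original page: it validates that the line is a well-formed public key (the key type stored inside the base64 blob must match the declared type, which is the same check sshd makes), skips keys that are already present even if their comment differs, and creates ~/.ssh and authorized_keys with the permissions sshd expects. It is written in Go against the standard library; the sample key line is constructed for the demo and is not a real key, and a temporary directory stands in for the remote user's home.

```go
// Added example (not from the original page): a validated, idempotent version of
// the `cat id_rsa.pub | ssh ... "cat >> ~/.ssh/authorized_keys"` step above.
package main

import (
	"bytes"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// parseKeyLine validates one "<type> <base64 blob> [comment]" line. The type
// name stored inside the blob must equal the declared one (sshd checks this
// too). Option-prefixed lines such as command="..." are out of scope here.
func parseKeyLine(line string) (keyType, blob string, err error) {
	f := strings.Fields(line)
	if len(f) < 2 {
		return "", "", errors.New("expected '<type> <base64> [comment]'")
	}
	raw, err := base64.StdEncoding.DecodeString(f[1])
	if err != nil {
		return "", "", fmt.Errorf("bad base64: %w", err)
	}
	if len(raw) < 4 {
		return "", "", errors.New("blob too short")
	}
	n := binary.BigEndian.Uint32(raw)
	if uint64(n) > uint64(len(raw)-4) {
		return "", "", errors.New("blob truncated")
	}
	if string(raw[4:4+n]) != f[0] {
		return "", "", fmt.Errorf("declared %q but blob holds %q", f[0], raw[4:4+n])
	}
	return f[0], f[1], nil
}

// addAuthorizedKey appends pubLine to <home>/.ssh/authorized_keys unless the
// same type and blob are already present (the comment may differ). It creates
// the directory 0700 and the file 0600; with the default StrictModes, sshd
// ignores an authorized_keys that others can write. Returns true when added.
func addAuthorizedKey(home, pubLine string) (bool, error) {
	keyType, blob, err := parseKeyLine(pubLine)
	if err != nil {
		return false, err
	}
	dir := filepath.Join(home, ".ssh")
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return false, err
	}
	path := filepath.Join(dir, "authorized_keys")
	old, err := os.ReadFile(path)
	if err != nil && !errors.Is(err, os.ErrNotExist) {
		return false, err
	}
	for _, line := range strings.Split(string(old), "\n") {
		if t, b, err := parseKeyLine(line); err == nil && t == keyType && b == blob {
			return false, nil // already authorized, nothing to do
		}
	}
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_APPEND, 0o600)
	if err != nil {
		return false, err
	}
	defer f.Close()
	entry := strings.TrimSpace(pubLine) + "\n"
	// A hand-edited file may lack a final newline; without this the new key
	// would be glued onto the previous line and both would stop working.
	if len(old) > 0 && !bytes.HasSuffix(old, []byte("\n")) {
		entry = "\n" + entry
	}
	_, err = f.WriteString(entry)
	return err == nil, err
}

// sampleKey builds a constructed ssh-ed25519 line (32 placeholder key bytes,
// not a real key) so the example runs offline.
func sampleKey(comment string) string {
	blob := append([]byte("\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"), bytes.Repeat([]byte{0x42}, 32)...)
	return "ssh-ed25519 " + base64.StdEncoding.EncodeToString(blob) + " " + comment
}

func main() {
	home, err := os.MkdirTemp("", "sshdemo") // stands in for the remote user's $HOME
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(home)
	for _, line := range []string{sampleKey("user@laptop"), sampleKey("same key, new comment"), "ssh-rsa AAAA bogus"} {
		added, err := addAuthorizedKey(home, line)
		fmt.Printf("added=%v err=%v\n", added, err)
	}
}
```

The three calls in main show the three outcomes: the first key is added, the second (same key, different comment) is recognised as already present, and the malformed line is rejected before anything is written. On a real server you would run the equivalent with home set to the target user's home directory, as root or as that user.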

The more automated method

An easier way to perform the same function is with the ssh-copy-id command, which ships with OpenSSH on Linux distributions (Mac OS X did not include it when this was written, but it can be installed, for example with Homebrew). If you have more than one key in your ~/.ssh directory, ssh-copy-id does not pick the most secure one: it sends the identities loaded in ssh-agent if there are any, otherwise the most recently modified ~/.ssh/id*.pub. Use -i to name the key you want copied.

$ ssh-copy-id user@54.201.157.251 

Without a passphrase, you could access the server without typing anything at all! Great...but kind of insecure, no? Anyone who copies your id_rsa file gets exactly the same access.

However, if you followed this guide and entered a passphrase, you'll be prompted for the passphrase on every login. Secure? Yes. Convenient? No. To learn how to avoid typing the passphrase every time, we'll need to learn how to use ssh-agent.
