Let's now discuss SSH keys, which are essential to how SSH establishes a connection. Using SSH keys is far more secure than typing passwords, as the keys are much longer and cannot be cracked by brute force alone.
Keys offer several advantages over regular passwords.
With the ssh-keygen command, we can easily generate and review keys to use with remote hosts. Keys come in pairs and have different types.
The Digital Signature Algorithm (DSA) is based on discrete logarithms, while RSA is based on large-number factorization. Both DSA and RSA rely on computationally difficult problems, which is what makes them usable for security. DSA is considered easier to break by brute force than RSA, since RSA uses a more random key hash generator.
DSA is faster than RSA for encryption but slower for decryption; RSA is the opposite.
There are other types of keys, but most SSH keys are based on DSA and RSA. You may look up other key types in the ssh-keygen man page. To specify the type when creating the keys, pass the -t option. The default key type is RSA.
Another option you may specify is -b, which sets the number of bits used in the key. The greater the number of bits, the stronger your key is.
When creating new SSH keypairs, remember two things:
$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
cc:ac:8e:22:70:dd:67:97:a9:e4:de:f6:27:ea:37:c1 email@example.com
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|        +        |
|   . . S +       |
|. . . ..+ + E    |
|.. .= o .        |
|. . o o.. + .    |
| . .. ...o++.+   |
+-----------------+
Congratulations! You have just created your first SSH keypair. The two files are located in your ~/.ssh directory.
$ ls ~/.ssh
id_rsa  id_rsa.pub
id_rsa is your private key. This stays on your local system, and you should never share it with anyone - not even your own mother! id_rsa.pub is the public key, which is uploaded to remote servers.
For fun, let's also generate a key of the dsa type. You'll then end up with two additional files in your .ssh directory.
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
e4:97:ff:00:03:0b:25:d5:cc:64:c4:66:96:d8:b0:53 firstname.lastname@example.org
The key's randomart image is:
+--[ DSA 1024]----+
|      ..+@E.     |
|       o.+@      |
|       . =+      |
|        + + .    |
|        S =      |
|         . +     |
|          o      |
|          o      |
|           .     |
+-----------------+
$ ls ~/.ssh
id_dsa  id_dsa.pub  id_rsa  id_rsa.pub
Remember that by default, SSH uses the more complex keypair when more than one pair exists, so id_rsa would be used here.
The private key is stored on your local computer, and should never be shared with anyone. A public key, on the other hand, is copied to all remote servers you wish to access. We'll see how to do this shortly.
So what's the use of having a private and public key? The private and public keys are used to establish a secure connection and to generate what are known as symmetric session keys. Those session keys are then used to encrypt and decrypt messages across the network.
Now that we've generated keys and understood their purpose, let's learn how to copy our public key to the remote server we wish to access.
You may manually copy the public key by appending the contents of the public key to the end of ~/.ssh/authorized_keys, located on the server you wish to access.
$ cat ~/.ssh/id_rsa.pub | ssh email@example.com "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
Notice that we simply issued a command after the ssh command. With this, we can run a single line of commands on the server without having to log in interactively.
This command appends the public key to the authorized_keys file, which lists the public keys of all machines the server should accept.
An easier way to perform the same function is the ssh-copy-id command, which is only available on Linux distributions (sorry Mac OS X users). If you have more than one type of key within your ~/.ssh directory, the more secure one will be transferred (this usually means RSA).
$ ssh-copy-id firstname.lastname@example.org
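As an added example (not code from this article), here is the server-side part of what both the manual command above and ssh-copy-id do, written as a POSIX shell function: it creates ~/.ssh and authorized_keys with the permissions sshd expects, rejects a malformed key line, and appends the key only if the same type and key data are not already present. The function names, the optional second argument and the sample key data in the comments are assumptions.

```shell
#!/bin/sh
# Server-side equivalent of the article's manual copy command and of
# ssh-copy-id: put the key in ~/.ssh/authorized_keys with safe permissions
# (sshd ignores the file when it or ~/.ssh is group/world writable) and
# append it only once, so re-running never duplicates entries.

# install_pubkey PUBKEY_FILE [AUTHORIZED_KEYS]
# Exit status 0 if the key is authorised afterwards, 1 if the key line is malformed.
install_pubkey() {
    pubkey_file=$1
    auth_keys=${2:-"$HOME/.ssh/authorized_keys"}
    ssh_dir=$(dirname "$auth_keys")

    # A public key line is "<type> <base64 blob> [comment]". The blob is the
    # identity; the comment is free text, so we match on type + blob only.
    key_line=$(head -n 1 "$pubkey_file")
    key_type=$(printf '%s\n' "$key_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    case "$key_type" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "install_pubkey: unrecognised key type '$key_type'" >&2; return 1 ;;
    esac
    [ -n "$key_blob" ] || { echo "install_pubkey: missing key data" >&2; return 1; }

    # Create the directory and file owner-only; the subshell keeps the umask
    # change from leaking into the caller's shell.
    (umask 077; mkdir -p "$ssh_dir"; touch "$auth_keys")
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_keys"

    # Exact match on the first two fields (lines that start with
    # authorized_keys options such as command="..." are not matched here).
    if awk -v t="$key_type" -v b="$key_blob" \
           '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth_keys"; then
        echo "install_pubkey: key already authorised, nothing to do"
    else
        printf '%s\n' "$key_line" >> "$auth_keys"
    fi
}

# count_key_entries AUTHORIZED_KEYS: number of key lines (blank and comment lines skipped)
count_key_entries() {
    grep -c -v -e '^#' -e '^$' "$1" || true
}
```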
Without a passphrase, you can now access the server without a password! Great... but kind of insecure, no?
However, if you followed this guide and entered a passphrase, you'll be prompted for that passphrase instead. Secure? Yes. Convenient? No. To learn how to avoid typing the passphrase every time, we'll need to learn how to use