ssh keygen and stuff

Written by Walter

This is just to remember how to install public keys.
Got it from here : ssh tutorial

About public key cryptography

Public key cryptography uses a public key to encrypt data and a private key to decrypt it. The name public key comes from the fact that you can make the encryption key public without compromising the secrecy of the data or the decryption key.

What this means is that it is safe to send your public key (i.e. the contents of the ~/.ssh/ file) in electronic mail or by other means e.g. to have a system administrator of a remote site install that key into your ~/.ssh/authorized_keys file. For anyone to actually gain access they need the corresponding private key (i.e. the decrypted contents of ~/.ssh/id_rsa) to identify themselves.

To further protect your private key you should enter a passphrase to encrypt the key when it is stored in the filesystem. This will prevent people from using it even if they gain access to your files.
Creating your authentication key

The very first step is to use ssh-keygen to create an authentication key for yourself. In most cases the defaults for this command are what you want.

Always, always, type in a good pass-phrase when prompted for one. It can be multiple words (i.e. spaces are just fine within the phrase), so you could choose a sentence that you can remember. Changing some of the words by misspelling them or by changing some of the letters into digits is highly recommended to increase the strength of your pass phrase.

Here is a sample session, your input is in bold. Note that the pass-phrase is not echoed back as you type it.

beowulf% ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/u/kim/.ssh/id_rsa): [RETURN]
Enter passphrase (empty for no passphrase): litt1e 1amp jumb3d
Enter same passphrase again: litt1e 1amp jumb3d
Your identification has been saved in /u/kim/.ssh/id_rsa.
Your public key has been saved in /u/kim/.ssh/
The key fingerprint is:

If you have multiple accounts you might want to create a separate key on each of them. I have separate keys for

* my office environment
* my private systems
* my Internet service provider (ISP) systems
* my university account

This allows me to limit access between these organizations, e.g. not allowing the university account to access my ISP account or the machines in the office. This enhances the overall security in case any of the authentication keys are compromised for some reason.
Changing your pass-phrase

You can change the pass-phrase at any time by using the -p option of ssh-keygen.

beowulf% ssh-keygen -p
Enter file in which the key is (/u/kim/.ssh/id_rsa): [RETURN]
Enter old passphrase: litt1e 1amp jumb3d
Key has comment '/u/kim/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase): br0wn cow 3ats grass
Enter same passphrase again: br0wn cow 3ats grass
Your identification has been saved with the new passphrase.

The pass-phrases are not echoed as you type them.
Authorizing access

To allow access to a system for a given identity place the public key in your ~/.ssh/authorized_keys file on that system. All keys listed in that file are allowed access.

Usually you will want to authorize access to the local system using the local key (especially in an environment where multiple systems share the same home directory e.g. using NFS). Thus a good start is to copy the public key for your default identity into the ~/.ssh/authorized_keys file.

beowulf% cd ~/.ssh
beowulf% cp authorized_keys

You could now copy the ~/.ssh/authorized_keys file to other systems to allow access from the local system. One way to copy the file is to use the scp command, like this:

beowulf% scp -p ~/.ssh/authorized_keys hrothgar:.ssh/
kim@hrothgar’s password: YourPasswordHere
authorized_keys 100% 1839 1.2MB/s 00:00

As no identities have been authorized yet on the remote system, you will be asked for your regular login password as seen above. It will not be echoed as you type it. The Copying files between systems section has more information about scp.

Use a text editor to add more keys to the file. If you use cut and paste to copy the key make sure each key entry is a single line in the file. The keys to add are always the public keys (from files with the .pub extension).

NOTE: To gain access to restricted systems you might need to send your public key in electronic mail to the administrator of the system. Just include the contents of the ~/.ssh/ file in the message.
Directory and file permissions

If access to the remote system is still denied you should check the permissions of the following files on it:

* the home directory itself
* the ~/.ssh directory
* the ~/.ssh/authorized_keys file

The permissions should allow writing only by you (the owner). This example shows the most relaxed permissions you could use.

hrothgar% cd
hrothgar% ls -ld . .ssh .ssh/authorized_keys
drwxr-xr-x 36 kim kim 4096 Jul 25 02:24 .
drwxr-xr-x 2 kim kim 512 Apr 10 02:30 .ssh
-rw-r--r-- 1 kim kim 1674 Apr 10 02:29 .ssh/authorized_keys

To make the remote system allow access you must change the permissions to disallow writing by others than the owner.

hrothgar% cd
hrothgar% chmod go-w . .ssh .ssh/authorized_keys

Remember to do this on all the systems you want to have access to.

Back to archive