====================================
Original post by J65nko @ daemonforums.org
====================================
* Introduction
* Generate public and private RSA key pair with 'ssh-keygen'
* View the RSA key pair
* Copy the public key 'id_rsa.pub' to the server
* Check the '.ssh/authorized_keys' file
* Home work/assignment
Introduction
Buried rather deep in the ssh(1) man page is a very terse outline of how public key authentication works, and of how to create and distribute keys.
For more information about public key authentication see http://en.wikipedia.org/wiki/Public-key_cryptography.
Code:
Public key authentication works as follows: The scheme is based on pub-
lic-key cryptography, using cryptosystems where encryption and decryption
are done using separate keys, and it is unfeasible to derive the decryp-
tion key from the encryption key. The idea is that each user creates a
public/private key pair for authentication purposes. The server knows
the public key, and only the user knows the private key. ssh implements
public key authentication protocol automatically, using either the RSA or
DSA algorithms. Protocol 1 is restricted to using only RSA keys, but
protocol 2 may use either. The HISTORY section of ssl(8) contains a
brief discussion of the two algorithms.
The file ~/.ssh/authorized_keys lists the public keys that are permitted
for logging in. When the user logs in, the ssh program tells the server
which key pair it would like to use for authentication. The client
proves that it has access to the private key and the server checks that
the corresponding public key is authorized to accept the account.
The user creates his/her key pair by running ssh-keygen(1). This stores
the private key in ~/.ssh/identity (protocol 1), ~/.ssh/id_dsa (protocol
2 DSA), or ~/.ssh/id_rsa (protocol 2 RSA) and stores the public key in
~/.ssh/identity.pub (protocol 1), ~/.ssh/id_dsa.pub (protocol 2 DSA), or
~/.ssh/id_rsa.pub (protocol 2 RSA) in the user's home directory. The us-
er should then copy the public key to ~/.ssh/authorized_keys in his/her
home directory on the remote machine. The authorized_keys file corre-
sponds to the conventional ~/.rhosts file, and has one key per line,
though the lines can be very long. After this, the user can log in with-
out giving the password.
The steps in the last paragraph are a little confusing because 'ssh' supports two protocols, SSH protocol 1 and protocol 2, and in addition two types of public keys, RSA and DSA.
SSH protocol 1 is unsafe and should be avoided. See the Wikipedia ssh article.
Leaving out the protocol 1 material and choosing only RSA keys, the procedure can be rephrased as follows:
Code:
The user creates his/her key pair by running ssh-keygen(1).
This stores the private key in ~/.ssh/id_rsa (protocol 2 RSA)
and stores the public key in ~/.ssh/id_rsa.pub (protocol 2 RSA)
in the user's home directory.
The user should then copy the public key to ~/.ssh/authorized_keys
in his/her home directory on the remote machine.
Generate public and private RSA key pair with 'ssh-keygen'
From ssh-keygen(1):
Code:
ssh-keygen generates, manages and converts authentication keys for
ssh(1). ssh-keygen can create RSA keys for use by SSH protocol version 1
and RSA or DSA keys for use by SSH protocol version 2. The type of key
to be generated is specified with the -t option. If invoked without any
arguments, ssh-keygen will generate an RSA key for use in SSH protocol 2
connections.
Not being lazy, we specify the RSA key type explicitly with the -t option.
Code:
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/j65nko/.ssh/id_rsa): Enter
Created directory '/home/j65nko/.ssh'.
Enter passphrase (empty for no passphrase): Enter
Enter same passphrase again: Enter
Your identification has been saved in '/home/j65nko/.ssh/id_rsa'.
Your public key has been saved in '/home/j65nko/.ssh/id_rsa.pub'.
The key fingerprint is:
40:e5:83:2a:bf:20:61:92:73:c7:7e:b6:13:da:05:e1 j65nko@protogoras.utp.xnet
The private key can be secured with a passphrase. If you specify one, you will be prompted for this passphrase instead of the login password of the remote box.
ssh-keygen(1) has this to say about the passphrase:
Code:
The program also asks for a passphrase. The passphrase may
be empty to indicate no passphrase (host keys must have an
empty passphrase), or it may be a string of arbitrary length.
A passphrase is similar to a password, except it can be a
phrase with a series of words, punctuation, numbers, whitespace,
or any string of characters you want. Good passphrases are
10-30 characters long, are not simple sentences or otherwise
easily guessable (English prose has only 1-2 bits of entropy
per character, and provides very bad passphrases), and contain
a mix of upper and lowercase letters, numbers, and non-alphanu-
meric characters. The passphrase can be changed later by using
the -p option.
There is no way to recover a lost passphrase. If the passphrase
is lost or forgotten, a new key must be generated and copied
to the corresponding public key to other machines.
The 'id_rsa' and 'id_rsa.pub' entries of the ssh-keygen(1) FILES section:
Code:
~/.ssh/id_rsa
Contains the protocol version 2 RSA authentication identity of
the user. This file should not be readable by anyone but the us-
er. It is possible to specify a passphrase when generating the
key; that passphrase will be used to encrypt the private part of
this file using 3DES. This file is not automatically accessed by
ssh-keygen but it is offered as the default file for the private
key. ssh(1) will read this file when a login attempt is made.
~/.ssh/id_rsa.pub
Contains the protocol version 2 RSA public key for authentica-
tion. The contents of this file should be added to
~/.ssh/authorized_keys on all machines where the user wishes to
log in using public key authentication. There is no need to keep
the contents of this file secret.
View the RSA key pair
Because it did not already exist, ssh-keygen created a '.ssh' directory with very restricted permissions:
Code:
$ ls -ld .ssh
drwx------ 2 j65nko j65nko 512 Jun 16 20:27 .ssh
The private key 'id_rsa' also has very restricted file permissions: readable and writable by the user only.
The public key 'id_rsa.pub' is world-readable.
Code:
$ ls -al .ssh
total 16
drwx------ 2 j65nko j65nko 512 Jun 16 20:27 .
drwxr-xr-x 3 j65nko j65nko 512 Jun 16 20:28 ..
-rw------- 1 j65nko j65nko 1675 Jun 16 20:27 id_rsa
-rw-r--r-- 1 j65nko j65nko 408 Jun 16 20:27 id_rsa.pub
Code:
$ cd .ssh
$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAnziCaL2QQVhGcGwNxjHkviWFLMrIyAvtoZytyVH+UduCnhySenOzU46CXC6qTSojhkM8
v6a4nZA40DGy85VzjyBNDyughcQZLDYouZ1iRB/N9TWIxGbuIrUtjpAD+hZzG5NbJ5uiClUJGu9kt8eeO4id47dxaSKTjB+p073AoPk+
O8CGNFAUisqIvD4iE/BxuB8rT6VUdoVsJjEINQD3MvF83LCNft2oUSmNQOo4kExONas37IajCpnnQMAEDOduwroR2rSUyeXrmOunzZYl
== j65nko@protogoras.utp.xnet
Copy the public key 'id_rsa.pub' to the server
Code:
$ cat id_rsa.pub | ssh j65nko@192.168.222.44 'cat >>.ssh/authorized_keys'
The authenticity of host '192.168.222.44 (192.168.222.44)' can't be established.
RSA key fingerprint is 1a:1f:ab:96:c7:ad:1a:3f:9c:e8:2d:73:0f:28:98:07.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.222.44' (RSA) to the list of known hosts.
j65nko@192.168.222.44's password: .......
Explanation of the command:
cat id_rsa.pub | ssh j65nko@192.168.222.44 'cat >>.ssh/authorized_keys'
The 'cat' program writes the contents of 'id_rsa.pub' to standard output. This output is piped through an ssh connection to 192.168.222.44, where it appears on standard input.
The ssh connection is passed the command 'cat >>.ssh/authorized_keys', which appends its standard input to the file '.ssh/authorized_keys' on the 192.168.222.44 box. After this command has finished, the ssh connection terminates.
IMPORTANT: Note the use of single quotes around the command. They prevent the current shell on the client machine from interpreting the '>>' file append symbols; without the quotes, the output of ssh would be appended to a local file '.ssh/authorized_keys' on the client instead.
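As an added example (not part of J65nko's post), a server-side shell helper that does what the 'cat >>.ssh/authorized_keys' step above does, but also creates '.ssh' and 'authorized_keys' with the same restrictive modes ssh-keygen gave the client's files, refuses input that is not exactly one public key line, and skips a key that is already authorized. The function names are assumed, the key in the comments is constructed, and the key types beyond the RSA and DSA of the post are those current OpenSSH also accepts.

```shell
#!/bin/sh
# Added example, not from the original post: install one public key into an
# authorized_keys file the way the post's "cat >>.ssh/authorized_keys" does, while
# also enforcing the 700/600 modes the post shows on the client side, rejecting
# anything that is not one public key line, and not appending duplicates.
# Function names are assumed; any sample key used with them is constructed.

# Accept one OpenSSH public key line: "<type> <base64 blob> [comment]".
# Lines that start with options (command="...", from="...") are deliberately rejected.
key_line_ok() {
    printf '%s\n' "$1" | awk '
        NR > 1 { bad = 1 }                      # more than one line: refuse
        NR == 1 {
            # ssh-rsa and ssh-dss are the types the post discusses; the others are
            # the key types current OpenSSH also accepts
            if ($1 !~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/) bad = 1
            if ($2 !~ /^[A-Za-z0-9+\/]+=*$/) bad = 1
        }
        END { exit (bad || NR == 0) ? 1 : 0 }'
}

# install_authorized_key KEY [AUTHORIZED_KEYS_PATH]
install_authorized_key() {
    key=$1
    auth=${2:-"$HOME/.ssh/authorized_keys"}
    dir=$(dirname "$auth")
    key_line_ok "$key" || { echo "refusing: not a single public key line" >&2; return 1; }
    # umask 077 makes mkdir/touch create the dir as 700 and the file as 600 whatever
    # the login shell's umask is; the chmods also repair a pre-existing file
    ( umask 077; mkdir -p "$dir" && touch "$auth" ) || return 1
    chmod 700 "$dir" && chmod 600 "$auth" || return 1
    # sshd matches on key type and blob only, so ignore the comment when deduplicating
    kt=$(printf '%s\n' "$key" | awk '{ print $1, $2 }')
    if awk -v kt="$kt" '($1 " " $2) == kt { found = 1 } END { exit found ? 0 : 1 }' "$auth"; then
        return 0                                # already authorized, nothing to do
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Number of key lines in an authorized_keys file (used to show the helper is idempotent).
count_keys() { wc -l < "$1" | tr -d ' '; }
```

On the server this replaces the bare 'cat >>', which neither creates '.ssh' when it is missing nor fixes its permissions, so sshd (with its default StrictModes) would silently ignore the file.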