SSH private key

[fred974]

Hello everyone

I have to implement a stronger login security to my server. So I decided to use SSH private key authentication. My question is: do I need a public and private key for each individual user on the server or do I use the same key for everyone? Last question is: can any user run this command or does it have to be root?

mkdir .ssh
chmod 700 .ssh
cd .ssh
cat ../id_rsa_mydesktop.pub >> authorized_keys

Thank you all.

Fred

 

[fonz]

The former.

 

[SirDice]

Do I need a public and private key for each individual user on the server or do I use the same key for everyone?

Every user needs to have his or her own public and private key. It's the private key that authenticates a user.

Last question is:
Can any user run this command or does it have to be root?

mkdir .ssh
chmod 700 .ssh
cd .ssh
cat ../id_rsa_mydesktop.pub >> authorized_keys

Yes.

 

[fred974]

Hi @SirDice,

Did you say yes for

any user run this command

or

it have to be root to run this command

Thank you.

 

[fonz]

You asked "A or B". A is true, so "A or B" is also true

For your reference: A means that every user can run it, B means it requires root.

 

[dvl@]

Fred: you want each user to have their own private/public key pair. Any user can generate their own keys.

 

[fred974]

Thank you guys,

I tried and tested. All is working good

 

[fred974]

Fred: you want each user to have their own private/public key pair. Any user can generate their own keys.

Just one more question. What will happen when I create a new user? Will they be able to login without a key? As I have PasswordAuthentication no in sshd_config.

 

[fonz]

New users will have to create a public-private keypair on the machine they are logging in from (if they haven't done so already) and send you the public key, which you can put into their ~/.ssh/authorized_keys. From then on, they can manage things themselves (e.g. adding, changing or removing keys) and will only need your help if they somehow manage to lock themselves out.

 

[kpa]

Just to make it clear if you're wondering. It is perfectly safe to transmit the public keys in the clear in for example an email. It's only the matching private keys that have to be kept safe.

 

[fred974]

Thanks for clarifying guys

 

[throAU]

As per above - the private key should ideally be generated on the machine the user will be connecting from, or another machine - NOT the destination server. This is so that only the end user has a copy of their private key. No one else should have this!

If the client is a Windows machine, run putty-keygen to generate the key-pair, and copy the public key up to the server.

Whatever you do, do not store the user's private key on the server they are connecting to, especially if it is accessible from the internet.

The user can re-use their public key on any server they wish to log in to, and it will only need to be changed if their private key is compromised. If a user's private key is stolen, they MUST inform you, so you can remove the matching public key.

They should also be using passphrases on the private key, so that if it is stolen, you have a chance that the thief will be held up for a bit trying to crack the passphrase - assuming they haven't stolen that from somewhere too. If you are informed of a private key compromise, you need to remove the user's public key from your servers.

The private key is the equivalent of the user's password in password based authentication, and should be kept secure.