Using SSH keys in Linux/en: Difference between revisions

From Alliance Doc
Jump to navigation Jump to search
(Updating to match new version of source page)
(Updating to match new version of source page)
Line 43: Line 43:
<li>Verify permissions:  
<li>Verify permissions:  
:*use the <code>chmod 600 /home/USERNAME/.ssh/authorized_keys</code> command for file <code>/home/USERNAME/.ssh/authorized_keys</code>;
:*use the <code>chmod 600 /home/USERNAME/.ssh/authorized_keys</code> command for file <code>/home/USERNAME/.ssh/authorized_keys</code>;
:*use the <code>chmod 700 /home/USERNAME/.ssh</code> command for directory <code>/home/USERNAME/.ssh/</code>.
:*use the <code>chmod 700 /home/USERNAME/.ssh</code> command for directory <code>/home/USERNAME/.ssh/</code>;
:*ensure your home directory is writable only by yourself with <code>chmod go-w /home/USERNAME</code>. (You should never make your home directory writable by your group or other users for security reasons.)
<li>If you were logged in with admin privileges and used the <code>sudo</code> command when you created the <code>authorized_keys</code> file, make sure user <code>USERNAME</code> is the owner for
<li>If you were logged in with admin privileges and used the <code>sudo</code> command when you created the <code>authorized_keys</code> file, make sure user <code>USERNAME</code> is the owner for
:* directory <code>/home/USERNAME/.ssh</code> with the <code>sudo chown USERNAME:USERNAME /home/USERNAME/.ssh</code> command;
:* directory <code>/home/USERNAME/.ssh</code> with the <code>sudo chown USERNAME:USERNAME /home/USERNAME/.ssh</code> command;

Revision as of 19:39, 15 November 2019

Other languages:

Parent page: SSH

Creating a key pair

Before creating a new key pair, check to see if you already have one. Key pairs are typically located in the .ssh/ directory in your home directory. The default key names are id_rsa for the private key and id_rsa.pub for the public key.

To create a key pair, use the ssh-keygen command.

[name@server]$ ssh-keygen -b 2048 -t rsa

The output will be similar to

Generating public/private rsa key pair.
Enter file in which to save the key (/home/ubuntu/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ubuntu/.ssh/id_rsa.
Your public key has been saved in /home/ubuntu/.ssh/id_rsa.pub.
The key fingerprint is:
ef:87:b5:b1:4d:7e:69:95:3f:62:f5:0d:c0:7b:f1:5e ubuntu@test-key
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|           .     |
|            o .  |
|        S    o o.|
|         .  + +oE|
|          .o O.oB|
|         .. +oo+*|
|          ... o..|
+-----------------+

When prompted, enter a passphrase. If you already have key pairs saved with the default names, you may wish to enter a different file name for the new keys so as not to overwrite existing key pairs.

Connecting using a key pair

  1. Once your key pair has been created, copy the public key from your local machine (in our example, /home/ubuntu/.ssh/id_rsa.pub) to the /home/USERNAME/.ssh/authorized_keys file on the server you wish to connect to.
    If the authorized_keys file already exists, add your public key as a new line at the bottom of this file with an editor such as vim or nano.
  2. Verify permissions:
    • use the chmod 600 /home/USERNAME/.ssh/authorized_keys command for file /home/USERNAME/.ssh/authorized_keys;
    • use the chmod 700 /home/USERNAME/.ssh command for directory /home/USERNAME/.ssh/;
    • ensure your home directory is writable only by yourself with chmod go-w /home/USERNAME. (You should never make your home directory writable by your group or other users for security reasons.)
  3. If you were logged in with admin privileges and used the sudo command when you created the authorized_keys file, make sure user USERNAME is the owner for
    • directory /home/USERNAME/.ssh with the sudo chown USERNAME:USERNAME /home/USERNAME/.ssh command;
    • file authrorized_keys with the sudo chown USERNAME:USERNAME /home/USERNAME/.ssh/authorized_keys command.
  4. Finally test the new key by sshing to the remote machine from the local machine with
    [name@server]$ ssh -i /home/ubuntu/.ssh/id_rsa USERNAME@ADDRESS
    

    where

    • /home/ubuntu/.ssh/id_rsa specifies your private key file;
    • USERNAME is the user name on the remote machine;
    • ADDRESS is the address of the remote machine.

    If you have administrative access on the server and created the account for other users, they should test the connection out themselves and not disclose their private key.