SSH Keys

From Alliance Doc
Revision as of 15:24, 30 September 2020 by Diane27 (talk | contribs)
Jump to navigation Jump to search
Other languages:

Parent page: SSH

SSH relies on public key cryptography (PK) for its security. PK is based on a "keypair", which consists of a private part (to be kept secret) and a public part, which can be disseminated freely. Anyone can use the public key to encode a message, but only someone who knows the private key can decode the message. PK can also be used to verify identities: if someone is claiming to be Alice, then a second party, Bob, can send Alice a message encoded with Alice's public key. If the person claiming to be Alice can then tell Bob what is in the message, then that person has access to Alice's private key.

PK systems are the basis for the SSL and TLS protocols that protect most internet traffic, such as https websites.

On our systems, PK is used in SSH several ways:

When connecting to our systems, your ssh client normally our system's public key to ensure that it has connected to the real (authentic) server.
The PK is used to establish an encrypted session so that all following traffic is secure from eavesdropping.
The remote system can use your public key (found in .ssh/authorized_keys in your home folder) to verify your identity. If that fails, the remote system can ask for your password. This is really a secondary authentication mechanism, and is less desirable because your password is handled and possibly exposed.

We strongly recommend using PK for authentication. This requires some additional configuration, but winds up being both more secure and more convenient.

To use keys for authentication, you must:

  • Generate a key pair (private and public)
  • Copy the public key to remote systems you want to log into and add it to your .ssh/authorized_keys file (see using ssh keys in linux)
  • Ensure permissions are set properly, as described in using ssh keys in linux
  • Test.

When generating a key pair, you must supply a strong passphrase. If you do not supply a passphrase, or if it can be guessed, then anyone who obtains a copy of your private key can login to any machines where the public key is installed.

The process of generating an ssh key pair will depend on the operating system you use. For the Windows Putty or MobaXterm clients, see Generating SSH keys in Windows. For a Unix-like environment (Linux, Mac, Windows Subsystem for Linux or Cygwin), see Using SSH keys in Linux. In addition if you are using the cloud, OpenStack also provides a method for creating keypairs see the ssh key pair section on the cloud quick start page.

Here are some links to two-minute videos on setting up SSH keys: