Using SSH keys in Linux/en: Difference between revisions

Using SSH keys in Linux/en (view source)

Revision as of 19:34, 22 November 2019

580 bytes added , 4 years ago

Updating to match new version of source page

FuzzyBot

Bots

38,760

edits

@@ Line 4: / Line 4: @@
 =Creating a key pair=
-Before creating a new key pair, check to see if you already have one. Key pairs are typically located in the <code>.ssh/</code> directory in your home directory. The default key names are  <code>id_rsa</code> for the private key and <code>id_rsa.pub</code> for the public key.
+Before creating a new key pair, check to see if you already have one. If you do, but can't remember where you've used it, it's better to create a fresh one, since you shouldn't install a key of unknown security.
-To create a key pair, use the <code>ssh-keygen</code> command.
+Key pairs are typically located in the <code>.ssh/</code> directory in your home directory. By default, a key is named with an "id_" prefix, followed by the key type ("rsa", "dsa", "ed25519"), and the public key also has a ".pub" suffix.  So a common example is <code>id_rsa</code> and <code>id_rsa.pub</code>.
- <source lang="console">
+If you do need a new key, you can generate it with the <code>ssh-keygen</code> command:
+<source lang="console">
 [name@server]$ ssh-keygen -b 2048 -t rsa
+</source>
+(this example explicitly asks for a 2kbit RSA key, which is a reasonable choice.)
+The output will be similar to the following:
+<source lang="console">
+Generating public/private rsa key pair.
+Enter file in which to save the key (/home/username/.ssh/id_rsa):
+Enter passphrase (empty for no passphrase):
+Enter same passphrase again:
+Your identification has been saved in /home/username/.ssh/id_rsa.
+Your public key has been saved in /home/username/.ssh/id_rsa.pub.
+The key fingerprint is:
+ef:87:b5:b1:4d:7e:69:95:3f:62:f5:0d:c0:7b:f1:5e username@hostname
+The key's randomart image is:
++--[ RSA 2048]----+
+|                 |
+|                 |
+|           .     |
+|            o .  |
+|        S    o o.|
+|         .  + +oE|
+|          .o O.oB|
+|         .. +oo+*|
+|          ... o..|
++-----------------+
 </source>
-The output will be similar to
+When prompted, enter a passphrase. If you already have key pairs saved with the default names, you may wish to enter a different file name for the new keys to avoid overwriting existing key pairs.
- Generating public/private rsa key pair.
+=Installing the public part of the key=
- Enter file in which to save the key (/home/ubuntu/.ssh/id_rsa):
- Enter passphrase (empty for no passphrase):
+The simplest, safest way to install a key to a remote system is using the ssh-copy-id command:
- Enter same passphrase again:
+<source lang="console">
- Your identification has been saved in /home/ubuntu/.ssh/id_rsa.
+ssh-copy-id -i mynewkey graham.computecanada.ca:
- Your public key has been saved in /home/ubuntu/.ssh/id_rsa.pub.
+</source>
- The key fingerprint is:
+This assumes that the new keypair is named "mynewkey" and "mynewkey.pub", and that your username on the remote machine is the same as your local username.
- ef:87:b5:b1:4d:7e:69:95:3f:62:f5:0d:c0:7b:f1:5e ubuntu@test-key
- The key's randomart image is:
- +--[ RSA 2048]----+
- |                 |
- |                 |
- |           .     |
- |            o .  |
- |        S    o o.|
- |         .  + +oE|
- |          .o O.oB|
- |         .. +oo+*|
- |          ... o..|
- +-----------------+
-When prompted, enter a passphrase. If you already have key pairs saved with the default names, you may wish to enter a different file name for the new keys so as not to overwrite existing key pairs.
+If necessary, you can do this "manually" - in fact, ssh-copy-id isn't doing anything very magic.  It's simply connecting to the remote machine, and placing the public key into <code>.ssh/authorized_keys</code> in your home directory there.  The main benefit from using <code>ssh-copy-id</code> is that it will create files and directories if necessary, and will ensure that the permissions on them are correct.  You can do it entirely yourself by copying the public key file to the remote server, then:
+<code>
+mkdir ~/.ssh
+cat id_rsa.pub >> ~/.ssh/authorized_keys
+chmod --recursive go-rwx .ssh
+chmod go-w ~
+</code>
+SSH is picky about permissions, on both the client and the server.  SSH will fail if the following conditions are not met:
+<ul>
+<li>The private key file must not be accessible to others. <code> chmod go-rwx id_rsa </code>
+<li>Your remote home directory must not be writable by others <code> chmod go-w ~ </code>
+<li>Same for your remote ~/.ssh and ~/.ssh/authorized_keys <code> chmod --recursive go-rwxw ~/.ssh </code>
+</ul>
+Note that debugging the remote conditions may bot be obvious without the help of the remote machine's system administrators.
 =Connecting using a key pair=
-<ol>
-<li>Once your key pair has been created, copy the public key from your local machine (in our example, <code>/home/ubuntu/.ssh/id_rsa.pub</code>) to the <code>/home/USERNAME/.ssh/authorized_keys</code> file on the server you wish to connect to.
-:If the <code>authorized_keys</code> file already exists, add your public key as a new line at the bottom of this file with an editor such as vim or nano.</li>
-<li>Verify permissions:
-:*use the <code>chmod 600 /home/USERNAME/.ssh/authorized_keys</code> command for file <code>/home/USERNAME/.ssh/authorized_keys</code>;
-:*use the <code>chmod 700 /home/USERNAME/.ssh</code> command for directory <code>/home/USERNAME/.ssh/</code>;
-:*ensure your home directory is writable only by yourself with <code>chmod go-w /home/USERNAME</code>. (You should never make your home directory writable by your group or other users for security reasons.)
-<li>If you were logged in with admin privileges and used the <code>sudo</code> command when you created the <code>authorized_keys</code> file, make sure user <code>USERNAME</code> is the owner for
-:* directory <code>/home/USERNAME/.ssh</code> with the <code>sudo chown USERNAME:USERNAME /home/USERNAME/.ssh</code> command;
-:* file <code>authrorized_keys</code> with the <code>sudo chown USERNAME:USERNAME /home/USERNAME/.ssh/authorized_keys</code> command.</li>
 <li>Finally test the new key by sshing to the remote machine from the local machine with
 <source lang="console">[name@server]$ ssh -i /home/ubuntu/.ssh/id_rsa USERNAME@ADDRESS</source>