SSH-Keys
SSH keys are an alternative to username/password credentials for authenticating to resources that are reachable over SSH or SFTP. They can enhance the security of your account, particularly when password-based authentication is replaced with key-based authentication.
An SSH key has security advantages over a username/password: it is not vulnerable to brute-force password guessing, keystroke logging, or a poorly chosen password. Note, however, that adding an SSH key does not disable password authentication on an existing account; it only provides an additional method of authenticating.
Accounts can be locked so that they are accessible only with SSH keys; this may be done when provisioning cloud-hosted servers for instructors or when supporting GitLab Continuous Integration automation.
How it works
- You must generate an SSH public/private key pair that uniquely identifies you.
- A copy of your public key (the .pub file) is transferred to the remote SSH account you want to use.
- Your private key stays with you, protected on your computer, in your local account, or in your client software.
When you log in to an SSH or SFTP service, you present your login ID and your local private key. The remote service verifies that you hold the private key by using the public key you registered with it, and authenticates you. No password is required.
Security Considerations
- Your private key must stay secret!
- Adding an SSH key does not disable password authentication.
- Enabling a passphrase on your private key greatly enhances its security.
- If you lose your private key or somebody gets a copy of it, anyone can use it if you did not protect it with a passphrase. You must keep your private key secure.
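Keeping the private key secret also means keeping it unreadable by other users of the same machine; OpenSSH refuses to use a key whose file permissions are too open. The following shell function, added here as an example and not part of the original page, makes that check explicit for a key path you pass in. It assumes a POSIX shell with ls and cut, and the demo exercises it on empty constructed files in a temporary directory rather than on a real key.

```shell
#!/bin/sh
# Added example (not from the original page): check that a private key and the
# directory holding it are private to their owner (mode 600 and 700).
# Assumes a POSIX shell with ls and cut; the key path is passed as $1.

# Print the group/other permission bits of a path, e.g. "------" or "r--r--".
# In "ls -ld" output ("-rw-------  1 user group ...") characters 5-10 are the
# group and other permission triplets.
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Return 0 if the key at $1 and its parent directory are private to the owner,
# 1 otherwise, printing each problem found.
check_private_key() {
    key="$1"
    dir=$(dirname "$key")
    rc=0

    if [ ! -f "$key" ]; then
        echo "missing private key: $key"
        return 1
    fi

    if [ "$(group_other_bits "$key")" != "------" ]; then
        echo "private key $key is readable by group/other (want mode 600)"
        rc=1
    fi

    if [ "$(group_other_bits "$dir")" != "------" ]; then
        echo "directory $dir is accessible by group/other (want mode 700)"
        rc=1
    fi

    if [ ! -f "$key.pub" ]; then
        echo "note: no matching public key $key.pub found"
    fi

    return $rc
}

# Demonstration on constructed, empty files in a temporary directory; no real
# keys are touched. Run "check_private_key ~/.ssh/id_rsa" against your own key.
demo() {
    tmp=$(mktemp -d)
    mkdir -m 700 "$tmp/.ssh"
    : > "$tmp/.ssh/id_rsa"
    chmod 600 "$tmp/.ssh/id_rsa"
    : > "$tmp/.ssh/id_rsa.pub"
    check_private_key "$tmp/.ssh/id_rsa" && echo "ok: key is private"
    chmod 644 "$tmp/.ssh/id_rsa"       # simulate a key copied with loose permissions
    check_private_key "$tmp/.ssh/id_rsa" || echo "fix with: chmod 600 $tmp/.ssh/id_rsa"
    rm -rf "$tmp"
}
```

Call demo to see both the passing and the failing case; the function only reports, it does not change permissions, so the fix (chmod 600 on the key, chmod 700 on the directory) stays an explicit step.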
Creating an SSH public/private key pair
STEP 1: Create an SSH key on Linux, Apple or Windows 10
On the local client computer that you will log in from, create an SSH key pair with ssh-keygen.
If you give your new key a unique file name, you can make it single-purpose for logging in to a specific computer (such as an SFTP server). With the default key name (id_rsa), the key is loaded automatically for all connections.
Generating an SSH key from a Linux or Apple command-line terminal
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (~/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): *********
Enter same passphrase again: *********
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
f4:ba:40:56:c8:c6:fd:b3:5b:23:34:57:c4:b1:60:2e *****@*****.local
Your public key is stored in the file id_rsa.pub.
Your private key is stored in id_rsa; keep it secure and don't lose it!
Generating an SSH key from the Windows command line
C:\>ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (C:\Users\<USERNAME>/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): ***********
Enter same passphrase again: ***********
Your identification has been saved in C:\Users\<USERNAME>/.ssh/id_rsa.
Your public key has been saved in C:\Users\<USERNAME>/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:xM2+yY5X2Zhz3g1qfLIXmrPA7lg1HtF3RyYDTcE0y40 <USERNAME>@<HOSTNAME>
STEP 2: Copy the PUBLIC key to the remote SSH/SFTP account you want to use it with.
Your public key is a text string stored in the newly created file with the .pub extension created by the ssh-keygen command. Having a public key visible to others does not compromise your account's security; you could safely email a public key to someone without compromising access to your account.
Note: an authorized_keys file used for SSH key authorization can contain multiple SSH keys, which allows multiple accounts on different login hosts to access the same shared remote account, each with its own SSH key.
The instructions below copy a single SSH key to a remote account. Anyone wanting to use multiple SSH keys on an account will need to append their key to the existing authorized_keys file rather than copying a file containing a single key, which would overwrite any keys already there.
On Linux and Apple client platforms, the generated public key file (id_rsa.pub) is stored by default in the user's home directory as /home/<username>/.ssh/id_rsa.pub and must be copied from there. Note that on Linux/macOS computers, directories whose names start with a period are “hidden” directories and are not shown in GUI file browsers by default.
Manually Copy a Public key from Apple or Linux computers
$ cp ~/.ssh/id_rsa.pub authorized_keys
$ sftp user@remote-host
sftp> cd .ssh
sftp> put authorized_keys
Uploading authorized_keys to /.ssh/authorized_keys
sftp> exit
On Windows client platforms, the contents of the generated public key file (id_rsa.pub) is stored by default in the user profile directory C:\Users\<username>\.ssh\id_rsa.pub and must be copied from there.
Manually Copy Public keys on Windows computers
C:\>copy id_rsa.pub authorized_keys
1 file(s) copied.
C:\>sftp <USERNAME>@remote_host
<USERNAME>@remote_host's password: *********
Connected to <USERNAME>@remote_host.
sftp> cd .ssh
sftp> put authorized_keys
Uploading authorized_keys to /.ssh/authorized_keys
sftp> exit
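The copy-and-put procedure above replaces the remote authorized_keys file with one containing a single key, which is exactly what the note on multiple keys warns about. The following shell functions, added here as an example and not part of the original page, add a public-key line to an authorized_keys file only if that key is not already present, so several people can share one account without removing each other's access. They assume a POSIX shell with awk, grep and chmod, take the authorized_keys path as an explicit argument so they can be exercised on a constructed file, and only recognise plain key lines (options prefixes such as command="..." are not handled).

```shell
#!/bin/sh
# Added example (not from the original page): append a public key to an
# authorized_keys file without overwriting the entries already in it.
# Assumes a POSIX shell with awk, grep, chmod and mkdir.

# Sanity check of one public-key line: a known key type followed by a base64
# blob and an optional comment. Returns 1 for anything else, e.g. a private
# key pasted by mistake. Common types only; lines with an options prefix are
# not recognised.
valid_pubkey_line() {
    case "$1" in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *) ;;
        *) return 1 ;;
    esac
    set -- $1                       # split the line into fields
    printf '%s\n' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Append the key line $1 to the authorized_keys file $2 unless an entry with
# the same key type and key material is already present. Returns 0 when the
# key is present afterwards (added or already there), 1 for a malformed line.
add_authorized_key() {
    keyline="$1"
    authfile="$2"

    if ! valid_pubkey_line "$keyline"; then
        echo "refusing to add malformed public key line" >&2
        return 1
    fi

    # Compare on type + key material only, so a different comment on the same
    # key does not create a duplicate entry.
    keyid=$(printf '%s\n' "$keyline" | awk '{print $1" "$2}')

    sshdir=$(dirname "$authfile")
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$authfile" ] || : > "$authfile"
    chmod 600 "$authfile"           # sshd ignores the file if it is group/world writable

    if awk -v id="$keyid" '($1" "$2)==id {found=1} END {exit !found}' "$authfile"; then
        echo "key already present in $authfile"
        return 0
    fi
    printf '%s\n' "$keyline" >> "$authfile"
    echo "key added to $authfile"
}

# Number of key entries in an authorized_keys file (blank and comment lines excluded).
count_authorized_keys() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1"
}

# Demonstration on a constructed authorized_keys file in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    ak="$tmp/.ssh/authorized_keys"
    # Constructed sample keys (not real key material), one per user of a shared account.
    alice="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHRlc3RrZXltYXRlcmlhbDAwMDAwMDAwMDAwMDAw alice@laptop"
    bob="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDtZXN0a2V5bWF0ZXJpYWw bob@desktop"
    add_authorized_key "$alice" "$ak"
    add_authorized_key "$bob" "$ak"
    add_authorized_key "$alice" "$ak"    # second attempt is a no-op
    echo "entries: $(count_authorized_keys "$ak")"   # both keys survive, unlike after "put"
    rm -rf "$tmp"
}
```

On the remote host the same effect is what "cat id_rsa.pub >> ~/.ssh/authorized_keys" achieves, minus the duplicate and format checks; the functions above are for when you want those checks, or want to prepare the file locally before uploading it.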
Using an SSH-key to Authenticate
SSH Login to remote host using private SSH-key
$ ssh -i ~/.ssh/my_key_file user@remote-host
Enter passphrase for key '/home/user/.ssh/my_key_file': ******
SFTP Login to remote host using private SSH-key
$ sftp -i ~/.ssh/my_key_file user@remote-host
Enter passphrase for key '/home/user/.ssh/my_key_file': *******
sftp>
If your private key has no passphrase, you will not be prompted; otherwise your local SSH client will prompt you for the passphrase before the SSH key is used.
More Information
Tutorial: SSH-Keys with Cyberduck
Tutorial: SSH-Keys with Gnome/Nautilus