Ssh Keys

SSH-Keys

SSH-keys are an alternate form of identification (alternate to username/password) that can be used to authenticate access to resources that are available over SSH. They can enhance the security of your SSH account in some circumstances, although adding a key does not replace password-based authentication with key-based authentication.

An SSH-Key has security advantages over a username/password: it is not vulnerable to brute-force password attacks, keystroke logging, or simple guessing of poorly chosen passwords. Unfortunately, SSH-Keys do not disable password authentication on existing accounts; they just provide an optional alternative method of authenticating.

How it works

  1. You must generate an SSH public/private key pair that uniquely identifies you.
  2. A copy of your public key is transferred to the SSH service you want to use.
  3. Your private key stays with you and is secured on your computer, in your account or in software.

When you log in to an SSH service, you identify yourself with your login id and your private SSH key. The remote service verifies your credentials using the public key you transferred to it and authenticates you. No password is required to authenticate.

Security Considerations

  1. Your private key must stay secret!
  2. Adding an SSH-key does not disable password authentication.
  3. Enabling a passphrase on your private key greatly enhances its security.
  4. If you lose your private key or somebody gets a copy of it, anyone can use it if it does not have a passphrase on it.

STEP 1: Create an SSH-Key on Linux or Apple (and now Windows 10)

On the client computer that you will be using to log in with, create an ssh-key pair.

If you assign your key a unique file name, you can make it single-purpose for logging in to a specific computer (such as an SFTP server). Otherwise, with the default name (id_rsa), the key will automatically be used for all connections:

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (~/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): *********
Enter same passphrase again: *********
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
f4:ba:40:56:c8:c6:fd:b3:5b:23:34:57:c4:b1:60:2e *****@*****.local
Your public key is stored in the file id_rsa.pub.
Your private key is stored in id_rsa - keep it secured, don't lose it!

STEP 2: Copy the PUBLIC key to the remote SSH server you want to use it with.

For SSH servers, ssh-copy-id will append the key to the remote host's .ssh/authorized_keys.

$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@remote-host
remote-host password: *******

Note: if you want to use an ssh-key with department SFTP servers, you will need to create an authorized_keys file locally from your .pub file, then manually SFTP the authorized_keys file into your .ssh directory and set the file permissions with the chmod command: chmod 600 .ssh/authorized_keys.

If you are using the key for automated sftp file transfers, you may want to create a passphrase-less key so that a passphrase does not need to be hard-coded in automation scripts.

Public keys for SFTP servers

$ cat ~/.ssh/my_key_file.pub > authorized_keys
$ sftp user@remote-host
sftp> cd .ssh
sftp> put authorized_keys
sftp> chmod 600 authorized_keys
sftp> exit

STEP 3: Login to remote host using SSH-key

$ ssh -i ~/.ssh/my_key_file user@remote-host
Enter passphrase for key '/home/user/.ssh/my_key_file':

If your key does not have a passphrase you will not be prompted; otherwise your local SSH client will prompt you for the passphrase before the SSH-key is used.

If you are connecting to an SFTP server, use sftp -i ~/.ssh/my_key_file user@remote-host instead.
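The manual authorized_keys procedure in STEP 2 (build the file from your .pub file, then chmod 600) is easy to get wrong: a truncated paste, the wrong file, or a loose file mode. The following is an added example, not code from the original page, that checks a .pub line before it is uploaded (rejects a pasted private key, bad base64, or a blob whose embedded key type does not match the declared one), writes authorized_keys with mode 0600 and verifies the result. The names pubkey_problem, build_authorized_keys, is_private_to_owner and demo are assumptions of this example, and make_sample_pub_line produces a constructed key for demonstration, not a real one.

```python
import base64
import os
import struct
import tempfile

KNOWN_TYPES = {"ssh-rsa", "ssh-ed25519"}  # the page uses ssh-rsa; ed25519 is the other common type


def pubkey_problem(line):
    """Return what is wrong with an OpenSSH public key line, or None if it is well-formed."""
    if line.lstrip().startswith("-----BEGIN"):
        return "this is a PRIVATE key, not the .pub file; it must never be uploaded"
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] not in KNOWN_TYPES:
        return "expected '<known key type> <base64 blob> [comment]'"
    try:
        raw = base64.b64decode(parts[1], validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return "blob is not valid base64 (truncated or mangled paste?)"
    # The blob starts with a length-prefixed copy of the key type; a mismatch means corruption
    if len(raw) < 4 or raw[4:4 + struct.unpack(">I", raw[:4])[0]] != parts[0].encode():
        return "embedded key type does not match the declared type"


def build_authorized_keys(pub_lines, path):
    """Validate every .pub line, drop duplicate keys, write `path` with mode 0600; return the count."""
    kept = {}  # blob -> line; keeps the first copy of each key and preserves order
    for line in pub_lines:
        if problem := pubkey_problem(line):
            raise ValueError(f"refusing to write {path}: {problem}")
        kept.setdefault(line.split()[1], line.strip())
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write("\n".join(kept.values()) + "\n")
    os.chmod(path, 0o600)  # also tightens a pre-existing file that had a looser mode
    return len(kept)


def is_private_to_owner(path):
    """True if `path` has no group/other permission bits, i.e. what chmod 600 produces."""
    return os.stat(path).st_mode & 0o077 == 0


def make_sample_pub_line(key_type="ssh-ed25519", key_bytes=b"\x00" * 32):
    # Constructed, NOT a real key: a structurally valid public key line for demonstration only.
    raw = struct.pack(">I", len(key_type)) + key_type.encode() + struct.pack(">I", len(key_bytes)) + key_bytes
    return f"{key_type} {base64.b64encode(raw).decode()} user@example.local"


def demo(pub_lines):
    """Write the lines to a temporary authorized_keys; return (keys written, owner-only mode?)."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "authorized_keys")
        return build_authorized_keys(pub_lines, target), is_private_to_owner(target)
```

Run demo([make_sample_pub_line()]) to see (1, True); on a real system, pass the contents of your own .pub file and a real target path instead.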