
Understanding SSH Keys

What Are SSH Keys?

As opposed to the usual username and password authentication method, you can establish an SSH connection using a method that is known as SSH key-based authentication.

SSH keys are considered an extremely secure way of logging into your device/server, and key-based authentication is often the recommended way to establish SSH connections, as opposed to username and password authentication.

SSH keys come in pairs (private & public). The private key remains a secret on the client (i.e. the computer you use to initiate an SSH connection). This private key is the vital part: anyone who obtains it can log in to your device over SSH, so it must be protected.

Unlike your private key, your public key can be shared freely, because only the matching private key can decrypt messages that were encrypted with it. The public key is uploaded to the device you wish to access via SSH and stored in a specific file within the home directory of the user you wish to log in as.

How a Secure Connection is Formed

When we attempt to log into our device over SSH using key-based authentication, the remote device responds with a message which the SSH client (the computer/laptop we are using to initiate the connection) must encrypt using its locally stored private key.

The client then replies with this encrypted message, which the remote device attempts to decrypt using one of the public keys uploaded during the setup procedure.

If the remote device successfully decrypts the message (i.e. the decrypted message matches the original), the SSH connection is authenticated.

Understanding this connection method really shows how vital it is to safely secure your private SSH key.

Creating a Private & Public Key

It is worth noting at this point that the command to generate a private & public key-pair exists on Linux/Mac computers by default (or at least after installing the OpenSSH libraries). Windows users will need to install a program such as Git and expose its commands on the system path.

The command to generate a key-pair is

> ssh-keygen

Upon entering this in the command prompt/terminal (on the local client), you will be asked to enter a location to save the keys. By default, this command creates two files, id_rsa and id_rsa.pub in the .ssh folder found in the home directory of the currently logged in user. For example:

~/.ssh/id_rsa 

~/.ssh/id_rsa.pub

You can simply press Enter at this point to save in the default location (recommended).

You will then be asked for a passphrase, which encrypts the private key on disk (recommended). If you do not wish to use a passphrase, simply leave it blank and press Enter.

Uploading Your Public Key to Remote Device

Now that we have our private and public key-pair stored on our client, we are ready to upload our public key to the special file which stores all accepted public keys on the remote device. It is important to note that this file lives in the .ssh folder in the home directory of the user you will log in as.

For example, if we want to log in as the user “bob” but we upload our public key to the user “brian”, then we won’t be able to initiate an SSH connection via bob@<remoteIP>, but we would be able to via brian@<remoteIP>.

First, get the contents of your public key (on the local client). This can be done by cat’ing your public key to the terminal via:

> cat ~/.ssh/id_rsa.pub

You will see one very long line of text (key-based authentication is very secure!). Copy the whole of this output.

Now, on your remote device, log into the account of the user you wish to log in as via SSH and append your public key by entering the following in the command prompt:

> echo "your_public_key" >> ~/.ssh/authorized_keys

Where “your_public_key” is the contents of the file you originally copied.

NOTE: You may have to create the .ssh directory first if you have not set this up before. You can do this by entering the following (safe to run even if the directory already exists):

> mkdir -p ~/.ssh
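The upload steps above (copy the key, create ~/.ssh, append to authorized_keys) can be wrapped in one script that also does the checks a bare `echo >>` skips: it refuses input that is not a public key line (for example a private key pasted by mistake), sets the permissions sshd expects, and does not add the same key twice. This is an added example, not code from the original post; it assumes a POSIX shell, takes the key as its first argument, and takes an optional second argument for the home directory (defaulting to $HOME) so it can be tried in a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post: append a public key line to
# ~/.ssh/authorized_keys with the checks a bare "echo >>" omits.
# Assumptions (hypothetical): POSIX sh, the key is passed as the first
# argument, and the target home directory defaults to $HOME unless a
# second argument overrides it (useful for testing in a scratch directory).

# install_pubkey "<public key line>" [home_dir]
# Exit status 0 when the key is present afterwards, 1 when the input is
# not a public key line (for example a private key pasted by mistake).
install_pubkey() {
    key=$1
    home=${2:-$HOME}
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    # Accept only a single OpenSSH public key line: a known key type, a
    # base64 blob, and an optional trailing comment. Anything else, such as
    # "-----BEGIN OPENSSH PRIVATE KEY-----", is refused.
    if ! printf '%s\n' "$key" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'
    then
        echo "refusing: input is not an OpenSSH public key line" >&2
        return 1
    fi

    # Create ~/.ssh if needed and lock down permissions. sshd's StrictModes
    # setting (on by default) ignores authorized_keys when the directory or
    # file is writable by other users, so a loose mode silently breaks login.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # Skip keys that are already present so repeated runs add no duplicates.
    if grep -Fxq -- "$key" "$authfile"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$authfile"
}
```

Usage on the remote device would be `install_pubkey "$(cat /path/to/copied/id_rsa.pub)"`; the permission step matters because sshd's StrictModes check (on by default) refuses to read an authorized_keys file whose directory or file is group- or world-writable, which shows up only as an unexplained fallback to password authentication.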

Log in via Key-based SSH

With your public key uploaded to the remote device, we can now go back to our local client and attempt to initiate a key-based SSH connection by entering the following:

> ssh username@<remoteIP>

If you entered a passphrase for your private key file, you will be prompted to enter that passphrase now. Otherwise your connection will be established.

If you wish to disable password authentication (i.e. the less secure authentication method), you can do so by entering the following on the remote device:

> sudo nano /etc/ssh/sshd_config

Ensure the following line exists and is not commented out (i.e. not preceded by a # symbol):

PasswordAuthentication no

Finally, press Ctrl + X to exit the file and “Y” to confirm the changes.

You will then need to restart the machine.
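One thing to check after editing sshd_config: sshd_config(5) states that for each keyword the first value obtained is used, so a `PasswordAuthentication no` line added near the bottom of the file does nothing if an earlier uncommented line (or, on distributions whose stock config begins with an Include of /etc/ssh/sshd_config.d/*.conf, a drop-in file read before it) already says `yes`. The following is an added example, not code from the original post: a small parser that applies that first-wins rule to a single config file so the trap is visible on a constructed sample. It assumes a POSIX shell with awk, does not follow Include directives, and stops at the first Match block because settings there apply only to matching connections.

```shell
#!/bin/sh
# Added example, not from the original post: report the value sshd will
# actually use for a keyword, applying the rule documented in sshd_config(5)
# that for each keyword the first value obtained wins and later duplicates
# are ignored. Settings inside a "Match" block apply only to matching
# connections, so parsing stops at the first Match line. Include directives
# are not followed here (assumption: a single file); "sshd -T" is the
# authoritative check on a real host.

# sshd_effective KEYWORD DEFAULT FILE -> prints the effective value
sshd_effective() {
    awk -v kw="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" -v def="$2" '
        { sub(/#.*/, "") }                  # strip comments, so a commented-out line is ignored
        NF == 0 { next }                    # blank or comment-only line
        tolower($1) == "match" { exit }     # end of the global section
        tolower($1) == kw { print $2; found = 1; exit }   # first occurrence wins
        END { if (!found) print def }       # keyword never set: compiled-in default
    ' "$3"
}

# Constructed sample (not a real host's config). Note the trap: an admin
# who adds "PasswordAuthentication no" at the bottom of this file has changed
# nothing, because the earlier "yes" line is the one sshd honours.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
#PasswordAuthentication no
PasswordAuthentication no
Match User deploy
    PasswordAuthentication no
EOF
sshd_effective PasswordAuthentication yes "$sample"   # prints "yes"
rm -f "$sample"
```

On a real host the authoritative check is `sudo sshd -T | grep -i passwordauthentication`, which prints the effective value after all Include files are processed; `sudo sshd -t` validates the syntax before you apply it. Restarting the SSH service (`systemctl restart ssh` on Debian/Ubuntu, `sshd` on most other distributions) also picks up the new configuration without rebooting the whole machine.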

Published by

Nick

Nick Cullen is a software developer living in South Wales, UK. He is primarily focused around coding in C++ and C# and loves tinkering with new programming languages and technologies. A key technological interest of his is Raspberry Pi development, which he has helped pioneer a unique product commercially using a Pi and programming the software in C++.
