Using SSH Keys for Authentication

by Ken Gribble

This document may be found at: 

http://goo.gl/LCSGn

Overview

SSH can use public key cryptography to authenticate users to remote computer systems. There are many documents on how to use SSH keys for this purpose, but few boil the procedure down, so this document tries to give a short, correct set of instructions for key-based authentication.

The document assumes that you have installed and are using OpenSSH, but most other SSH clients follow similar steps.

Key Pair Generation

Generate an SSH public/private key pair on a UNIX, Linux or Mac OS X machine with the ssh-keygen command. The comment field (-C) is only a label: it is copied into authorized_keys files and agent listings and helps administrators tell your key apart from others, but it is not authenticated, so use something stable such as your e-mail address.

The passphrase you give ssh-keygen should be long and strong. It encrypts the private key on disk, so if the key file is ever copied off your machine, the passphrase is the only thing standing between the thief and your accounts.

The example below uses a 4096-bit RSA key, which is fine. On current OpenSSH releases, -t ed25519 gives a smaller, faster key that is at least as strong, and the rest of this document applies to it unchanged.

In this example, change id_rsa_FirstnameLastname to use your First Name, and Last Name. If your name was John Doe, it would be id_rsa_JohnDoe, for example.

Here is how to generate the keys:

$ cd ~/.ssh && ssh-keygen -t rsa -b 4096 -C 'user@email.address.com' -f id_rsa_FirstnameLastname

(If ~/.ssh does not exist yet, create it first with mkdir and give it mode 700, as described under Troubleshooting, below.)

This creates two files, id_rsa_FirstnameLastname and id_rsa_FirstnameLastname.pub. The second one, with the .pub suffix, is the public key. This is the file you hand to the administrator of a remote server, or install on it yourself.

The other key is a private key, to be kept secret and safe. Do not give this key to anyone.

When asked for your SSH key, always give the public key, the one that ends in .pub, in our example: id_rsa_FirstnameLastname.pub.

If the machine your private key resides on is compromised, or you suspect the key file has been copied, treat the key as stolen: remove its public key from the authorized_keys file of every server it was installed on, generate a new pair with a new strong passphrase, and install the new public key. Changing the passphrase on the old key does not help, because the copy the attacker holds is still protected only by the old passphrase, which can be attacked offline at leisure.

It is good practice to change the passphrase on a key about once a year. This re-encrypts the private key on disk; the public key, and therefore the authorized_keys entries on remote servers, do not change. The command is:

$ ssh-keygen -p -f id_rsa_FirstnameLastname
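The whole key-generation and passphrase-rotation procedure above, run non-interactively so it can be scripted, as an added example that is not part of the original document. The directory, comment and passphrases used in demo() are made up for the example; the ssh-keygen options (-N for the new passphrase, -P for the old one, -y to print the public key derived from a private key) are standard OpenSSH:

```shell
#!/bin/sh
# Added example, not from the original page: generate a passphrase-protected
# key pair without prompts, rotate the passphrase, and confirm the private key
# still matches the .pub file. The directory, comment and passphrases used in
# demo() are made up for the example.
set -u

# Generate the pair $1 and $1.pub with comment $2 and passphrase $3.
gen_key() {
    # -q drops the randomart banner; -N supplies the passphrase non-interactively.
    ssh-keygen -q -t rsa -b 4096 -C "$2" -N "$3" -f "$1" || return 1
    chmod 600 "$1"          # ssh refuses to use a private key readable by others
}

# Re-encrypt private key $1 under a new passphrase: $2 is the old one, $3 the new.
rotate_passphrase() {
    ssh-keygen -q -p -P "$2" -N "$3" -f "$1" >/dev/null
}

# Return 0 if private key $1, unlocked with passphrase $2, matches $1.pub.
# Only the key type and key material are compared; the comment is ignored.
verify_pair() {
    derived=$(ssh-keygen -y -P "$2" -f "$1" 2>/dev/null | cut -d' ' -f1-2)
    stored=$(cut -d' ' -f1-2 "$1.pub")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# Walk through the procedure in a throwaway directory; returns 0 on success.
demo() {
    dir=$(mktemp -d) || return 1
    key="$dir/id_rsa_JohnDoe"
    old='correct horse battery staple'
    new='an even longer replacement passphrase'
    gen_key "$key" 'jdoe@example.edu' "$old" || { rm -rf "$dir"; return 1; }
    rotate_passphrase "$key" "$old" "$new" || { rm -rf "$dir"; return 1; }
    # After rotation the old passphrase must fail and the new one must match .pub.
    if verify_pair "$key" "$old"; then rm -rf "$dir"; return 1; fi
    verify_pair "$key" "$new"; rc=$?
    rm -rf "$dir"
    return $rc
}
```

verify_pair is also a handy check after restoring a key from backup: if the public key derived with -y does not match the stored .pub, the two files belong to different pairs and the key will never authenticate.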

Modify your ~/.ssh/config file

Add these lines to the bottom of your ~/.ssh/config file, or create a ~/.ssh/config file (mode 600) with this in it:

Host hostname.cs.ucdavis.edu hostname
        User your_account_name
        Hostname hostname.cs.ucdavis.edu
        IdentitiesOnly yes
        IdentityFile ~/.ssh/id_rsa_FirstnameLastname

The Host line lists the names you will type on the command line (here the full name and a short alias); Hostname is the name ssh actually connects to.

Note: This document is suggesting you use a different key for each server you connect to. That way, if one key is stolen, only the server it was installed on is exposed; the attacker has to obtain and break every other key separately. If you use a different key for each server, your ~/.ssh/config file needs a "Host" block for each server you make a key for (as shown above). "IdentitiesOnly yes" matters here: without it, ssh offers every key it knows about (including all keys loaded in ssh-agent) to every server, which reveals your other public keys to each server and can exhaust the server's MaxAuthTries limit before the right key is tried.

Some environments require one key to identify a person on many machines. In that case you can use a wildcard in your ~/.ssh/config file for the domains used in that environment. In this example, a connection to any machine in the cs.ucdavis.edu domain, with any username, will offer only the key named by "IdentityFile":

Host *.cs.ucdavis.edu
        IdentitiesOnly yes
        IdentityFile ~/.ssh/id_rsa_FirstnameLastname

Placing Keys on Remote Server

Once the public SSH key is properly placed on a remote server, the user can log in using that key and the passphrase that unlocks the private key.


If a system has the ssh-copy-id command, use it to place the public key on a remote server; it also creates ~/.ssh and authorized_keys on the server with safe permissions if they are missing. Run this command and supply your password for the remote account when prompted:

$ ssh-copy-id -i id_rsa_FirstnameLastname.pub user@remoteserver.domain.edu

If ssh-copy-id isn't available, pipe the public key over an ssh session and append it to authorized_keys on the remote server, creating the directory and file with the right permissions if needed:

$ cat id_rsa_FirstnameLastname.pub | ssh user@remoteserver.domain.edu 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'

Test that the key is in place by logging into the remote server with that particular user account. You should be asked for the passphrase of the key pair you installed (or for nothing at all, if the key is already loaded in ssh-agent). If you are asked for your regular account password instead, the key was not accepted; adding -o PasswordAuthentication=no to the ssh command makes this unambiguous, because ssh then fails outright rather than falling back to a password. See Troubleshooting, below.
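The append-to-authorized_keys step above works, but run twice it installs the same key twice, and it never checks that what it appends is actually a public key. Here is an idempotent version of that step as an added example (not code from the original document). It operates on a local directory standing in for the remote ~/.ssh, which is exactly what the remote side of the ssh pipe does; the key lines used in demo() are constructed for the example and are not real keys. Lines carrying authorized_keys options (from=, command=, ...) and the sk- security-key types are not recognised by the format check:

```shell
#!/bin/sh
# Added example, not from the original page: install a public key into an
# authorized_keys file idempotently, with the directory and file permissions
# sshd's StrictModes expects. The key lines in demo() are constructed samples,
# not real keys.
set -u

# Return 0 if $1 looks like a single OpenSSH public-key line (type, base64
# key material, optional comment). Option-prefixed lines are not handled.
looks_like_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=* ?.*$'
}

# Append public key line $1 to $2/authorized_keys unless the same key material
# (type + base64, comment ignored) is already present. Returns 0 when the key
# is present afterwards (added or already there), 1 on a malformed key.
install_authorized_key() {
    line=$1; sshdir=$2
    looks_like_pubkey "$line" || { echo "not a public key line: $line" >&2; return 1; }
    material=$(printf '%s\n' "$line" | cut -d' ' -f1-2)
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$sshdir/authorized_keys" && chmod 600 "$sshdir/authorized_keys" || return 1
    if cut -d' ' -f1-2 "$sshdir/authorized_keys" | grep -Fqx "$material"; then
        return 0                      # already installed: do not add a duplicate
    fi
    printf '%s\n' "$line" >> "$sshdir/authorized_keys"
}

# Count key lines in $1/authorized_keys (blank and comment lines ignored).
count_keys() {
    grep -Ec '^[^#[:space:]]' "$1/authorized_keys"
}

# Demo: install the same constructed key twice into a scratch directory that
# stands in for the remote ~/.ssh, and print how many keys ended up in the file.
demo() {
    dir=$(mktemp -d) || return 1
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL0000000000000000000000 jdoe@example.edu'
    install_authorized_key "$key" "$dir/.ssh" || { rm -rf "$dir"; return 1; }
    install_authorized_key "$key" "$dir/.ssh" || { rm -rf "$dir"; return 1; }
    n=$(count_keys "$dir/.ssh")
    rm -rf "$dir"
    echo "$n"                         # expected: 1
}
```

To use it against a real server, send the function and a call to it through ssh the same way the page does with cat, e.g. ssh user@host 'sh -s' < install-script.sh, after adding the key line to the script; the permissions it sets are the ones sshd's StrictModes option (on by default) insists on before it will read authorized_keys at all.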

Managing SSH Keys with ssh-agent

The ssh-agent program, which comes with OpenSSH, holds decrypted private keys used for public key authentication, so you type a key's passphrase once per session (when you add the key with ssh-add) rather than once per connection. It is started in an X session or a login session, and all other windows or programs are started as clients of the ssh-agent program. Keys added with a lifetime (ssh-add -t) are forgotten by the agent automatically when it expires. Do not enable agent forwarding (ForwardAgent) to hosts you do not fully trust: anyone with root on a forwarded-to host can use your agent to authenticate as you to every server that trusts those keys.

Another tool that should be considered is Keychain. Keychain is a frontend to ssh-agent and ssh-add. It is compatible with many operating systems, including AIX, *BSD, Cygwin, MacOS X, Linux, HP/UX, Tru64 UNIX, IRIX, Solaris and GNU Hurd.

Mac OS X can store a key's passphrase in the login keychain so that ssh-add does not prompt for it again: older releases use ssh-add -K, and macOS Monterey and later use ssh-add --apple-use-keychain. The Keychain Access application itself does not manage SSH keys.
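The ssh-agent session described above, from start to shutdown, as an added example that is not part of the original document: a private agent is started, a key is loaded with a lifetime so the agent drops it by itself, the agent's contents are listed before and after the lifetime passes, and the agent is killed. demo() generates a throwaway ed25519 key with an empty passphrase purely so it can run unattended; a real key has a passphrase, which ssh-add asks for once when the key is added. The scratch directory and key name are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: run a private ssh-agent, load a
# key with a lifetime (-t) so the agent forgets it automatically, list what
# the agent holds, and shut the agent down. The throwaway key in demo() has an
# empty passphrase only so the example runs without a prompt.
set -u

# Start an agent and export SSH_AUTH_SOCK and SSH_AGENT_PID into this shell.
start_agent() {
    eval "$(ssh-agent -s)" >/dev/null
}

# Load private key $1 into the agent for $2 seconds; after that it is dropped.
add_key_for() {
    ssh-add -t "$2" "$1" >/dev/null 2>&1
}

# Number of identities the agent currently holds (0 when it is empty).
# Each identity line from ssh-add -l starts with the key size in bits.
agent_key_count() {
    ssh-add -l 2>/dev/null | grep -c '^[0-9]'
}

# Kill the agent started by start_agent (uses SSH_AGENT_PID from the eval).
stop_agent() {
    ssh-agent -k >/dev/null 2>&1
}

# Walk through the sequence; prints "<count after add> <count after expiry>".
demo() {
    dir=$(mktemp -d) || return 1
    key="$dir/id_ed25519_demo"
    ssh-keygen -q -t ed25519 -N '' -C 'agent demo' -f "$key" || { rm -rf "$dir"; return 1; }
    start_agent || { rm -rf "$dir"; return 1; }
    add_key_for "$key" 2 || { stop_agent; rm -rf "$dir"; return 1; }
    loaded=$(agent_key_count)
    sleep 3                         # lifetime passes; the agent reaps the key
    expired=$(agent_key_count)
    stop_agent
    rm -rf "$dir"
    echo "$loaded $expired"         # expected: 1 0
}
```

In daily use the lifetime is the interesting knob: ssh-add -t 8h on a laptop means a key left in the agent overnight is unusable by the morning, which limits what an attacker with access to the agent socket can do.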

Troubleshooting

Permissions

OpenSSH checks file permissions before it will use keys. On the server, sshd (with the default StrictModes yes) ignores authorized_keys if it, the ~/.ssh directory, or your home directory is writable by group or others; on the client, ssh refuses to use a private key that anyone but its owner can read and prints an "UNPROTECTED PRIVATE KEY FILE" warning. The correct permissions are owner-only, so set them with:

$ chmod 700 ~/.ssh

$ chmod 600 ~/.ssh/authorized_keys

Private key files (the ones without .pub) must also be mode 600. Public key files may stay world-readable.
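A small audit of a ~/.ssh directory for the permission problems just described, as an added example that is not part of the original document. It reads the mode string from ls rather than using stat, so it runs the same way on GNU and BSD userland; .pub files are skipped because they are meant to be readable. The scratch directory and file names in demo() are constructed for the example and hold no real keys:

```shell
#!/bin/sh
# Added example, not from the original page: report entries under an ~/.ssh
# directory that are readable or writable by group or others. Uses the ls
# mode string, so it runs the same way on GNU and BSD userland.
set -u

# Print the 10-character mode string for $1, e.g. drwx------ or -rw-r--r--.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 if $1 has no group or other permission bits set.
owner_only() {
    case "$(mode_of "$1")" in
        ????------) return 0 ;;     # chars 5-10 are the group/other bits
        *) return 1 ;;
    esac
}

# Print "<mode> <path>" for the directory $1 and every entry directly under it
# that is not owner-only, skipping *.pub. Returns 0 when nothing is found.
audit_ssh_dir() {
    dir=$1; found=0
    for p in "$dir" "$dir"/*; do
        [ -e "$p" ] || continue             # unexpanded glob on an empty dir
        case "$p" in *.pub) continue ;; esac
        if ! owner_only "$p"; then
            printf '%s %s\n' "$(mode_of "$p")" "$p"; found=1
        fi
    done
    return $found
}

# Demo on a scratch directory with one correctly protected private key, one
# that is world-readable, and a public key (constructed; no real key material).
demo() {
    dir=$(mktemp -d)/.ssh
    mkdir -p "$dir" && chmod 700 "$dir"
    printf 'not a real key\n' > "$dir/id_rsa_good"; chmod 600 "$dir/id_rsa_good"
    printf 'not a real key\n' > "$dir/id_rsa_bad";  chmod 644 "$dir/id_rsa_bad"
    printf 'ssh-rsa AAAA example\n' > "$dir/id_rsa_good.pub"; chmod 644 "$dir/id_rsa_good.pub"
    audit_ssh_dir "$dir" | sed "s|$dir/||"   # expected: -rw-r--r-- id_rsa_bad
    rm -rf "$(dirname "$dir")"
}
```

Run audit_ssh_dir "$HOME/.ssh" on both the client and the server side when key login falls back to a password; the listed entries are the ones to chmod. The home directory itself is checked by sshd as well, so if the audit is clean also confirm $HOME is not group- or world-writable.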

SSH debugging

Try using the ssh command line option "-v" (or "-vv" / "-vvv" for more detail) to get verbose information about what is happening: which config blocks matched, which keys were offered, and which the server declined. If you also administer the server, its sshd log (auth.log or the system journal) states why a key or authorized_keys file was rejected, which is usually a permissions problem. For example:

$ ssh -v myacct@myhost.myschool.edu

Further Reading

https://help.ubuntu.com/community/QuickTips See Tip #3
