Posted in Linux Basics

SSH Keys

One thing I want to post about is how insecure our communication can be. Yes, SSH tends to be fairly secure, but it needs help. FTP is horribly insecure, which is why SFTP is the preferred method for file transfer: FTP sends everything in the clear, while SFTP uses the SSH protocol to move files from one location to another. Whether you are working on a Linux server or workstation, sharing files, or anything else, you need to make sure that your connection is secure. This can be done a number of ways, but the preferred method is to use RSA keys, which are easy to create.

So, what are RSA keys, you ask? Great question. Let's see what the experts at Namecheap have to say on this subject.

"An RSA key is a private key based on the RSA algorithm. The private key is used for authentication and a symmetric key exchange during establishment of an SSL/TLS session. It is a part of the public key infrastructure that is generally used in case of SSL certificates." Basically, RSA keys use a public/private key pair to authenticate communications between two devices. The private key should never be shared with anyone, and the public key needs to be added to a file called authorized_keys on each device you connect to.

You can log in to a remote Linux server without entering a password in three simple steps using ssh-keygen and ssh-copy-id, shown below. The ssh-keygen command creates the public and private keys, and ssh-copy-id copies the local host's public key to the remote host's authorized_keys file. ssh-copy-id also sets the proper permissions on the remote host's home directory, ~/.ssh, and ~/.ssh/authorized_keys. You can also copy the public key from one device to another manually if you are more comfortable with that method.

Below, I will show how to use the ssh-keygen command as well as ssh-copy-id.

The first thing needed for a secure communications path is to generate a public and private key pair with the ssh-keygen command on the local device. And don't worry: the pair shown in this demo was generated just for it, and I have since regenerated my keys.

Make sure that you are logged into the server you need to create the keys on.
Enter the following to create an RSA key pair. You can either use the -t switch with rsa or just type ssh-keygen by itself.

ssh-keygen -t rsa

In the following example, I have generated a new RSA key:

[kf4bzt@tim-pc ~]$ ssh-keygen -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/home/kf4bzt/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kf4bzt/.ssh/id_rsa.
Your public key has been saved in /home/kf4bzt/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:EVm/DIwjQJngLKZmkdm6p3SO5aPge300pNBcV7+QkV4 kf4bzt@tim-pc
The key's randomart image is:
+---[RSA 2048]----+
| .ooo .ooo. |
| o+ o. ..= o+E |
|.=o.o o = +oo. |
|o.o. o o o +... |
|.+ . o S o. |
|o . . o |
|.o +. . . |
|+ Oo . . |
| *+o. . |
+----[SHA256]-----+

Now that we have the RSA key pair generated and ready to use, let’s make sure that the public key is on the remote device.

—===—===—===—

[kf4bzt@tim-pc ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub -p 2223 192.168.1.87

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/kf4bzt/.ssh/id_rsa.pub"
The authenticity of host '[192.168.1.87]:2223 ([192.168.1.87]:2223)' can't be established.
ECDSA key fingerprint is SHA256:8n59vxFvO+/FPqqcsEEc3oRrXDvzvftjSmRQJaTTD3Q.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
kf4bzt@192.168.1.87's password:

Number of key(s) added: 1

Note: ssh-copy-id appends the keys to the remote host's .ssh/authorized_keys.

—===—===—===—

Now try logging into the machine, with: "ssh -p '2223' '192.168.1.87'"
and check to make sure that only the key(s) you wanted were added.

[kf4bzt@tim-pc ~]$ ssh -p 2223 192.168.1.87

Welcome to Ubuntu Zesty Zapus (development branch) (GNU/Linux 4.10.0-11-generic i686)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

Ubuntu 12.04 LTS end-of-life is April 25, 2017 — Upgrade your Precise systems!
$ sudo do-release-upgrade -m server

0 packages can be updated.
0 updates are security updates.

Last login: Fri Mar 17 13:29:22 2017 from 209.33.142.3

—===—===—===—

Keep in mind that the first time you log into the device using RSA keys, you will be prompted for your user password. This is because the SSH connection is pulling the fingerprint to make sure that it and the key pair match. After that, you should be logged in via SSH with no password prompt. If you are still getting password prompts, check the permissions on the authorized_keys file and make sure they are set to 0600 and nothing else. This file needs to be locked down.
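For the manual-copy alternative mentioned earlier and the permissions check just described, here is an added example (my own script, not part of the original post or of OpenSSH): it installs a public key into an authorized_keys file the way ssh-copy-id does, skipping keys that are already present, and then audits the modes that sshd insists on. The directory argument is a stand-in for ~/.ssh and the key is a constructed sample, so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into an
# authorized_keys file the way ssh-copy-id does, then audit the permissions
# that sshd insists on. The directory argument is a stand-in for ~/.ssh.

# install_pubkey DIR "ssh-rsa AAAA... comment"
# Appends the key to DIR/authorized_keys unless it is already there.
# Returns 0 when the key was added, 1 when it was already present.
install_pubkey() {
    dir=$1; pubkey=$2; auth="$dir/authorized_keys"
    # ssh-copy-id creates ~/.ssh as 0700 and authorized_keys as 0600.
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    # Match on key type and base64 blob only, so a different trailing
    # comment does not produce a duplicate entry.
    blob=$(printf '%s\n' "$pubkey" | awk '{print $1 " " $2}')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$auth"; then
        return 1
    fi
    printf '%s\n' "$pubkey" >> "$auth"
}

# audit_ssh_dir DIR
# Reports the permission problems that make sshd ignore the key and fall back
# to a password prompt. Returns 0 only when everything is as sshd expects.
audit_ssh_dir() {
    dir=$1; rc=0
    for f in "$dir" "$dir/authorized_keys"; do
        if [ ! -e "$f" ]; then
            echo "missing: $f"; rc=1; continue
        fi
        # GNU stat first, BSD/macOS stat as fallback; both print the octal mode.
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        case $mode in
            *00) ;;   # no group/other bits: what sshd (StrictModes) requires
            *) echo "$f is mode $mode; group/other bits must be cleared"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it against a real account with `install_pubkey "$HOME/.ssh" "$(cat id_rsa.pub)"` on the remote host, then `audit_ssh_dir "$HOME/.ssh"` when a password prompt still appears.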
