
Using Key-based SSH Authentication

If you use Git over SSH or remote terminal sessions a lot, consider using key-based authentication. It is generally considered more secure than password-based authentication: the private key never leaves your machine, nothing guessable is sent over the network, and an attacker cannot brute-force it the way a password can.

In key-based authentication, two key files are used. One is the public key; it may be handed to any party that should be able to verify you (a server, a Git hosting service, a colleague), since it cannot be used to impersonate you. The other is the private key; it must be kept secret, because anyone who holds it can log in as you wherever the public key is installed.

A Unix-like machine and some command-line familiarity is assumed.

Generating an SSH key-pair

Open up the terminal. Check if you already have existing SSH keys.

% ls -l ~/.ssh/

No such file or directory? Create the folder.

% mkdir -p ~/.ssh

No id_rsa and id_rsa.pub files (or id_ed25519 and id_ed25519.pub)? Create them with ssh-keygen. Don't overwrite them if they already exist: a key that is already installed on servers becomes useless the moment you replace it.

ssh-keygen [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] [-C comment]

We will use the rsa algorithm with a 4096-bit key size, which is considered secure at the time of writing. Elliptic-curve keys (ed25519, or ecdsa) are shorter and faster, and ed25519 is the recommended default on current OpenSSH, but very old servers and some appliances do not support them. dsa and rsa1 (SSH protocol 1) are obsolete, disabled or removed in current OpenSSH releases, and should not be used. Do set a passphrase: it encrypts the private key on disk, so a copied or stolen key file is useless to the thief until they also crack the passphrase. Use ssh-agent if you do not want to type it for every connection.

% ssh-keygen -t rsa -b 4096 -C "username@mypc"
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/username/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/username/.ssh/id_rsa.
Your public key has been saved in /Users/username/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:tlPZOaK+RZP9E6xLDbDreiSTOIhWQN8btT6Px/3nW5I username@mypc
The key's randomart image is:
+---[RSA 4096]----+
| ..     .        |
|  .. . . .       |
|   .. o . .      |
|    .  +   B o   |
|   o ...S.O * o  |
|  o . o.+X.= * o |
| .     .=+* + E .|
|       . =.. o oo|
|        ++. . .+o|
+----[SHA256]-----+

Finally, set the permissions right. Only the owner may read and write the keys and only the owner may list the contents of the .ssh directory. This is not optional: ssh refuses to use a private key that other users can read (it reports "UNPROTECTED PRIVATE KEY FILE" and ignores the key). The public key itself may be world-readable; 600 for everything in the directory is simply a safe default.

% chmod 700 ~/.ssh
% chmod 600 ~/.ssh/*

Enabling key-based authentication on a remote server

Choose the easy or the manual way.

a. Easy, using ssh-copy-id

Just run (add -i with the path to a specific .pub file if you have more than one key):

% ssh-copy-id remoteuser@remote.server.net

You will be asked for the remote password one last time; afterwards the login should succeed without it. Older macOS releases did not ship the tool; if it is missing, install it with Homebrew:

% brew install ssh-copy-id

b. Manually

Print your public key:

% cat ~/.ssh/id_rsa.pub

Never copy the private key file, the one whose contents begin with -----BEGIN RSA PRIVATE KEY----- (or -----BEGIN OPENSSH PRIVATE KEY----- with newer ssh-keygen versions).

Copy the contents to your clipboard.

Log in to your remote server using SSH or another remote access method. Assuming you're in a terminal on the server now, check the .ssh folder:

% ls -l ~/.ssh

No such file or directory? Create the folder.

% mkdir -p ~/.ssh

Open or create the authorized_keys file:

% nano ~/.ssh/authorized_keys

Paste the public key on its own line (one key per line, and a new line if the file is not empty). Save the file.

Finally, set the permissions right. Only the owner may read and write the files and only the owner may list the contents of the .ssh directory. With the default StrictModes setting, sshd silently ignores authorized_keys when that file, the .ssh directory or your home directory is writable by group or others, so a wrong mode here is the most common reason a freshly installed key "does not work". Before you close this session, test the key from a second terminal so a mistake cannot lock you out.

% chmod 700 ~/.ssh
% chmod 600 ~/.ssh/*
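The whole procedure (key generation without overwriting, installing the public key, the permission check and a key-only login test) as one small POSIX shell script. This is an added example, not code from the original post: the function names, the placeholder host remoteuser@remote.server.net and the ed25519 key file name are assumptions, and the private-key pattern check is a convenience, not something ssh-keygen or ssh-copy-id do.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and the host
# in the usage comments are placeholders; adjust paths to your setup.
set -u

# generate_key_if_missing [KEYFILE]
# Creates an ed25519 key pair (passphrase prompted by ssh-keygen) only when
# no key file exists yet, so an installed key is never overwritten.
# -a 64 raises the KDF rounds that protect the passphrase on disk.
generate_key_if_missing() {
    keyfile=${1:-"$HOME/.ssh/id_ed25519"}
    if [ -e "$keyfile" ]; then
        echo "keeping existing $keyfile" >&2
        return 0
    fi
    mkdir -p "$(dirname "$keyfile")"
    chmod 700 "$(dirname "$keyfile")"
    ssh-keygen -t ed25519 -a 64 -C "$(id -un)@$(hostname)" -f "$keyfile"
}

# install_pubkey PUBKEY_LINE [AUTHORIZED_KEYS]
# Appends one plain public-key line to authorized_keys unless that exact
# line is already there, and sets the modes sshd's StrictModes requires
# (directory 700, file 600). Refuses anything that looks like a private key.
install_pubkey() {
    pubkey=$1
    authkeys=${2:-"$HOME/.ssh/authorized_keys"}
    sshdir=$(dirname "$authkeys")

    case $pubkey in
        *"PRIVATE KEY"*) echo "refusing to install a private key" >&2; return 2 ;;
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*|sk-*) ;;   # accepted key types
        *) echo "not a public key line: $pubkey" >&2; return 2 ;;
    esac

    mkdir -p "$sshdir"
    touch "$authkeys"
    # -x: whole-line match, -F: literal (key material contains '+' and '/')
    if ! grep -qxF "$pubkey" "$authkeys"; then
        printf '%s\n' "$pubkey" >> "$authkeys"
    fi
    chmod 700 "$sshdir"
    chmod 600 "$authkeys"
}

# check_ssh_perms [SSH_DIR]
# Returns 0 when the directory is exactly 700 and every private key
# (id_* without .pub) and authorized_keys is exactly 600; otherwise prints
# each offending path and returns 1. find -perm MODE without a prefix is
# an exact match on both GNU and BSD find.
check_ssh_perms() {
    sshdir=${1:-"$HOME/.ssh"}
    rc=0
    if [ -z "$(find "$sshdir" -prune -perm 700)" ]; then
        echo "$sshdir is not mode 700" >&2; rc=1
    fi
    for f in "$sshdir"/id_* "$sshdir"/authorized_keys; do
        [ -e "$f" ] || continue
        case $f in *.pub) continue ;; esac
        if [ -z "$(find "$f" -prune -perm 600)" ]; then
            echo "$f is not mode 600" >&2; rc=1
        fi
    done
    return $rc
}

# verify_key_login USER@HOST
# Non-interactive login that can only succeed with the key: BatchMode
# suppresses prompts and the two =no options remove the password fallback,
# so a failure here means the key was not accepted (wrong modes, wrong file,
# or sshd configuration), not that you mistyped a password.
verify_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no \
        -o KbdInteractiveAuthentication=no "$1" true
}

# Usage on the client, then on the server (uncomment to run):
# generate_key_if_missing
# check_ssh_perms
# install_pubkey "$(cat ~/.ssh/id_ed25519.pub)"   # run this one on the server
# verify_key_login remoteuser@remote.server.net   # from a second terminal
```

Run verify_key_login from a second terminal while the first session is still open; if it fails, check_ssh_perms on the server is the first thing to run.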