78.1 SSH Public Keys
20180422 The recommended secure approach for using
ssh employs a public key. Use
ssh-keygen to create a key (a sequence of bits or
a string of random characters) that consists of a public and a private
part. The private and public keys are stored as
.ssh/id_rsa.pub respectively. It is best to provide a passphrase
to encrypt the file so that it can not be trivially compromised if the
file is shared or accessed by a system administrator. Store the
passphrase in your password manager (see Section
$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/home/kayon/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/kayon/.ssh/id_rsa. Your public key has been saved in /home/kayon/.ssh/id_rsa.pub. The key fingerprint is: cc:50:d4:85:86:56:b8:8a:77:57:61:51:63:89:46:09 kayon@inex
The public key needs to be copied to a remote host, perhaps using ssh-copy-id if password access is enabled:
$ ssh-copy-id email@example.com
This will add the public key to the authorised keys file in
/home/kayon/.ssh/authorized_keys on the remote host. Multiple keys
can appear in the one file. Id the file
writable by anyone other than the user then ssh
will exit without allowing a connection.
On a request for a connection, the remote host will use the public key to encrypt a message (a random number in fact) such that only with the private key can the message be decrypted. The message is sent back to the requesting (local) host and if it is properly decrypted and returned to the remote host for verification, the connection is allowed. A password is never used.
Some remote hosts disable password login through the configuration of
the sshd sever. This will be a problem if the
remote home directory is encrypted at rest. Typically the first login
will need to use the password to login and decrypt the home
directory. Any further logins will use the public key. This is what’s
happening if you see the following in the remote host’s
Oct 10 20:46:29 raz sshd: pam_ecryptfs: Passphrase file wrapped
The passphrase is optional but recommended. If supplied it will be used to unlock your private key whenever you need to use it. The command ssh-agent is useful for managing repeated requests for the passphrase.
There is also a choice of authentication algorithms to use. RSA is generally suggested today and is the default.
When you connect to the remote host using ssh your public key on that host will be used to send an encrypted message (a random number in fact) back to your local host. The local host decrypts the message using the private key stored only on the local host and decrypted using the passphrase (if any). The decrypted message is returned to the remote host for verification.
To reiterate, this method using public keys does not send passwords (or passphrases) over the network. A passphrase (if any) is used on the local host only to unlock the local private key.
Your donation will support ongoing availability and give you access to the PDF version of this book. Desktop Survival Guides include Data Science, GNU/Linux, and MLHub. Books available on Amazon include Data Mining with Rattle and Essentials of Data Science. Popular open source software includes rattle, wajig, and mlhub. Hosted by Togaware, a pioneer of free and open source software since 1984. Copyright © 1995-2021 Graham.Williams@togaware.com Creative Commons Attribution-ShareAlike 4.0