78.1 SSH Public Keys

20180422 The recommended secure approach for using ssh employs a public key. Use ssh-keygen to create a key (a sequence of bits or a string of random characters) that consists of a public and a private part. The private and public keys are stored as .ssh/id_rsa and .ssh/id_rsa.pub respectively. It is best to provide a passphrase to encrypt the file so that it can not be trivially compromised if the file is shared or accessed by a system administrator. Store the passphrase in your password manager (see Section 76.1).

$ ssh-keygen

Generating public/private rsa key pair. 
Enter file in which to save the key (/home/kayon/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kayon/.ssh/id_rsa. 
Your public key has been saved in /home/kayon/.ssh/id_rsa.pub. 
The key fingerprint is:
cc:50:d4:85:86:56:b8:8a:77:57:61:51:63:89:46:09 kayon@inex

The public key needs to be copied to a remote host, perhaps using ssh-copy-id if password access is enabled:

$ ssh-copy-id kayon@alpine.togaware.com

This will add the public key to the authorised keys file in /home/kayon/.ssh/authorized_keys on the remote host. Multiple keys can appear in the one file. Id the file ~/.ssh/authorized_keys is writable by anyone other than the user then ssh will exit without allowing a connection.

On a request for a connection, the remote host will use the public key to encrypt a message (a random number in fact) such that only with the private key can the message be decrypted. The message is sent back to the requesting (local) host and if it is properly decrypted and returned to the remote host for verification, the connection is allowed. A password is never used.

Some remote hosts disable password login through the configuration of the sshd sever.

The passphrase is optional but if supplied it will be used to unlock your private key whenever you need to use it. The command ssh-agent will be useful to manage repeated requests for the passphrase.

There is also a choice of authentication algorithms to use. RSA is generally suggested today and is the default.

When you connect to the remote host using ssh your public key on that host will be used to send an encrypted message (a random number in fact) back to your local host. The local host decrypts the message using the private key stored only on the local host and decrypted using the passphrase (if any). The decrypted message is returned to the remote host for verification.

To reiterate, this method using public keys does not send passwords (or passphrases) over the network. A passphrase (if any) is used on the local host only to unlock the local private key.



Your donation will support ongoing availability and give you access to the PDF version of the book. Desktop Survival Guides include Data Science, GNU/Linux, and MLHub. Books available on Amazon include Data Mining with Rattle and Essentials of Data Science. Popular open source software includes rattle, wajig, and mlhub. Hosted by Togaware, a pioneer of free and open source software since 1984. Copyright © 1995-2021 Graham.Williams@togaware.com Creative Commons Attribution-ShareAlike 4.0.