SSH Keys
Using SSH Keys to Increase Security
You use ssh (Secure Shell) to log in to our server. Your username and password are used to authenticate your login. You also use scp to copy files up to (or down from) the server using a similar authentication method.
There are some problems with this system, including:
- It's a pain to authenticate to the server every time, especially if you're using a good (ie. long and complicated) password.
- You can't automate anything with this system because every time something happens, you have to be present to type in your password.
Let's see how we can set things up so that your computer and the server can more easily and more securely communicate.
By the time we get done you'll be able to automatically log in to the server and create automated backups of your work!
Orientation
You're going to be creating a pair of keys, one that will be public and one that will be private. In this process, your own computer will be called the client or local machine, as opposed to the server.
The process that we'll be developing is hardware based, so if you want to log on to the server using a different computer, you'll have to use the old password-based system.
These instructions apply to Linux and Apple machines. They *may* work on a Windows 10 machine depending on your software installation.
Generating an SSH key pair
- Open up a Terminal on your local machine.
- Type
ssh-keygen -b 4096and press Enter. You'll see the following output:$ ssh-keygen -b 4096 Generating public/private rsa key pair. Enter file in which to save the key (/Users/rwhite/.ssh/id_rsa):Because this is probably the first SSH keypair you have generated, just hit Enter to accept this default location and keyname. If you already have ssh keys there, give these a different name, such asid2_rsa.) - You'll now be asked to enter a passphrase for the key:
Enter passphrase (empty for no passphrase):
Because we want to be able to automate a process, just hit Enter again to indicate an empty passphrase.Enter same passphrase again:
Then hit Enter again.Your identification has been saved in /Users/rwhite/.ssh/id_rsa. Your public key has been saved in /Users/rwhite/.ssh/id_rsa.pub. The key fingerprint is: SHA256:0783ZuBK8cYLDUkn1YWJ0aC+SB/188cQAFOyuidFAMY rwhite@Ligne2.local The key's randomart image is: +---[RSA 4096]----+ | .o.. +o** +.| | .E . *..= | | * o . | | * = . . | | S O + | | . * X. = | | + *.*. +| | + o.o= .| | ..o+ . | +----[SHA256]-----+You now have a pair of SSH keys stored on your computer! Let's go take a look at them. - In the Terminal:
Copying your Public Key to the Server
The pair of keys that have just been created in that .ssh directory, id_rsa and id_rsa.pub, are what will be used by your client computer and the server to authenticate you. Your private key--id_rsa--will remain on your computer where it won't be shared with anyone. Your public key, id_rsa.pub, we're going to copy over to the server. This key, as its .pub extension suggests, is meant to be distributed to the wider world, and we need to copy it onto the server into a specific file called authorized_keys.
- In the Terminal, move to the directory where your keys are located.
$ cd ~/.ssh/
- Use
catto display your public key in the Terminal:$ cat id_rsa.pub ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDTZhC+vojOH9FkwFh6A9Vl0aJ4yzfmM+QD8FlSKg . . . F4QdVHdAoQhPxN2H4tdsy2JSn2Xxln6ikGCGio2mPPeurnrop40UrZg4Bv1yskxzKl9YrEzpLXdAxirCgNSSAIxwW8/HPDrZeJ9myMezfan746XlOZCAQR6MwvR67MgFw== rwhite@Ligne2.local - Select and copy the contents of this public key into your clipboard using Command-c or control-c or control-shift-c, depending on your computer.
- Log on to the server using your username and password.
$ ssh username@crashwhite.polytechnic.org Password:
- Now that we're logged onto the server, we need to make sure that we have an
.sshdirectory there.$ ls -a ~/
If a directory
.sshalready exists, that's fine. If not, we can make one:$ mkdir .ssh
- We need to place the public key, which has been copied onto our clipboard, in a file called
authorized_keys, but we don't want to replace any keys that might already be there. Use this command, pasting your clipboard contents where it says "PastePublicKeyHere".$ echo PastePublicKeyHere >> ~/.ssh/authorized_keys
- Finally let's make sure that the permissions on this directory are such that only the user has access. The following command removes
groupandotheraccess.$ chmod 700 ~/.ssh/ $ chmod 600 ~/.ssh/authorized_keys
Test the System
To confirm that the system works as it should:
- Log out of the server.
$ exit Connection to crashwhite.polytechnic.org closed.
- Try logging in using
ssh:$ ssh username@crashwhite.polytechnic.org
The terminal should log you in without asking you to enter your password, instead using your private and public keys to authenticate you.
What Can I Do Now?
There are a number of practical applications, now that you have SSH key-pair authentication set up.
- Streamlined login to the server
Obviously it's easier to log on to the server now usingssh. - Streamlined uploading of files
Thescpcommand that is used to upload files uses this same security protocol. You no longer need to type in your password when you used thescpcommand.$ scp filename username@crashwhite.polytechnic.org:~/forInstructor/ filename 100% 6835 112.1KB/s 00:00 $ - Configure backups on to the server
rsync -avz -e 'ssh -i ~/.ssh/id_rsa' ~/directoryToBeBackedUp username@crashwhite.polytechnic.org:~/backups/
Automating scp
For the simplest experience uploading files to a server, do this:
- In the terminal, navigate to your home directory
~create a directory calledbin, and change into that directory. This is a good place to store homemade scripts such as the one we're about to write.$ mkdir ~/bin $ cd ~/bin
- Write a short script, perhaps using
nano, that will upload a file to a server usingscp:$ nano scpp.sh #!/bin/zsh # takes an argument ($1) and securely copies it to the instructor folder # in your home directory on the crashwhite.polytechnic server scp -P 1030 $1 rwhite@crashwhite.polytechnic.org:~/forInstructor/
Save and close the file. - In the terminal, make the
~/binand the files inside it executable:$ chmod 755 ~/bin $ chmod 755 ~/bin/*
This makes thebindirectory accessible and the script executable. - In your
~/.zshrcor~/.bashrcfile, include the following line to create an alias for your shell:alias scpp=~/bin/scpp.sh
- Close the current terminal and open up a new terminal—this allows the
.zshrcfile to create the alias. Run the script by typing$ scpp filename.txt
...where filename.txt refers to some file in the local directory. This command will- Execute the
scppscript withfilename.txtas an argument - The
scppscript will take the file specified and upload it to the server using the certificate keys we generated.
- Execute the
One line to upload files to the server!
Fine Print
- The use of key-pairs for authentication has to be allowed for on the server. Editing the
/etc/ssh/sshd_configfile may be necessary, by uncommenting the line that allowsAuthorizedKeysFile - The user's
.sshdirectory and its contents need to be owned by the user. If an admin sets these directories up while root, the ownership and group of that directory and its contents need to be set to the user.$ chown -R username:username ~/.ssh/
- If you used a custom key name above, you need to add the new key to your SSH client.
- Start the ssh-agent
$ eval `ssh-agent`
- Run
ssh-add:$ ssh-add ~/.ssh/customkey_rsa
- Confirm key has been added:
$ ssh-add -l
- Compare fingerprint printed with that from public file:
$ ssh-keygen -l -f ~/.ssh/customkey_rsa.pub
You should be able to log on to server without password now.
Reference
https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2-