SSH keys are a pair of encryption-protected keys (private and public) that are used for authorization when connecting to a server using the SSH protocol. We recommend using SSH keys instead of passwords to increase connection reliability and security. The ssh-keygen program is used to generate a key pair, it is included in the ssh package, and if you have SSH already configured, you do not need to install anything additionally. Standard SSH keys are stored in the ~/ directory. ssh. If you don’t have a ~/. ssh, generate it with the correct permissions using the ssh-keygen command. Accessing SSH using a public key (without a password) is very convenient and secure. The process of setting up public key authentication is very simple: The team creates a public key – private key pair. The public key is copied to the computer with the SSH server, that is, to the computer to which the connection will be made and on which the commands will be executed.
And then the connection is made in the usual way, but entering a password is not required. The public key that is copied to the remote server is not secret. The same key can be used on different servers. The main thing is to keep the private key secret. You can generate keys and copy them to a remote host with literally three commands. To speed up the login process and optimize the behavior of the SSH client, you can create and configure an SSH configuration file ~/.ssh/config. The ssh-keygen program has many functions and capabilities, let’s start by considering the key generation procedure, which is performed elementary. If you have time to log in to the remote system, go ahead.
We are asked for a file name, there is no need to enter anything, the standard name will be used. A password is also requested. This password allows you to set additional protection – when connecting using keys, the password of the user will not be requested, but the password of the key itself will be requested. No need to set a password.
~/.ssh/id_rsa
~/.ssh/id_rsa.pub
The first file must be kept secret. The second file must be copied to the remote computer where the SSH server is running. Now on the remote machine we need to create a .ssh directory.
Run the view command:
Example:
Now we need to copy the contents of the id_rsa.pub file to the remote machine in the ~/.ssh/authorized_keys file. It’s very simple (you need to change the data to your own):
Example:
Now we connect using the SSH client, but we will no longer be asked for the password.
dsa
ecdsa
ed25519
rsa
To select any of these types, use the -t option. In the previous example, we chose rsa – it is not necessary to explicitly specify the RSA type, since it is implied by default (that is, key generation can be started without the -t option).
~/.ssh/id_dsa
~/.ssh/id_ecdsa
~/.ssh/id_ed25519
~/.ssh/id_rsa
These files must be kept private and only accessible to the owner.
~/.ssh/id_dsa.pub
~/.ssh/id_ecdsa.pub
~/.ssh/id_ed25519.pub
~/.ssh/id_rsa.pub
These files are not secret, their contents should be copied to the file ~/.ssh/authorized_keys on the computer running the SSH server.
We used ssh-keygen to generate the keys. In addition, it is designed to manage and convert authentication keys for ssh. Only some of the functions of this program are discussed below, the full list of options can be found in the team:
For this, the option is used: -b It determines the number of bits in the generated key. For RSA keys, the minimum size is 1024 bits and the default is 2048 bits. As a general rule, 2048 bits is considered sufficient. DSA keys must be 1024 bits long as specified in FIPS 186-2. For ECDSA keys, the -b flag specifies the length of the key, choosing one of three elliptic curve sizes: 256, 384, or 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will fail. Ed25519 keys have a fixed length and the -b flag will be ignored.
1. -C comment – Enter a comment after this option.
2. -c – This option includes the process of commenting changes in the private and public key files. The program will ask for a file containing private keys, a password (if installed), and then prompt you to enter a new comment.
You can see the comment using the -l option. This option shows the fingerprint of the specified public key file. For RSA and DSA keys, ssh-keygen tries to find a matching public key file and prints it.
When combined with -v, an ASCII visual representation will be shown after the printout:
The key file can be specified with the -f option:
The key file must be specified with an option -f:
The -y option will read an OpenSSH format file with a private key and print the OpenSSH public key to stdout.
Also, using the -f option, you need to specify the path to the private key from which the corresponding public key will be extracted:
For example, the private key is placed in the id_rsa file, then the command to extract the public key from it is as follows:
You may encounter an error:
It means that the private key is readable by anyone and the ssh-keygen program refuses to work with it for this reason. To fix this error, simply install the file with the private key of access right 600:
The same key pair can be used to access multiple SSH servers. Therefore, each of them (on the client and on the servers) can have one key. However, if you have multiple keys or if you want to use a different, non-standard key file location, the following shows how to specify the location on the command line and in the SSH client configuration files. The SSH configuration file uses the IdentityFile directive to specify the path to the private keys.
Its default value is:
As you can see, you can use a tilde to indicate the user’s home folder. It is possible to have multiple IdentityFile directives in configuration files; all these IDs will be tested in turn. Numerous IdentityFile directives will add candidates to the queue for attempts (this behavior differs from other configuration directives). It is also possible to configure the use of specific identity files for specific hosts:
The -i option is used for the command line, followed by the path to the private key (identity file). The default values are the same as in the directive discussed above. The i option can be used multiple times.
Public keys of all types are placed in one file, default values:
~/.ssh/authorized_keys
~/.ssh/authorized_keys2
Each line of the file contains one key (empty lines and lines starting with ‘#’ are ignored as comments). Public keys consist of the following fields separated by spaces: options, key type, key in base64 encoding, comment. The options field is optional. The key type is “ecdsa-sha2-nistp256”, “ecdsa-sha2-nistp384”, “ecdsa-sha2-nistp521”, “ssh-ed25519”, “ssh-dss” or “ssh-rsa”. The comment field is not used for anything (but may be convenient for the user to identify the key).
To convert the .ppk format to OpenSSH, you can use the puttygen utility, which is included in the Putty package. So we need to install PuTTY Linux: with your package manager, install PuTTY (or the minimal PuTTY-tools package):
OS X: Install Homebrew, then run
Place your keys in some directory, for example your home folder. Now we convert the PPK keys into an SSH pair.
Move these keys to ~/.ssh and ensure that the private key has limited write access:
Open PuTTYgen, click the Load button and select the .ppk file with the keys. You’ll immediately see your SSH public key, which you can copy and paste into a file. Now go to “Conversions” → “Export OpenSSH key” in the menu and save the private key. Copy your private key to ~/.ssh/id_dsa (or id_rsa).