Secure Shell (SSH) is a cryptographic network protocol used for secure connection between a client and a server and supports various authentication mechanisms. SSH uses public-key cryptography to authenticate the remote computer and allow it to authenticate the user, if necessary.
There are several ways to use SSH; one is to use automatically generated public-private key pairs to simply encrypt a network connection, and then use password authentication to log on. Another is to use a manually generated public-private key pair to perform the authentication, allowing users or programs to log in without having to specify a password. In this scenario, anyone can produce a matching pair of different keys (public and private). The public key is placed on all computers that must allow access to the owner of the matching private key (the owner keeps the private key secret). While authentication is based on the private key, the key itself is never transferred through the network during authentication. SSH only verifies whether the same person offering the public key also owns the matching private key.
Set up public-key authentication using SSH on a Linux or macOS computer
To set up public-key authentication using SSH on a Linux or macOS computer:
Log into the computer you'll use to access the remote host, and then use command-line SSH to generate a key pair using the RSA algorithm. To generate RSA keys, on the command line, enter:
ssh-keygen -t rsa
- You will be first prompted to provide a filename to store the public/private key, hit Enter or Return to accept the default value
You will then be prompted to enter a passphrase. If you hit Enter or Return, you will create a passwordless key pair. You will find plenty of online resources that suggest creating a passwordless key pair. From a security prespective, this is NOT RECOMMENDED. Please consider adding a passphrase.
[apacheco@mira](1016): ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/apacheco/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/apacheco/.ssh/id_rsa. Your public key has been saved in /home/apacheco/.ssh/id_rsa.pub. The key fingerprint is: SHA256:<redacted> apacheco@mira The key's randomart image is: +---[RSA 2048]----+ | oo.o..o. | | . .*..*. | | E.o+*o= | | O.ooO.. | | o =oo S. | | .o o . | |. ..+ = . | |ooo. = o | |===o.o.. | +----[SHA256]-----+
If
ssh-copy-idcommand is available on your system, then you can copy your public key using the command[apacheco@mira](1018): ssh-copy-id -i ~/.ssh/id_rsa.pub alp514@sol.cc.lehigh.edu /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/apacheco/.ssh/id_rsa.pub" /usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys Number of key(s) added: 1 Now try logging into the machine, with: "ssh 'alp514@sol.cc.lehigh.edu'" and check to make sure that only the key(s) you wanted were added.
Alternatively, copy the public key to your account on the remote system using SFTP or SCP.
SCPscp ${HOME}/.ssh/id_rsa.pub alp514@sol.cc.lehigh.edu:~/Login to the remote system and add the contents of your public key file (
~/id_rsa.pub) to a new line in your~/.ssh/authorized_keysfilecat ~/id_rsa.pub >> ~/.ssh/authorized_keys
If you login to the remote system, it will prompt you to enter the passphrase for the key pair rather than the password on the remote system. You have three chances to enter the correct passphrase before it defaults to the account password. To login to the remote system without entering your password or passphrase, use the credential manager,
ssh-agent[apacheco@mira](1020): ssh sol Enter passphrase for key '/home/apacheco/.ssh/id_rsa': Last login: Thu May 21 13:21:11 2020 from xyz.cc.lehigh.edu | | . Welcome to Sol. Compute intensive jobs are not to be `. * | .' run on the head node; appropriate tasks are editing, `. ._|_* .' . compilation, and SLURM job submission. Low impact, . * .' `. * non-polling daemons are also allowed. -------| |------- . *`.___.' * . . SLURM job submission is required. .' |* `. * . Files in /home and /share. .' * | . `. . Apps in /share/Apps. . | | User quotas are set to 150GB on /home. Use of this system is subject to Lehigh University security and information policies available at http://www.lehigh.edu/security.It is a good security practice to change the key pair passphrase regularly just as you regularly change your password.
[apacheco@mira](1028): ssh-keygen -p Enter file in which the key is (/home/apacheco/.ssh/id_rsa): Enter old passphrase: Enter new passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved with the new passphrase.
- If you have an existing key pair that does not contain a password, then you can add a password using the command
ssh-keygen -p -f <path to private key>
Using ssh-agent and ssh-add to manage passwords
ssh-agent is a key manager for SSH. It holds your keys and certificates in memory, unencrypted, and ready for use by ssh. The ssh-add command prompts the user for a private key password and adds it to the list maintained by ssh-agent. Once you add a password to ssh-agent, you will not be prompted for it when using SSH or SCP to connect to hosts with your public key.
At the prompt, enter
[apacheco@mira](1002): eval `ssh-agent` Agent pid 31571
Use backtics (`) rather than the single quote (')
Use
ssh-addto add credentials tossh-agent. It's good security to give a lifetime to your saved credential. By default, the lifetime is the length of time the terminal is open. When prompted, enter the passphrase for the private key.[apacheco@mira](1003): ssh-add -t 1h Enter passphrase for /home/apacheco/.ssh/id_rsa: Identity added: /home/apacheco/.ssh/id_rsa (/home/apacheco/.ssh/id_rsa) Lifetime set to 3600 seconds
For the next 1 hour (assuming previous command), you can login to Sol or any remote system on which the public key pair is saved without entering your password
[apacheco@mira](1004): ssh sol Last login: Thu May 21 13:42:08 2020 from xyz.cc.lehigh.edu | | . Welcome to Sol. Compute intensive jobs are not to be `. * | .' run on the head node; appropriate tasks are editing, `. ._|_* .' . compilation, and SLURM job submission. Low impact, . * .' `. * non-polling daemons are also allowed. -------| |------- . *`.___.' * . . SLURM job submission is required. .' |* `. * . Files in /home and /share. .' * | . `. . Apps in /share/Apps. . | | User quotas are set to 150GB on /home. Use of this system is subject to Lehigh University security and information policies available at http://www.lehigh.edu/security.To see a list of keys added to your agent, use the command
[apacheco@mira](1004): ssh-add -l 2048 SHA256:<redacted> /home/apacheco/.ssh/id_rsa (RSA)
To delete all saved keys, use the command
[apacheco@mira](1005): ssh-add -D All identities removed. [apacheco@mira](1006): ssh-add -l The agent has no identities.
If you have saved multiples keys and want to delete only one key, then use the command
ssh-add -d <private key>. For e.g.[apacheco@mira](1010): ssh-add -d /home/apacheco/.ssh/id_rsa Identity removed: /home/apacheco/.ssh/id_rsa (apacheco@mira) [apacheco@mira](1011): ssh-add -l The agent has no identities.
Best Security Practices
- Always protect your key pair with a passphrase.
- Use a strong passphrase just as you would for your password.
- Do not use your password as your passphrase.
- Do not write your password/passphrase and store at a place that anyone can access for e.g. post-it note on your monitor.
- Verify only your account has access to ssh keys by running
chmod 700 ~/.ssh. - Never share your private key and/or your passphrase/password.
- Always store your credentials in
ssh-agentwith a definite lifetime. - Change your passphrase as regularly as you change your password.
- Do not use reuse your password and passphrase.
- Limit the number of systems that you log in from.
Useful Links
- https://www.ssh.com/ssh/keygen/
- https://www.ssh.com/ssh/agent
- https://www.ssh.com/ssh/add
- https://smallstep.com/blog/ssh-agent-explained/