Win Unix Mac

Articles,How Tos,Tips n more


How to create an SSH keypair on Linux and Unix systems


SSH is the secure replacement for the aging but faithful telnet client. It has matured, and nowadays a Linux distribution normally includes an SSH server along with many different authentication methods. One of them is SSH keypairs, commonly used for simple tasks and for avoiding the need to type passwords.

Let's just go on to say that SSH keypairs can be secured by a pass-phrase, and this is a sound choice. Do not confuse a password and a pass-phrase.

Those still confused might ask: what is the benefit of a pass-phrase over a password? The answer is that many secure crypto schemes have been developed, and they mostly use pass-phrases, since tools like ssh-agent and ssh-askpass are designed to automate the process of providing the key in a secure manner.

So, how do we proceed ?

Open up a root shell, or use sudo su - root to become root in a normal shell (we will create a test user for this exercise).

littlemac: neil$ sudo su - root

Password:

littlemac:~ root#


Next, as the root user, we create our user (sshtest) and run su - sshtest to become this user on the system. We do this so that when we create the SSH public and private key pair, the ownership and permissions will be correctly set for that user as the owner.

 

[root@littlemac ~]# useradd sshtest

[root@littlemac ~]# su - sshtest

Now we create an SSH keypair. We are going to use the standard default arguments and follow the prompts.

[sshtest@littlemac ~]$ ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (/home/sshtest/.ssh/id_rsa):

Created directory '/home/sshtest/.ssh'.

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/sshtest/.ssh/id_rsa.

Your public key has been saved in /home/sshtest/.ssh/id_rsa.pub.

The key fingerprint is:

1d:c5:00:4e:bd:9a:10:b6:75:39:eb:2e:d4:1f:24:ce sshtest@littlemac

[sshtest@littlemac ~]$

 

Notice that I am prompted for a pass-phrase. If I press return twice at this moment I get an empty passphrase, which is not very secure, but surprisingly common.
My advice is to use a passphrase to secure your key, even from your root / administrator user :)

So now the SSH public and private keys have been generated. Let's take a look at what has been created under the user directory ~/.ssh

[sshtest@littlemac ~]$ ls -la ~/.ssh/

total 16

drwx------ 2 sshtest sshtest 4096 Aug  9 23:38 .

drwx------ 5 sshtest sshtest 4096 Aug  9 23:38 ..

-rw------- 1 sshtest sshtest 1675 Aug  9 23:38 id_rsa

-rw-r--r-- 1 sshtest sshtest  399 Aug  9 23:38 id_rsa.pub


Notice that the permissions on the public and private keys are different!

The private key ( in this case, the file id_rsa ) has only read and write permissions for the owner of the file.

The public key is world-readable and writable only by the owner. The read permission for the group and the rest of the world allows this file to be read by any user on the system. This is OK because it is the public key and is not intended to be private.
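To check both points made above, the owner-only permissions on the private key and the advice against an empty passphrase, here is an added shell example (not part of the original article). The function names are hypothetical, and it assumes OpenSSH's ssh-keygen is installed and that private keys are named id_* as in the listing above.

```shell
#!/bin/sh
# Added example: audit an ~/.ssh directory for the two weaknesses discussed
# above. All function names are hypothetical helpers, not OpenSSH commands.

# Print the nine permission characters of PATH, e.g. "rw-------".
mode_bits() {
    ls -ld -- "$1" | cut -c2-10
}

# Succeed only if group and others have no access at all (the last six
# permission characters are all "-"), as with id_rsa in the listing.
group_other_clear() {
    [ "$(mode_bits "$1" | cut -c4-9)" = "------" ]
}

# Succeed if ssh-keygen can load the private key with an EMPTY passphrase.
# "-y" derives the public key; '-P ""' supplies the passphrase so nothing
# prompts. Any failure (encrypted key, malformed file) counts as "not empty".
empty_passphrase() {
    ssh-keygen -y -P "" -f "$1" >/dev/null 2>&1
}

# Audit DIR: return 0 when clean, 1 when at least one warning was printed.
audit_ssh_dir() {
    dir=$1
    rc=0
    group_other_clear "$dir" || { echo "WARN: $dir is accessible to group/other"; rc=1; }
    for key in "$dir"/id_*; do
        [ -f "$key" ] || continue
        case $key in *.pub) continue ;; esac      # public keys may be world-readable
        group_other_clear "$key" || { echo "WARN: $key is accessible to group/other"; rc=1; }
        if command -v ssh-keygen >/dev/null 2>&1 && empty_passphrase "$key"; then
            echo "WARN: $key has no passphrase"
            rc=1
        fi
    done
    return "$rc"
}

# Run the audit only when a directory is given, e.g.: sh audit.sh ~/.ssh
if [ "$#" -gt 0 ]; then
    audit_ssh_dir "$1"
fi
```

ssh-keygen also refuses to load a private key whose permissions are too open, so a key flagged for loose permissions should be re-checked for an empty passphrase after its mode is corrected.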

The contents of the private key look like this:

[sshtest@littlemac ~]$ cat ~/.ssh/id_rsa*
-----BEGIN RSA PRIVATE KEY-----
[private key body not shown]
-----END RSA PRIVATE KEY-----

And the public key looks like this:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA408FqdKEaaKosGMaXRiMjFP33/RmqJ09zFlMia7PdWezYILSrosQLeyLWBsMP5hM396F9Axme4AgQvR17qyQ38UydwrY2y+k92iK6JvUe2o3v5Q+Xiog516dVhVi3lbkXkkvjVCxVm2/dopTj+wd2KexfVoPY/z1qkjNdFKI6BWUp5w+mRpj5fpC6vir8Sg0wZ5LL8WjxbyU2uAl58k7CfSjUHVegQKmthecnCIzV311XWP3yml2Dyv6nz4WOQ3JenJYGZmgMU1QfBxBonH5ovRGyVKgi8DP3VRZWsSG0RsiMkeoSANfjFOuuy355NC0CSSiDu2q8E8tf/WeSw== sshtest@littlemac

Last Updated on Sunday, 09 August 2009 21:57  
