What SSH Keys Are And How To Use Them With A Linux Server – Part 1
Various research in recent years has highlighted the fact that people generally have too many passwords to remember. Also, longer and more complex passwords, which are more like random strings of text, are recommended but make remembering them even harder. Password analysis shows that the majority of passwords range from 7 to 10 characters in length, and the processing power of modern computers makes brute force attacking these passwords relatively easy. When you rely on a password to secure the management of your server, this can be quite a risk. SSH Keys are the solution to long, difficult passwords.
Beefing Up Security: SSH Keys
You could increase security by making your passwords longer and more complex. However, SSH has another solution up its sleeve: SSH keys. Keys come in pairs, one private and one public. The public key can be freely shared anywhere, whilst the private key needs to be kept safe and secure. For a properly produced algorithm, it is impossible for the private key to be reverse engineered from the public key. These two keys are essentially long strings of characters that are mathematically related in such a way that a message encrypted using the private key can only be decrypted using a public key. Similarly, a message encrypted using the public key can only be decrypted using the private key.
When working with keys with SSH, you keep the private key safe and secure on your local computer. The private key is uploaded to the server you want to connect to. Keys are used for identity authentication, and the same key pair can be used on multiple servers if you wish. Due to the length of the character strings in a private key, it is practically impossible for a computer to brute force attack a server using keys.
When connecting to a server, the server will check the authorized_keys file for the user that is connecting and will send a message to the connecting client that is encrypted using the authorized public keys. If the client has the matching private key then it will be able to successfully decrypt the message and respond to the server. This authenticates the identity of the connecting user.
Installing SSH Keys
If you are using Linux or Apple Mac OSX you can easily generate an SSH key and install it on a remote server with a few commands. First, we’ll generate the key. To do this on a desktop, open a terminal window and use the following command:
ssh-keygen -t rsa
You will be prompted to set a passphrase for your key. The passphrase is used to prevent the use of the private key by an unauthorized individual. This can be left blank and your connection to the server will be just as secure as if you do set one. If someone gets hold of your private key and you have a blank passphrase, then they can use your key to connect to servers where you use it without any problem. If you do have a passphrase set then they need to brute force that before they can use the private key. So, if you find your private keys have been compromised, the passphrase will buy you time to change the keys you use with your server before the stolen private keys can be used against you.
Once you have set your passphrase the key will be generated, normally as id_rsa for the private key and id_rsa.pub for the public key. The next step is to copy the public key to the target server. Linux users can do this easily with:
ssh-copy-id user@server.example.com
In this case swap “user” for the username you use on the server and “server.example.com” for the domain name or IP address of the server you are connecting to. The default public key will be copied over.
For Mac OSX users it’s not so simple, but you can achieve the same with this one-liner:
cat ~/.ssh/id_rsa.pub | ssh user@server.example.com “mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys”
As before, change “user” for your username and “server.example.com” for the domain name or IP address of your server. It will take the contents of your public key file and pipe it to the ssh command which will create a .ssh directory for your user, and then add the contents of your public key to the authorized_keys file.
We aren’t quite finished yet, though. Next time, we’ll look at how to increase the security at the server’s end by preventing passwords being used to log in. We’ll also look at how Windows users can use keys with PuTTY to connect to servers.