When connecting a first time to a SSH server key point is always to verify the presented fingerprint of the remote SSH server.

SSH Key-Based Authentification

An SSH server can authenticate clients using a variety of different methods. The most basic of these is password authentication, which is easy to use, but not the most secure. SSH keys prove to be a reliable and secure alternative. To use this alternative you need a key pair with a public and a private key. You can generate a key pair with the command ssh-keygen:

user@host:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): 
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
d0:f5:bc:f8:16:da:5a:e3:5e:e5:ef:18:00:55:69:c8 user@host
The key's randomart image is:
+---[RSA 2048]----+
|          ...o.. |
|       . . +E o  |
|      . . . o.   |
|       .   o .   |
|        S . +   .|
|           + o o |
|          . * o .|
|           = o o.|
|          ..o ..o|
+-----------------+
user@chinaski:~$ 

The public key must be uploaded to the remote server that you want to be able to log into with SSH. The key is added to a special file within the user account you will be logging into called ~/.ssh/authorized_keys. In our managed linux client environment with a network shared home directory you can do this with:

> user@host:~$ cat .ssh/id_rsa.pub >> .ssh/authorized_keys

To instead install the public key on a remote machine you can use the helper copy-ssh-id. Now you are able to perform a ssh keybased login from client to client.

If you do not protect the private key file with a password please be careful that nobody else can read this file (generally this is not a good idea, and might be useful only in particular cases where a separate key is generated for an automation task and on the reciever side the key usage is restricted to that particular task). If somebody can read it your identity has been stolen and can be used from this person on every target where you have placed your public key.

FAQ/SSHkeys (last edited 2020-09-09 11:35:33 by bonaccos)