Ssh public private keys

From Do you speak Drupalish? Featured Drupal wiki-like documentation
Jump to: navigation, search

Generate

first setup hostname
mkdir -p .ssh
chown user_owner:user_group .ssh
If you want something strong, you could try 
ssh-keygen -t rsa -b 4096 or
ssh-keygen -t rsa -b 2048 for private networking
via http://www.ece.uci.edu/~chou/ssh-key.html and https://help.ubuntu.com/community/SSH/OpenSSH/Keys
  • May choose different files Enter file in which to save the key ( pwd to grab the current location)
  • root/.ssh doest not exists
  • Delete private key from server, or, at least, move it from /.ssh directory. Who can reach it in root, can reach it anywhere

Permissions

Now set permissions on your private key: 

$ chmod 700 ~/.ssh ( ovh goes by default 755)
$ chmod 600 ~/.ssh/id_rsa

Debug_ssh#selinux

Transfer Client Key to Host

  • Obvious dummy: do not transfer private key
  • The key you need to transfer to the host is the public one. If you can log in to a computer over SSH using a password, you can transfer your RSA key by doing the following from your own computer:
ssh-copy-id <username>@<host>
  • Where <username> and <host> should be replaced by your username and the name of the computer you're transferring your key to.
    • (i) Due to this bug, you cannot specify a port other than the standard port 22. You can work around this by issuing the command like this: ssh-copy-id "<username>@<host> -p <port_nr>". If you are using the standard port 22, you can ignore this tip. Not working on centos
  • Another alternative is to copy the public key file to the server and concatenate it onto the authorized_keys file manually. It is wise to back that up first:
cp authorized_keys authorized_keys_Backup
cat id_rsa.pub >> authorized_keys 
chown otheruser:otheruser authorized_keys

Disable password authentication forcing use of keys

  • Once you've checked you can successfully login to the server using your public/private key pair, you can disable password authentication completely by adding the following setting to your /etc/ssh/sshd_config file:
# Disable password authentication forcing use of keys
PasswordAuthentication no
  • service sshd restart
    • required
  • take care to have rescue mode available
  • save you keys locally ( maybe convert to putty)

RSA

  • SSH can use either "RSA" (Rivest-Shamir-Adleman) or "DSA" ("Digital Signature Algorithm") keys. Both of these were considered state-of-the-art algorithms when SSH was invented, but DSA has come to be seen as less secure in recent years. RSA is the only recommended choice for new keys, so this guide uses "RSA key" and "SSH key" interchangeably. https://help.ubuntu.com/community/SSH/OpenSSH/Keys#Key-Based_SSH_Logins

Change RSA passphrase

$ ssh-keygen -f id_rsa -p
  • and the strength of your key has nothing to do with the strength of your passphrase.

Confusions

  • You need to generate differet keys if:
    • Login from local to server1
    • From server1 login to server2

putty

  • Don't generate first on putty, because you could use it on other linux system. Better, have a VirtualBox linux on Windows to generate keys

Converting the OpenSSH private key to Putty format

  • Click File->Load Private Key, load the file "id_rsa" in puttygen

puttygen

See also

  • Filezilla is aware of key auth

Managing Multiple SSH Keys

tips

  • truncate known_hosts --size=0 ( when previously password login)
  • service sshd restart

Debug ssh

  • try temporary with setenforce 0
Retrieved from "https://www.drupalish.com/w/index.php?title=Ssh_public_private_keys&oldid=969"

BackLinks