Ssh Configure Public/Private Key Authentication: Difference between revisions
| (7 intermediate revisions by the same user not shown) | |||
| Line 9: | Line 9: | ||
This is the procedure to generate a [[Public_Key_Security#Key_Pair|public/private key pair]]. Run the following command on the machine you will be logging '''from''' and as the Unix user you will be using to connect: | This is the procedure to generate a [[Public_Key_Security#Key_Pair|public/private key pair]]. Run the following command on the machine you will be logging '''from''' and as the Unix user you will be using to connect: | ||
ssh-keygen -q -b 2048 -f ~/.ssh/id_rsa -t rsa | ssh-keygen -q -b 2048 -P "" -f ~/.ssh/id_rsa -t rsa | ||
The above command uses an empty (no) passphrase. | |||
The key is written in [[Public_Key_Security#PEM|PEM]] format. | The key is written in [[Public_Key_Security#PEM|PEM]] format. | ||
| Line 17: | Line 17: | ||
If you want password-less log in, use an empty string as passphrase. | If you want password-less log in, use an empty string as passphrase. | ||
The keys can also be [[Openssl_Operations#Generate_a_Public.2FPrivate_Key_Pair|generated with | The keys can also be [[Openssl_Operations#Generate_a_Public.2FPrivate_Key_Pair|generated with OpenSSL]], the results are equivalent. | ||
For more general considerations on private keys, see: {{Internal|Public_Key_Security#Private_Key|Private Keys}} | |||
==Permissions== | ==Permissions== | ||
| Line 58: | Line 60: | ||
... | ... | ||
</pre> | </pre> | ||
=Auxiliary Procedures= | |||
==Convert a OpenSSL PEM Public Key for Use with OpenSSH== | |||
This command can be used to convert OpenSSL public keys generated with [[Openssl_Operations#Extract_the_Matching_Public_RSA_Key_from_a_Private_Key|openssl commands]] to a format compatible with OpenSSH. | |||
ssh-keygen -i -m PKCS8 -f ./id_rsa_openssl.pem > id_rsa.pub | |||
Also see: {{Internal|Openssl_Operations#Extract_the_Matching_Public_RSA_Key_from_a_Private_Key|Extract the Matching Public RSA Key from a Private Key}} | |||
Latest revision as of 22:12, 17 November 2021
Internal
Procedure
Create the OpenSSH Private/Public Key Pair
This is the procedure to generate a public/private key pair. Run the following command on the machine you will be logging from and as the Unix user you will be using to connect:
ssh-keygen -q -b 2048 -P "" -f ~/.ssh/id_rsa -t rsa
The above command uses an empty (no) passphrase.
The key is written in PEM format.
If you want password-less log in, use an empty string as passphrase.
The keys can also be generated with OpenSSL, the results are equivalent.
For more general considerations on private keys, see:
Permissions
Make sure ~/.ssh/id_rsa has the following permissions -rw-------.
Install the Public Key on All Machines to Log in Into
On all machines you will be logging in into, place the content of the previously generated id_rsa.pub into ~/.ssh/authorized_keys and make sure ~/.ssh/authorized_keys has the following permissions -rw-------.
Alternatively, the distribution can be done with ssh-copy-id:
File Permission Concerns
Make sure ~/.ssh/id_rsa is -rw-------.
Nake sure ~/.ssh/authorized_keys is -rw-------.
If the home directory in which .ssh resides is world writable, pub/pvt key authentication doesn't work and ssh falls back to password.
Configuring the Server to Allow Public Key Authentication
/etc/ssh/sshd_config must contain the following:
... RSAAuthentication yes PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys ...
Note that I've seen server configured to use /etc/keys/%u/authorized_keys. If this is the case, place the authorized_keys file there, make it owned by the respective user and give it the appropriate permissions.
Optional: Some servers list the users allowed to authenticate with public key under the "AllowUsers" directive:
... AllowUsers admin jmp em ...
Auxiliary Procedures
Convert a OpenSSL PEM Public Key for Use with OpenSSH
This command can be used to convert OpenSSL public keys generated with openssl commands to a format compatible with OpenSSH.
ssh-keygen -i -m PKCS8 -f ./id_rsa_openssl.pem > id_rsa.pub
Also see: