Skip Navigation Links
By Howard Draper, Computer Support Specialist, Information Security.
If you're reading this article, you probably use SSH (Secure Shell). If you don't know what SSH is, or you want to know more about it, go to SSH or type "man ssh" on a Linux/Unix environment. Typical implementations of SSH use a username and password to authenticate users. This method has considerable drawbacks:
If you run SSH on the standard port 22/tcp, and it's listening on our public UNT network, and password authentication is enabled, then malicious users outside the UNT domain are attempting to log in. By trying every possible character combination (and especially common ones), they will succeed eventually.
So what are SSH keys?
SSH keys are a pair of cryptographic keys used to authenticate users instead of (or in addition to) a username/password. One key is private and goes on your source device in the ~/.ssh directory, and the public key goes in the destination device's ~/.ssh/authorized_hosts file.
How long does it take to generate SSH keys?
Seconds-- although RSA takes slightly longer than DSA. See this for an actual RSA vs DSA benchmark.
So do I use RSA or DSA?
RSA has undergone more public cryptanalytic scrutiny, and is tried and true. DSA is based off a different encryption algorithms (privately developed by the NSA), and can sign faster, but verifies slower. Keep in mind this means 300 milliseconds of difference. RSA can be used to encrypt or sign. DSA is only intended for signing.
What are the commands to create and implement SSH keys?
For this instruction set, I'll use RSA for simplicity. To use DSA instead, simply specify "-t DSA" when you use ssh-keygen.
First, type the ssh-keygen command to generate your ssh-key pair.
# ssh-keygen -t rsa Generating public/private rsa key pair.
At this prompt, hit enter unless you want to specify a custom name.
Enter file in which to save the key (/Users/exampleuser/.ssh/id_rsa):
Now you'll be twice asked to create a passphrase. If you don't use one, you can SSH to another machine without having to type anything. However, if anyone else ever has your private key, or a copy of it, they'll have all the same connectivity privileges that you do. For this reason, we recommend that you use a passphrase, and you can use ssh-agent if you wish to only type your password once per day. If you are a system administrator and want to use blank passphrases for easy automated connections, you can bind certain commands directly to the SSH keys to limit privileges of those auto connecting accounts.
Enter passphrase (empty for no passphrase):
The following command will securely transmit the key to the destination host.
# scp id_rsa.pub email@example.com:/home/username/.ssh
Now SSH into that remote machine, and move into the .ssh directory.
If you don't see a file called "authorized_hosts", then create it and move the *.pub key into it with the following command.
# cat id_rsa.pub > authorized hosts
# cat id_rsa.pub >> authorized_hosts
Now you should be able to ssh from your source to destination computer without having to use a password. At this point, to completely thwart brute-force login attacks, you can edit your destination host's /etc/sshd_config file to disallow password authentication.
BE CAREFUL DOING THIS REMOTELY; CONSOLE ACCESS IS RECOMMENDED. BACK UP THE ORIGINAL SSHD_CONFIG FILE FIRST.
#PasswordAuthentication yes PasswordAuthentication no
# ssh -v desination.IP.some.where