CSC250: Introduction to Computer Security
Public/Private Key exchange and ssh-keygen
We use the program ssh-keygen to generate public/private key
pairs to secure authentication between two hosts. See the
man page for ssh-keygen. Note that we should all be using SSH protocol version 2; there is a well-known vulnerability in SSH1. When we run ssh-keygen, it creates two keys: the private key, named ~[username]/.ssh/id_rsa, and the public key, named ~[username]/.ssh/id_rsa.pub.
When you are generating a key, you will be asked to provide a
'passphrase'. We will see that if that passphrase is left blank, then a
host will allow you to log into it without being challenged for a
password at login time. Also note that the passphrase can be different
from your system password. Note that PHYSICAL security
(chapter 9 in our book)
is required if you have public/private keys that have no passphrase. The
absence of a passphrase is a problem, but not one that precludes our using
it, as long as we carefully consider what we are doing when implementing a
public/private key pair with no passphrase. Also note that if a user who has a key on the system has a password that
is different from the passphrase protecting the key, then when logging in with that key the key's
passphrase takes precedence over the user's normal password: you are asked for the passphrase, not the account password.
Generating a key pair and placing it in use
Start up a shell session on the host (client) from which you will be
connecting to the server. Often we are running the X Window System on a
Unix/Linux host so that we are able to use cut-and-paste to copy our
public key from the client to the server.
At the command line of your client machine type:
- ssh-keygen -t rsa
  #this generates the RSA keys, which are recommended in SSH version 2, and places them in
  #~[HOME]/.ssh/id_rsa (your private key) and ~[HOME]/.ssh/id_rsa.pub (your public key)
- When the key is being generated, you will be asked to enter a
passphrase. This passphrase overrides your system login password when you log in with the key.
So, if you just press Enter twice you will end up with NO passphrase, and
this allows you to get into another server without being challenged for a passphrase, provided you place your public key into "authorized_keys" on that server.
- Find your public key and open it in a text editor. Note that the public key is
viewable by anyone (check with ls -l), while the private key is viewable only by you.
- Paste or copy your ~[HOME]/.ssh/id_rsa.pub key into a file called ~[HOME]/.ssh/authorized_keys on the other server.
It must be pasted into the file as a single line, with NO extra spaces or newline characters in it.
- At this point you should be able to log into the server from your client
using the passphrase you entered when you generated the key; if you left the
passphrase blank, you will not be challenged for a password.
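As an added example that is not part of this handout, the following POSIX shell script performs the authorized_keys step above and applies the checks the notes insist on: the pasted key is one line with no line feeds, each key is installed once, and the private key is readable by its owner alone. Function names, the path arguments and the sample key line are my own (the key is constructed, not a real key).

```sh
#!/bin/sh
# Added example, not part of the course handout. Function names and the
# path arguments are my own; the sample key used below is constructed.

# Succeed only if $1 holds exactly one line shaped like an OpenSSH public key
# (no embedded line feeds, which break authorized_keys as the notes warn).
is_single_line_pubkey() {
    [ "$(wc -l < "$1" | tr -d ' ')" -le 1 ] || return 1
    grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+( [^[:space:]]+)?$' "$1"
}

# Append the public key in file $1 to the authorized_keys file $2, one key per
# line and never twice, with the permissions sshd expects (.ssh 700, file 600).
install_pubkey() {
    pub="$1"; auth="$2"
    is_single_line_pubkey "$pub" || { echo "refusing $pub: not one clean key line" >&2; return 1; }
    dir="$(dirname "$auth")"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    key="$(cat "$pub")"
    grep -qxF -- "$key" "$auth" && return 0        # already installed
    printf '%s\n' "$key" >> "$auth"
}

# Succeed only if the private key $1 is readable by its owner alone (mode 600),
# which is what "only viewable by you" in the notes means on disk.
private_key_mode_ok() {
    [ -n "$(find "$1" -prune -perm 600 2>/dev/null)" ]
}

# Demonstration against a temporary directory instead of a real ~/.ssh.
demo() {
    tmp="$(mktemp -d)" || return 1
    # constructed public key line, not a real key
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKey user@client\n' > "$tmp/id_ed25519.pub"
    install_pubkey "$tmp/id_ed25519.pub" "$tmp/ssh/authorized_keys" || return 1
    install_pubkey "$tmp/id_ed25519.pub" "$tmp/ssh/authorized_keys" || return 1   # no duplicate
    n="$(wc -l < "$tmp/ssh/authorized_keys" | tr -d ' ')"
    rm -rf "$tmp"
    [ "$n" -eq 1 ]
}
```

Run `demo` to exercise it in a scratch directory; for a real account, call `install_pubkey ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys` on the server.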
Unix Commands for the Uninitiated
- ssh [hostname].csit.parkland.edu #this will log you into our server if you
are at a Linux (or Cygwin) prompt and your username is the same on both systems. Otherwise use PuTTY, which will challenge you for a username and password.
- ssh -l [username] [host sshd server name] #logs you into the server
as username. Used if you have different usernames on the two systems.
- ls -al #list all of your files
- ssh-keygen -t rsa #creates an RSA key pair
- cd .ssh #this will take you to your .ssh directory if you have
- ls -l #lists the files in your .ssh directory
- Copy your ~/.ssh/id_rsa.pub from the system you made it on to ~/.ssh/authorized_keys on the system you want to log into automatically; you may have to use sftp to transfer the key to the other machine.
If there is already another key in that file, you have to append yours with cut and paste instead of just copying the file over. Often we do cut and paste; if you do, you MUST make sure that your key has no line feeds in it.
- You should now be able to ssh into [hostname].csit.parkland.edu with no password.