CSC250: Introduction to Computer Security

Public/Private Key exchange and ssh-keygen


ssh-keygen

We use the program ssh-keygen to generate public-private key pairs to secure authentication between 2 hosts. See the man page for ssh-keygen. Note that we should all be at SSH2, there is a well known vulnerability in SSH1. When we run ssh-keygen, it creates 2 keys, one named ~[username]/.ssh/id_rsa and another named ~[username]/.ssh/id_rsa.pub

When you are generating a key, you will be asked to provide a 'passphrase', we will see that if that passphrase is left blank, then a host will allow you to log into it without being challenged with a password at login time. Also note that it is possible to have a passphrase that is different than your system password. Note that PHYSICAL security (chapter 9 in our book) is required if you have public/private keys that have no passphrase. The absence of a passphrase is a problem, but not one that precludes our using it as long as we carefully consider what we are doing when implementing a Pub/Pri key pair with no passphrase. Also note, if a user who has a key on the system, has a password that is different than the passphrase contained within the key, the key's passphrase takes presedence over the user's normal password.

Generating a key pair and placing it in use

Start up a shell session on the host (client) that you will be connecting to the server on. Often we are running the X-window system on a Unix/Linux host so that we are able to use 'Cut-and-Paste' to copy our public key from the client to the server. At the command line of your client machine type:

  • ssh-keygen -t rsa
    #this generates the RSA keys which are recommended in SSH version 2, and places them in ~[HOME]/.ssh/id_rsa which is your private key and ~[HOME]/.ssh/id_rsa.pub, your public key
  • When the key is being generated, you will be asked to enter a passphrase. This passphrase overrides your system login password So, if you just press enter twice you will end up with NO passphrase and this allows you to get into another server without being challenged for a passphrase, if you place your public key into "authorized_keys" on the other server.
  • find your public key and open it in a text editor note that if you are looking at your public key it is viewable by anyone (ls -l) and if you look at your private key it is only viewable by you.
  • paste or copy your~[HOME]/.ssh/id_rsa.pub key into a file called ~[HOME]/.ssh/authorized_keys on the other server it must be pasted into the file with NO spaces or newline characters in it.
  • At this point you should be able to log into the server from your client, using the passphrase you entered when you generated the key, if you left the passphrase blank, then you will not be challenged for a password

Unix Commands for the Un-initiated

  • ssh [hostname].csit.parkland.edu #this will log you into our server if you are at a Linux(cygwin) prompt and your username is the same on both clients. Otherwise use putty which will challenge you for a username and password.
  • ssh -l [username] [host sshd server name] #logs you into server as username. Used if you have different usernames on the two systems.
  • ls -al #list all of your files
  • ssh-keygen -t rsa #creates a key with an RSA cipher
  • cd .ssh #this will take you to your .ssh directory if you have one
  • ls -l #lists the files in your .ssh directory
  • copy your ~/.ssh/id_rsa.pub on the system that you made it on, to ~/.ssh/authorized_keys on the system that you want to automatically log into, you may have to use sftp to transfer this key to the other machine. If you were to put another key in here you would have to use cut and paste instead of just copying. Often we do cut and paste, if you do you MUST make sure that your key has no line feeds in it.
  • You should now be able to ssh into [hostname].csit.parkland.edu with no password required.