SSH

From CDOT Wiki
Revision as of 00:39, 9 January 2011 by Chris Tyler (talk | contribs) (Public Key Cryptography)
Jump to: navigation, search

SSH is the Secure Shell tool, a powerful encrypted communication tool.

Using SSH with Public-Key Authentication

Although SSH can be used with passwords, a sysadmin may need to use ssh hundreds of times a day, and typing passwords that often can become tedious. SSH therefore permits authentication using public and private keys.

Public Key Cryptography

In a nutshell, public key cryptography works like this:

  1. A large random number is generated.
  2. That number is used to derive two mathematically-related but different keys. Each key is also a large number.
  3. Data can be encrypted by processing one of the keys and the data to be encrypted using an encryption algorithm. Once encrypted, the data appears to be a meaningless stream of numbers.
  4. The encrypted data cannot be decrypted using the original key, yielding the original data. However, it can be decrypted using the other key, and vice-versa.

To use public key cryptography:

  1. One key is designated as the "public key" and one is designated as the "private key".
    • The public key is distributed to all of the parties with whom you will be communicating.
    • The private key is never shared with anyone.
  2. Messages encrypted with your private key can only be decrypted with your public key, proving that the message came from you (authentication)
  3. Messages encrypted with your public key can only be decrypted with your private key, ensuring that only you can read them (privacy).
  4. To both ensure privacy and authentication on messages between you and another party, encrypt the message twice: once with your private key and once with their public key.

Practical considerations:

  1. The algorithms used in public-key cryptography are very slow. Therefore, it's common to use public key cryptography to exchange a key for a faster, symmetrical cypher, and then use that cypher for the actual data stream.
  2. Signing a message means authenticating it by taking a checksum (hash) of the message and encrypting that. This is faster than encrypting the entire message.
  3. Public key cryptography is very susceptible to the manipulation of public keys by an attacker interposed between the two parties at the time that the public keys are shared.
  4. Public key cryptography is susceptible to theft of the private key. The private key is therefore often protected with a passphrase.

Using Public Keys with SSH

Creating a Public/Private Key Pair

  1. Enter this command: ssh-keygen
    • Answer the questions asked by ssh-keygen. Use default values for most questions. The use of a passphrase is recommended.
    • ssh-keygen will produce two files:
      • ~/.ssh/id_rsa - your private key
      • ~/.ssh/id_rsa.pub - your public key

Sending the Public Key to a Remote System Administrator

  1. Mail (or otherwise send) the ~/.ssh/id_rsa.pub file to the remote system administrator.

Setting up Public Key Authentication on Two Machines

Manually:

  1. Copy the public key to the remote system you wish to access.
  2. Create the ~/.ssh directory if it does not exist.
    • Set the permission on ~/.ssh to 0700
  3. Append the public key to the file ~/authorized_keys
    • Set the permission on ~/authorized_keys to 0600

Automatically:

  1. Run the command: ssh-copy-id user@host