SSH
Revision as of 00:38, 9 January 2011 by Chris Tyler (talk | contribs) (→Sending the Public Key to a Remote System Administrator)
SSH is the Secure Shell tool, a powerful encrypted communication tool.
Using SSH with Public-Key Authentication
Although SSH can be used with passwords, a sysadmin may need to use ssh hundreds of times a day, and typing passwords that often can become tedious. SSH therefore permits authentication using public and private keys.
Public Key Cryptography
In a nutshell, public key cryptography works like this:
- A large random number is generated.
- That number is used to derive two mathematically-related but different keys. Each key is also a large number.
- Data can be encrypted by processing one of the keys and the data to be encrypted using an encryption algorithm. Once encrypted, the data appears to be a meaningless stream of numbers.
- The encrypted data cannot be decrypted using the original key, yielding the original data. However, it can be decrypted using the other, related key, and vice-versa.
To use public key cryptography:
- One key is designated as the "public key" and one is designated as the "private key".
- The public key is distributed to all of the parties with whom you will be communicating.
- The private key is never shared with anyone.
- Messages encrypted with your private key can only be decrypted with your public key, proving that the message came from you (authentication)
- Messages encrypted with your public key can only be decrypted with your private key, ensuring that only you can read them (privacy).
- To both ensure privacy and authentication on messages between you and another party, encrypt the message twice: once with your private key and once with their public key.
Practical considerations:
- The algorithms used in public-key cryptography are very slow. Therefore, it's common to use public key cryptography to exchange a key for a faster, symmetrical cypher, and then use that cypher for the actual data stream.
- Signing a message means authenticating it by taking a checksum (hash) of the message and encrypting that. This is faster than encrypting the entire message.
- Public key cryptography is very susceptible to the manipulation of public keys by an attacker interposed between the two parties at the time that the public keys are shared.
- Public key cryptography is susceptible to theft of the private key. The private key is therefore often protected with a passphrase.
Using Public Keys with SSH
Creating a Public/Private Key Pair
- Enter this command:
ssh-keygen
- Answer the questions asked by ssh-keygen. Use default values for most questions. The use of a passphrase is recommended.
- ssh-keygen will produce two files:
-
~/.ssh/id_rsa
- your private key -
~/.ssh/id_rsa.pub
- your public key
-
Sending the Public Key to a Remote System Administrator
- Mail (or otherwise send) the
~/.ssh/id_rsa.pub
file to the remote system administrator.
Setting up Public Key Authentication on Two Machines
Manually:
- Copy the public key to the remote system you wish to access.
- Create the
~/.ssh
directory if it does not exist.- Set the permission on
~/.ssh
to 0700
- Set the permission on
- Append the public key to the file
~/authorized_keys
- Set the permission on
~/authorized_keys
to 0600
- Set the permission on
Automatically:
- Run the command:
ssh-copy-id user@host