82.1 SSH Public Keys


The recommended secure approach for using ssh employs a public key. Use ssh-keygen to create a key (a sequence of bits or a string of random characters) that consists of a private and a public part. The private and public keys are stored as .ssh/id_rsa and .ssh/id_rsa.pub respectively. It is best to provide a passphrase to encrypt the file so that it can not be trivially compromised if the private key file is shared with or accessed by a system administrator. Store the passphrase in your password manager (see Section 79.1).

$ ssh-keygen

Generating public/private rsa key pair. 
Enter file in which to save the key (/home/kayon/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/kayon/.ssh/id_rsa. 
Your public key has been saved in /home/kayon/.ssh/id_rsa.pub. 
The key fingerprint is:
cc:50:d4:85:86:56:b8:8a:77:57:61:51:63:89:46:09 kayon@inex

A public key looks something like:

ssh-rsa AAAAE2VjZHNhLXNoY[...]D8Q= kayon@inex

The public key needs to be copied to a remote host, perhaps using ssh-copy-id if password access through ssh is enabled:

ssh-copy-id kayon@alpine.example.com

This will add the public key to the authorised keys file in /home/kayon/.ssh/authorized_keys on the remote host. Multiple keys can appear in the one file. Id the file ~/.ssh/authorized_keys is writable by anyone other than the user then ssh will exit without allowing a connection.

On a request for a connection, the remote host will use the public key to encrypt a message (a random number in fact) such that only with the private key can the message be decrypted. The message is sent back to the requesting (local) host and if it is properly decrypted and returned to the remote host for verification, the connection is allowed. A password is never used.

Some remote hosts disable password login through the configuration of the sshd sever. This will be a problem if the remote home directory is encrypted at rest. Typically the first login will need to use the password to login and decrypt the home directory. Any further logins will use the public key. This is what’s happening if you see the following in the remote host’s /var/log/auth.log:

Oct 10 20:46:29 raz sshd[2918950]: pam_ecryptfs: Passphrase file wrapped

The passphrase is optional but recommended. If supplied it will be used to unlock your private key whenever you need to use it. The command ssh-agent is useful for managing repeated requests for the passphrase.

There is also a choice of authentication algorithms to use. RSA is generally suggested today and is the default.

When you connect to the remote host using ssh your public key on that host will be used to send an encrypted message (a random number in fact) back to your local host. The local host decrypts the message using the private key stored only on the local host and decrypted using the passphrase (if any). The decrypted message is returned to the remote host for verification.

To reiterate, this method using public keys does not send passwords (or passphrases) over the network. A passphrase (if any) is used on the local host only to unlock the local private key.

Your donation will support ongoing availability and give you access to the PDF version of this book. Desktop Survival Guides include Data Science, GNU/Linux, and MLHub. Books available on Amazon include Data Mining with Rattle and Essentials of Data Science. Popular open source software includes rattle, wajig, and mlhub. Hosted by Togaware, a pioneer of free and open source software since 1984. Copyright © 1995-2022 Graham.Williams@togaware.com Creative Commons Attribution-ShareAlike 4.0