{"id":132,"date":"2017-11-11T18:14:27","date_gmt":"2017-11-11T17:14:27","guid":{"rendered":"https:\/\/www.soft-toolware.net\/?p=132"},"modified":"2021-01-13T22:21:22","modified_gmt":"2021-01-13T21:21:22","slug":"ssh-public-key-authentication","status":"publish","type":"post","link":"https:\/\/www.soft-toolware.net\/?p=132","title":{"rendered":"ssh Public Key Authentication using ssh-keygen"},"content":{"rendered":"<div class=\"WordSection1\">\n<h6 class=\"MsoNormal\"><span lang=\"EN\" style=\"font-size: 13.5pt; line-height: 115%; font-family: 'Arial','sans-serif'; color: black;\">This post is based on different articles from <a href=\"https:\/\/www.ssh.com\">www.ssh.com<\/a>.<\/span><\/h6>\n<p class=\"MsoNormal\"><span lang=\"EN\" style=\"font-size: 13.5pt; line-height: 115%; font-family: 'Arial','sans-serif'; color: black;\">The motivation for using public key authentication for SSH login over simple passwords is security. Public key authentication provides cryptographic strength that even extremely long passwords cannot.<\/span><\/p>\n<h5>SSH Keys and Public Key Authentication<\/h5>\n<p>The SSH protocol uses public key cryptography for authenticating hosts and users. The authentication keys, called SSH keys, are created using the <em>keygen<\/em> program. SSH introduced public key authentication as a more secure alternative to the older <em>.rhosts<\/em> authentication. It improved security by avoiding the need to have passwords stored in files, and eliminated the possibility of a compromised server stealing the user&#8217;s password.<\/p>\n<p>However, SSH keys are authentication credentials just like passwords. Thus, they must be managed somewhat analogously to user names and passwords. They should have a proper termination process so that keys are removed when no longer needed.<\/p>\n<h5>Key Pair &#8211; Public and Private<\/h5>\n<p>In the SSH public key authentication use case, it is rather typical that the users create (i.e. 
provision) the key pair for themselves. SSH implementations include easily usable utilities for this (for more information see ssh-keygen and ssh-copy-id).<\/p>\n<p>Each SSH key pair includes two keys:<\/p>\n<ul>\n<li>A public key that is copied to the SSH server(s). Anyone with a copy of the public key can encrypt data which can then only be read by the person who holds the corresponding private key. Once an SSH server receives a public key from a user and considers the key trustworthy, the server marks the key as authorized in its authorized_keys file. Such keys are called authorized keys.<\/li>\n<li>A private key that remains (only) with the user. The possession of this key is proof of the user&#8217;s identity. Only a user in possession of a private key that corresponds to the public key at the server will be able to authenticate successfully. <strong><u>The private keys need to be stored and handled carefully, and no copies of the private key should be distributed.<\/u><\/strong> The private keys used for user authentication are called identity keys.<\/li>\n<\/ul>\n<h5><span lang=\"EN\">What Is ssh-keygen?<\/span><\/h5>\n<p class=\"MsoNormal\"><span lang=\"EN\">This document is about the OpenSSH version of `ssh-keygen`. If you wish to generate keys for PuTTY, see PuTTYgen on Windows or PuTTYgen on Linux. ssh-keygen is a tool for creating new authentication key pairs for SSH. Such key pairs are used for automating logins, single sign-on, and for authenticating hosts.<\/span><\/p>\n<h5><span lang=\"EN\">Creating an SSH Key Pair for User Authentication<\/span><\/h5>\n<p class=\"MsoNormal\" style=\"line-height: 150%;\"><span lang=\"EN\">The simplest way to generate a key pair is to run <i>ssh-keygen<\/i> without arguments. In this case, it will prompt for the file in which to store keys. 
Here&#8217;s an example:<\/span><\/p>\n<div style=\"border: solid #DDDDDD 1.5pt; padding: 11.0pt 11.0pt 11.0pt 11.0pt; background: black;\">\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">box01:~$ ssh-keygen<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">Generating public\/private rsa key pair.<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">Enter file in which to save the key (\/home\/userfoo\/.ssh\/id_rsa): <\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">Enter passphrase (empty for no passphrase): <\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">Enter same passphrase again: <\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">Your identification has been saved in 
\/home\/userfoo\/.ssh\/id_rsa.<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">Your public key has been saved in \/home\/userfoo\/.ssh\/id_rsa.pub.<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">The key fingerprint is:<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">SHA256:Up6KjbnEV4HgdljsaljdsalM393QdQsK3Z0aTNBz0DoirrW+c userfoo@box01<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">The key&#8217;s randomart image is:<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">+&#8212;[RSA 2048]&#8212;-+<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">|\u00a0\u00a0\u00a0 .\u00a0\u00a0\u00a0\u00a0\u00a0 ..oo..|<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; 
line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">|\u00a0\u00a0 . . .\u00a0 . .o.X.|<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">|\u00a0\u00a0\u00a0 . . o.\u00a0 ..+ B|<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">|\u00a0\u00a0\u00a0 @.B&#8230;\u00a0\u00a0\u00a0\u00a0 . |<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">|\u00a0\u00a0 o.=. o. . .\u00a0 .|<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">|\u00a0\u00a0\u00a0 .oo\u00a0 E. . .. 
|<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">+&#8212;-[SHA256]&#8212;&#8211;+<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">box01:~$<\/span><\/p>\n<\/div>\n<p class=\"MsoNormal\" style=\"line-height: 150%;\"><span lang=\"EN\">First, the tool asked where to save the file. SSH keys for user authentication are usually stored in the user&#8217;s .ssh directory under the home directory. However, in enterprise environments, the location is often different. The default key file name depends on the algorithm, in this case <i>id_rsa<\/i> when using the default RSA algorithm. It could also be, for example, <i>id_dsa<\/i> or <i>id_ecdsa.<\/i><\/span><\/p>\n<p class=\"MsoNormal\" style=\"line-height: 150%;\"><span lang=\"EN\">Then it asks to enter a <\/span><span lang=\"EN\" style=\"color: windowtext; text-decoration: none;\">passphrase<\/span><span lang=\"EN\">. The passphrase is used for encrypting the key, so that it cannot be used even if someone obtains the private key file. The passphrase should be cryptographically strong. <\/span><\/p>\n<p class=\"MsoNormal\" style=\"line-height: 150%;\"><span lang=\"EN\">SSH supports several public key algorithms for authentication keys. These include:<\/span><\/p>\n<ul>\n<li><b><span lang=\"EN\">rsa<\/span><\/b><span lang=\"EN\"> &#8211; an old algorithm based on the difficulty of factoring large numbers. A key size of at least 2048 bits is recommended for RSA; 4096 bits is better. RSA is getting old and significant advances are being made in factoring. 
Choosing a different algorithm may be advisable. It is quite possible the RSA algorithm will become practically breakable in the foreseeable future. All SSH clients support this algorithm.<\/span><\/li>\n<li><b><span lang=\"EN\">dsa<\/span><\/b><span lang=\"EN\"> &#8211; an old US government Digital Signature Algorithm. DSA in its original form is no longer recommended.<\/span><\/li>\n<li><b><span lang=\"EN\">ecdsa<\/span><\/b><span lang=\"EN\"> &#8211; a new Digital Signature Algorithm standardized by the US government, using elliptic curves. Most SSH clients now support this algorithm.<\/span><\/li>\n<li><b><span lang=\"EN\" style=\"color: windowtext;\">ed25519<\/span><\/b><span lang=\"EN\" style=\"color: windowtext;\"> &#8211; this is a new algorithm added in OpenSSH. Support for it in clients is not yet universal. Thus its use in general purpose applications may not yet be advisable.<\/span><\/li>\n<\/ul>\n<p class=\"MsoNormal\" style=\"line-height: 150%;\"><span lang=\"EN\">The algorithm is selected using the -t option and the key size using the -b option. 
The following commands illustrate:<\/span><\/p>\n<div style=\"border: solid #DDDDDD 1.5pt; padding: 11.0pt 11.0pt 11.0pt 11.0pt; background: black;\">\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">ssh-keygen -t rsa -b 4096<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">ssh-keygen -t dsa<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">ssh-keygen -t ecdsa -b 521<\/span><\/p>\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">ssh-keygen -t ed25519<\/span><\/p>\n<\/div>\n<p class=\"MsoNormal\" style=\"line-height: 150%;\"><span lang=\"EN\">Normally, the tool prompts for the file in which to store the key. 
However, it can also be specified on the command line using the -f &lt;filename&gt; option.<\/span><\/p>\n<div style=\"border: solid #DDDDDD 1.5pt; padding: 11.0pt 11.0pt 11.0pt 11.0pt; background: black;\">\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">ssh-keygen -f ~\/mykey-key-ecdsa -t ecdsa -b 521<\/span><\/p>\n<\/div>\n<h5><span lang=\"EN\">Copying the Public Key to the Server<\/span><\/h5>\n<p class=\"MsoNormal\" style=\"line-height: 150%;\"><span lang=\"EN\">To use public key authentication, the public key must be copied to a server and installed in an <i>authorized_keys<\/i> file. This can be conveniently done using the <i>ssh-copy-id<\/i> tool. Like this:<\/span><\/p>\n<div style=\"border: solid #DDDDDD 1.5pt; padding: 11.0pt 11.0pt 11.0pt 11.0pt; background: black;\">\n<p class=\"MsoNormal\" style=\"margin-bottom: .0001pt; line-height: 150%; background: black; word-break: break-all; border: none; padding: 0cm;\"><span lang=\"EN\" style=\"font-size: 10.0pt; line-height: 150%; font-family: 'Courier New'; color: lime;\">ssh-copy-id -i ~\/.ssh\/id_rsa.pub user@host<\/span><\/p>\n<\/div>\n<p class=\"MsoNormal\" style=\"line-height: 150%;\"><span lang=\"EN\">Once the public key has been configured on the server, the server will allow any connecting user that has the private key to log in. During the login process, the client proves possession of the private key by digitally signing the key exchange.<\/span><\/p>\n<h5><span lang=\"EN\">Location of the Authorized Keys File<\/span><\/h5>\n<p class=\"MsoNormal\" style=\"line-height: 150%;\"><span lang=\"EN\">With OpenSSH, the authorized keys are by default configured in\u00a0 <i>.ssh\/authorized_keys<\/i> in the user&#8217;s home directory. 
The AuthorizedKeysFile configuration option in <i>\/etc\/ssh\/sshd_config<\/i> specifies where the SSH server looks for authorized keys. The option may contain more than one location, separated by spaces. %% is replaced by a literal %, %h by the home directory of the user being authenticated, and %u by the login name of the user. For example, <i>\/var\/ssh\/%u\/ak<\/i> would cause the SSH server to look for authorized keys for the user james in <i>\/var\/ssh\/james\/ak<\/i>.<\/span><\/p>\n<h5><span lang=\"EN\">Format of the Authorized Keys File<\/span><\/h5>\n<p class=\"MsoNormal\" style=\"line-height: 150%;\"><span lang=\"EN\">In OpenSSH, a user&#8217;s authorized keys file lists keys that are authorized for authenticating as that user, one per line. Lines starting with # and empty lines are ignored.<\/span><\/p>\n<p class=\"MsoNormal\" style=\"line-height: 150%;\"><span lang=\"EN\">Each line contains a public SSH key. The public key may be preceded by options that control what can be done with the key. For all supported options, see the man pages.<\/span><\/p>\n<h5><span lang=\"EN-US\">How To Use PuTTY with an SSH Private Key Generated by OpenSSH<\/span><\/h5>\n<p class=\"MsoNormal\" style=\"line-height: 145%; background: white;\"><span lang=\"EN\">PuTTY cannot use key files generated by ssh-keygen. If you try to use such a file you will get the following error:<\/span><\/p>\n<p class=\"MsoNormal\" style=\"text-indent: 35.4pt;\"><span lang=\"EN\">Unable to use key file &#8220;C:\\Keys\\id_rsa&#8221; (OpenSSH SSH-2 private key)<\/span><\/p>\n<p class=\"MsoNormal\" style=\"line-height: 145%; background: white;\"><b><span lang=\"EN\">You have to convert ssh-keygen generated keys to a PuTTY-readable format.<\/span><\/b><\/p>\n<p class=\"MsoNormal\" style=\"line-height: 145%; background: white;\"><span lang=\"EN\">For this conversion you can use the PuTTY Key Generator (puttygen). 
Start puttygen, click on <i>Conversions-&gt;Import key<\/i>, then click Browse and select the private key generated with OpenSSH (e.g. id_rsa).<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-137\" src=\"https:\/\/www.soft-toolware.net\/wp-content\/uploads\/2017\/11\/PuttyGen01.jpg\" alt=\"\" width=\"281\" height=\"252\" \/><\/p>\n<p class=\"MsoNormal\" style=\"line-height: 145%; background: white;\"><span lang=\"EN\">Then simply save the converted private key under a meaningful new name (e.g. id_rsa_putty.ppk). Now you can start PuTTY, enter the machine IP address as usual and then go to <i>Connection-&gt;SSH-&gt;Auth<\/i>.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-138\" src=\"https:\/\/www.soft-toolware.net\/wp-content\/uploads\/2017\/11\/PuttyGen02.jpg\" alt=\"\" width=\"355\" height=\"317\" srcset=\"https:\/\/www.soft-toolware.net\/wp-content\/uploads\/2017\/11\/PuttyGen02.jpg 355w, https:\/\/www.soft-toolware.net\/wp-content\/uploads\/2017\/11\/PuttyGen02-300x268.jpg 300w\" sizes=\"auto, (max-width: 355px) 85vw, 355px\" \/><\/p>\n<p class=\"MsoNormal\" style=\"line-height: 145%; background: white;\"><span lang=\"EN\">Click <i>Browse<\/i>, select the private key file you just created (e.g. id_rsa_putty.ppk), go back to Session and save the session.<\/span><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>This post is based on different articles from www.ssh.com. The motivation for using public key authentication for SSH login over simple passwords is security. Public key authentication provides cryptographic strength that even extremely long passwords cannot. SSH Keys and Public Key Authentication The SSH protocol uses public key cryptography for authenticating hosts and users. 
The authentication &hellip; <a href=\"https:\/\/www.soft-toolware.net\/?p=132\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;ssh Public Key Authentication using ssh-keygen&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[8,9,7],"class_list":["post-132","post","type-post","status-publish","format-standard","hentry","category-tips-and-tricks","tag-linux","tag-putty","tag-ssh"],"_links":{"self":[{"href":"https:\/\/www.soft-toolware.net\/index.php?rest_route=\/wp\/v2\/posts\/132","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.soft-toolware.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.soft-toolware.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.soft-toolware.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.soft-toolware.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=132"}],"version-history":[{"count":12,"href":"https:\/\/www.soft-toolware.net\/index.php?rest_route=\/wp\/v2\/posts\/132\/revisions"}],"predecessor-version":[{"id":230,"href":"https:\/\/www.soft-toolware.net\/index.php?rest_route=\/wp\/v2\/posts\/132\/revisions\/230"}],"wp:attachment":[{"href":"https:\/\/www.soft-toolware.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=132"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.soft-toolware.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=132"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.soft-toolware.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=132"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}