SSH Keys

• About SSH keys
• Creating SSH keys
  • Generating other types of keys
  • Other options
• Adding keys to a server
• Using SSH keys

NOTE: if you’re using windows, you likely need to use git-bash or wsl for most of these commands to work.

About SSH keys

SSH keys are credentials used with SSH. SSH uses a pair of keys to unitiate a secure handshake between remote parties.

There are two types of keys:

• public

• private

The public key is given out to remote parties which is then used to encrypt data. This data can then only be opened and understood with the use of the private key.

The private key should never be shared with anyone.

Creating SSH keys

You can generate SSH keys using the ssh-keygen command.

An example of creating a default (rsa) key:

$ ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/home/minno/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/minno/.ssh/id_rsa
Your public key has been saved in /home/minno/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:VO41k1QLdaoPnmUxv8u2omWeD1eVjrbiMJ3k2yBlAEE minno@shondOS
The key's randomart image is:
+---[RSA 3072]----+
|      .E. . ooo .|
|        .o . o +.|
|        ... = =..|
|       . ... +o+.|
|        S .+ooo.o|
|          *.o*. o|
|         + *o=.o |
|          = O.=..|
|           +.++=.|
+----[SHA256]-----+

This will create a public key ~/.ssh/id_rsa.pub and a private key ~/.ssh/id_rsa (unless you specify another path).

NOTE: if the paths to the public and private key already exist, they will be deleted.

Do not share the private key with anyone. It is recommended you put a passphrase on the key, this will prevent the use of the private key unless the passphrase is also known.

Your public key will look something like:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw0qTs5TjtY8OII8BRUJ9CktahS57TYV9TsqEJmMhjvW2FAvweHQdFkmYylwOL6npTWzASKvUPtjcxzqbfPRPAINB9FpuxrcnvYwKZ2pf9XKGjUt0T2TLGeJy+yTOvldrEw3zPaZ/qIJpiX9ZXG4wdqevZXBoKuiiuIi7iysxJD9SJR6WX4lgw7S9AGjawDILjuTze/nELN84jKG95ZC3pV6RhEiWoxs5Tk+4pF2Be+QTOdF4ivBnMo55SYQwEvkgJQuX671QRE57yftCjcOf/PtJ4N4rInuOPKTnNvrjcLacXeGYEhQjT7tvDHYikbHCG9kS/LT0siyyuD4XJJ/P6A/sKeO9mo8+dVhqm78y39lwPmphbO81Om/YU40nTAUyTpj8G/IwtRaayUQSk1UBtdrhG7exnd26+sfgjerPGWl1mb8txpBES3flbVcEHiJcRPJ6CEqurIDnuVhBnELBNBHo4zbB53QMa1fPGlzbBZatZQ49EETS2I+SCtFtxalU= minno@shondOS

Generating other types of keys

You can use the -t argument to specify the type of key to create.

The available options are:

• rsa
• ecdsa
• ecdsa-sk
• ed25519
• ed25519-sk

Different types of keys have different advantages. A popular choice and my preference is ed25519. It is considered faster and a better choice than default rsa keys. If you don’t have legacy concerns this is recommended.

Example:

$ ssh-keygen -t ed25519

Other options

You can use -C to put a comment on the key, this will help you identify where and what the key is used for.

Adding keys to a server

To make use of SSH keys, you must first give your public key to the server you are trying to authenticate with. There are 2 methods of adding keys to a server.

The easiest way is to use the ssh-copy-id command:

$ ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.105.2.26

You will then be prompted to enter the password for the server and your key will be added to the list of authorized keys.

The alternative method to using ssh-copy-id is by manually adding the public key to the server’s authorized_keys file. This is usually located in ~/.ssh/authorized_keys.

Just cat out the public key, and paste the contents on a new line in the file to add your key. You can also remove other keys from this file to unauthorize them.

The file should have 1 key per line, and looks something like:

$ cat authorized_keys

ssh-ed25519 AAAAC3NzaC1lZDIlNTE5AAAAIJpnjYPeBwpptVU48oMqdYNr1NZUXUzRN4dDTzYNr1N ubuntu
ssh-ed25519 AABBC5NzaC1lZDIOlNTE5AAbaIJpnjYPeBwMqdZUXUtVU48ozRN4dD5YxwKC9Tz5Yxw somename
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCw0qTs5TjtY8OII8BRUJ9CktahS57TYV9TsqEJmMhjvW2FAvweHQdFkmYylwOL6npTWzASKvUPtjcxzqbfPRPAINB9FpuxrcnvYwKZ2pf9XKGjUt0T2TLGeJy+yTOvldrEw3zPaZ/qIJpiX9ZXG4wdqevZXBoKuiiuIi7iysxJD9SJR6WX4lgw7S9AGjawDILjuTze/nELN84jKG95ZC3pV6RhEiWoxs5Tk+4pF2Be+QTOdF4ivBnMo55SYQwEvkgJQuX671QRE57yftCjcOf/PtJ4N4rInuOPKTnNvrjcLacXeGYEhQjT7tvDHYikbHCG9kS/LT0siyyuD4XJJ/P6A/sKeO9mo8+dVhqm78y39lwPmphbO81Om/YU40nTAUyTpj8G/IwtRaayUQSk1UBtdrhG7exnd26+sfgjerPGWl1mb8txpBES3flbVcEHiJcRPJ6CEqurIDnuVhBnELBNBHo4zbB53QMa1fPGlzbBZatZQ49EETS2I+SCtFtxalU= minno@shondOS

Using SSH keys

When connecting to the server, you just need to specify the private key:

$ ssh -i ~/.ssh/id_rsa root@172.105.2.26

And you will be signed in automatically.

More information about using SSH can be found in the SSH Client post.