Transcript
  • Servers and Tools

SSH Keys

From the class:  SSH

So far we've been using a password to authenticate ourselves to the remote server, but there's another thing we can use, which is a public key.

Keys are really useful, because they allow us to log in without using a password. It's a lot more secure. We can turn off password authentication completely on the remote server, which prevents other people from trying to log in by brute force attacking with different passwords. So using keys is really the way to go.

So what I'm going to do is exit out of here, and let's start off by creating our first key. We're going to use a protocol called RSA for creating a public key pair, and then use that to log in.

The first thing you need to do, if you're on a Mac, is to check out what's inside of the home directory .ssh folder. If you're just starting from scratch, it should be pretty much empty, except for maybe this known_hosts file, but if you have any keys in there, particularly, if you have an id_rsa, an id_rsa.pub file-- if you have these two files-- you can use them directly. But since they don't exist yet in my folder, I'm going to go ahead and create these from scratch.

So to do that, I can use a special program, it's called ssh-keygen, and I need to provide it one option, which is the type of key pair I want to create, and I'm going to use the RSA algorithm-- the RSA protocol to do that.

Then it'll ask me where I want to save the file, and notice, by default, it's going to put it into the .ssh folder, and it's going to call the file id_rsa. So this will be kind of like my standard key that I can use for any number of services. It could be for GitHub, for example, or some other service, but I'm going to use it, also, to log into this remote machine.

So I'll just accept these defaults by pressing Enter, and then it'll ask me if I want to protect the file with a passphrase. You probably do want to add a passphrase here, in case somebody takes your laptop, but I'm just going to press Enter, and when that is all said and done, if we look inside of the .ssh folder, notice we have two new files now-- id_rsa and id_rsa.pub.

Now, pub stands for public, and in a public key encryption system, this public key can be distributed anywhere. It can be public to the world-- anybody can see it-- but this one here is private, so we want to keep that on our local machine, and we want to keep it hidden from any other people. And you want to make sure that only the user that's supposed to use this file has read and write privileges, and notice that everybody else does not.

Next up, what we need to do is to take this public key, and we need to upload it to the server, and we're going to store it into a special file called authorized_keys, which is going to be in the .ssh folder of the user, so in this case, it's going to be cmather. And in that home folder, in .ssh authorized_keys, we're going to put the contents of this file.

Now, the program that's running on the server-- the SSH server-- is going to know to look in this file, and when we try to authenticate with our key from our Macintosh, it'll work so long as this public key is in this file.

So let's go ahead and get it up to the server using the techniques that we learned in the last video. What I'll do is, we can cat-- actually, what I'll do is use ssh directly. So this time around, we're going to use password authentication, so I'll log in as cmather at the normal address, and then the command that I'm going to run is to cat.

Let's first make the directory. We want to make sure that the .ssh folder exists, and then we're going to cat standard input out to-- we can even append it, just in case the foot file already exists-- .ssh authorized_keys, and then we're going to send into that the file id_rsa.pub. Remember to send up the public file, not the private one.

OK. So now we should have our authorized key file, and let's just log in and make sure that that's true.

Now, notice this time, right away, I don't actually get asked for a password, and that's because, by default, SSH is going to try to use this id_rsa key to get in, and it found one, and so it's not asking me for a password at all. So it looks like this worked properly, and let's just go into the .ssh folder. Let's make sure that it exists, first of all. And if we change into it, we should see that we have this authorized key file, and if I cat it out to standard output, notice that it now has the contents of my public key that we created earlier. So we were successfully able to upload our public key to the server and store it in authorized_keys.

Now, you'll need to do this-- you'll need to create an authorized key file-- for each user, and notice that the authorized key file is in the cmather home folder. So that is where we put this, and it's for each individual user. So this is a lot more convenient than what we were doing before with passwords.

Now, if you're unable to do this directly, if the id_rsa file, for example, is named something different, or for whatever reason ssh can't find it, you can provide another option, which is the i option, and then provide a path to the identity file. So in this case, it would be in the home directory, with tilde .ssh id_rsa dot-- well, no, it's the private one we'll use here. So we're going to use the private one, and when I press Enter, that'll explicitly tell SSH to use this key in order to log in.

One last small detail, this private key here that we're using in the identity option is not sent up to the server, so this is not going to cross over the wire, it's just used locally, and only the public key gets sent up to the server, and the public key can be open to the world. You could even email it to someone if you wanted to-- no big deal-- but the private key stays local.

So hopefully this shows you that keys are a lot easier to work with than entering in passwords, but they're are also a lot more secure, so just about everyone is going to be using keys with SSH. Hopefully this will give you a better sense of how to create them and use them yourself.