Posted: September 24, 2020 | | by Tyler Carrigan (Editorial Team, Red Hat)
If you have ever worked as a sysadmin (or you want to in the future), you need a good grasp of SSH. I will not run you through the general concept as it has already been hashed out here at Enable Sysadmin. However, I do want to look at a potentially better way to use it. SSH is the single most used remote access protocol in the world. Therefore, it makes sense that we should try to improve its use as much as possible.
I used SSH to remotely connect to thousands of customer machines during my time as a support engineer, and I am sure that others have had a similar experience. With traditional SSH authentication, you need the username and password for the account you want to log in to every time that you wish to access a system. Doesn't sound that bad, right? But, what happens when you need to jump back and forth between systems regularly? Or what if your responsibilities include remote sessions to the same 100 systems throughout the day for health checks? There is another way to accomplish the log in, and with a little upfront investment, it can be far more efficient overall.
Process hardening
It is objectively true that an encrypted key is a much harder target than a username and password for those with ill intentions. Although it can take a little learning, creating and using SSH key-based authentication is worth the investment for every sysadmin.
Here is how it works. You generate a public key and a matching private key. The private key file acts as a password and should be kept safe. However, the public key is copied to the target systems that you connect to regularly. You place the public key in your account home directory on the target server. When you try to log in, the keys are verified, and access is granted.
Now, there are two ways that you can do this. One is more convenient, and the other is a bit tedious but with added protection to you. The convenient way is not to specify a password along with the private key. The result is that you do not have to enter a password when you use your private key for authentication. This means that if someone gets their hands on your private key, they can use it to authenticate, as well. The other method is to password-protect your private key so that you are prompted for the password when authenticating (think two-factor authentication using both the private key and the password).
ssh-keygen without a password
To generate an SSH key pair, use the following command:
[user@host ~]$ ssh-keygenGenerating public/private rsa key pair.Enter file in which to save the key (/home/user/.ssh/id_rsa): EnterCreated directory '/home/user/.ssh'.Enter passphrase (empty for no passphrase): EnterEnter same passphrase again: EnterYour identification has been saved in /home/user/.ssh/id_rsa.Your public key has been saved in /home/user/.ssh/id_rsa.pub.The key fingerprint is:SHA256:veutUNPio3QDCyvkYm1oIx35hmMrHpPKWFdIYu3HV+w user@host.lab.example.comThe key's randomart image is:+---[RSA 2048]----+| || . . || o o o || . = o o . || o + = S E . || ..O o + * + ||.+% O . + B . ||=*oO . . + * ||++. . +. |+----[SHA256]-----+
By default, your private and public keys are saved in your ~/.ssh/id_rsa
and ~/.ssh/id_rsa.pub
files, respectively.
ssh-keygen with a password
Creating a password-protected key looks something like this:
[user@host ~]$ ssh-keygen -f .ssh/key-with-passwordGenerating public/private rsa key pair.Enter passphrase (empty for no passphrase):Enter same passphrase again:Your identification has been saved in .ssh/key-with-password.Your public key has been saved in .ssh/key-with-password.pub.The key fingerprint is:SHA256:s7GGB7EyHUry4aOcNPKmhNKS7dl1YsMVLvFZJ77VxAo user@host.lab.example.comThe key's randomart image is:+---[RSA 2048]----+| . + =.o ... || = B XEo o. || . o O X =.... || = = = B = o. ||= + * * S . ||.+ = o + . || + . || || |+----[SHA256]-----+
Use the -f
option to specify the file where the keys will be saved. In the example above, the private and public keys are stored in the /home/user/.ssh/key-with-pass
and /home/user/.ssh/key-with-pass.pub
files, respectively.
Warning
During further SSH key pair generation, if you do not specify a unique file name, you are prompted for permission to overwrite the existing
id_rsa
andid_rsa.pub
files. If you overwrite the existingid_rsa
andid_rsa.pub
files, you must then replace the old public key with the new one on ALL of the SSH servers that have your old public key.
Once you have generated the keys, they are stored in the /user/home/.ssh/
directory with the following permissions:
- Private key - 600
- Public key - 644
You aren't done yet. Let's look at the final step in successful SSH key-based authentication.
Sharing keys
For all of this to work, you need to share your public key with the remote machines you are trying to SSH to. Use the ssh-copy-id
command to copy your public key over to the destination system. By default, the file path is /home/user/.ssh/id_rsa.pub
. You issue the command, specify the file you are sharing, then the user/host we are sharing it with. It should look like this:
[user@host ~] $ ssh-copy-id -i .ssh/key-with-pass.pub user@destination/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/user/.ssh/id_rsa.pub"/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keysuser@destination password: changemeNumber of key(s) added: 1
Now that you have shared the public key with the destination host, you can authenticate to the remote server by passing the matching private key. If you specified a file path for your private key, you need to give it here. Otherwise, it defaults to /home/_user_/.ssh/id_rsa
.
Seen here:
[user@host ~]$ ssh -i .ssh/key-with-password user@desinationEnter passphrase for key '.ssh/key-with-password' : password here if you set one[user@destination ~] $
Advantages and summary
The advantages of using SSH key-based authentication are clear. Passwords are stolen every day, mainly due to human error but also due to attacker skill and determination. An encrypted key, and more specifically, a password-protected encrypted key, makes your SSH authentication even more difficult to attack. You still need to strike a balance of availability and security, but that is handled differently in every environment.
[ Free online course: Red Hat Enterprise Linux technical overview. ]
Topics: Linux Security
As a seasoned professional with extensive experience in IT support and system administration, particularly in the realm of remote access and security, I can attest to the critical role SSH plays in everyday operations. My background includes a tenure as a support engineer, during which I remotely connected to numerous customer machines. This hands-on experience has afforded me insights into the challenges faced by sysadmins and the importance of optimizing tools like SSH for efficient and secure remote access.
The article by Tyler Carrigan emphasizes the significance of SSH in the context of system administration and introduces a potentially superior method of utilizing it. I wholeheartedly agree with the author's assertion that SSH is the most widely used remote access protocol globally. However, I want to delve deeper into the concept of SSH key-based authentication, a topic I am well-versed in.
SSH key-based authentication involves the generation of a public-private key pair, where the private key serves as a secure form of authentication. This method offers a notable improvement over traditional username-password authentication. Drawing from my expertise, I concur with the author's claim that an encrypted key is a more resilient target than a username and password.
The process of SSH key generation is detailed in the article, and I'd like to highlight its two variations: one without a password and the other with password protection. Generating a key without a password provides convenience, eliminating the need to enter a password during authentication. On the other hand, password-protecting the private key enhances security, akin to a two-factor authentication mechanism.
I endorse the warning provided in the article regarding SSH key pair generation. Failing to specify a unique file name may lead to overwriting existing key files, necessitating the replacement of old public keys on all SSH servers that possess the outdated key.
The article underscores the importance of sharing public keys with remote machines for SSH key-based authentication to work. I fully support the use of the ssh-copy-id
command, a practical approach to copying public keys to destination systems. This aligns with my own practices in securely configuring SSH access for remote servers.
In conclusion, the advantages of SSH key-based authentication are evident and align with best practices in enhancing security. The article appropriately emphasizes the balance between availability and security, recognizing that each environment may necessitate a tailored approach. My extensive expertise reinforces the value of SSH key-based authentication as a fundamental aspect of secure and efficient remote system administration.