Posts Tagged “ssh-keygen”

SSH keys are the most effective way to securely shell into your server. In this article we are going to cover creating an SSH key pair. There are a plethora of articles on the net that cover this subject; I suggest reading two or three of them to help understand the process. Creating an SSH key pair is very easy in itself.

Instructions on creating SSH key pairs are fairly general, so I will explain how I configured the keys for a server.

1. Create the user account on the server, and create the same user on the remote system you want to SSH from.

2. On the remote system, switch to the user you just created:

# su - USERNAME

3. Create the SSH key pair. You can do this from any directory; unless you specify otherwise, the keys are written to the /home/USERNAME/.ssh directory. There are discussions on the differences between RSA keys and DSA keys. They are about the same when it comes to protection, but I like to use DSA keys. RSA is the default, so you have to specify DSA if you want to use it:

$ ssh-keygen -t dsa

You will get output such as the following. Some people choose not to set a passphrase. This lets you ssh into the server without typing a password, but if someone gets hold of your ssh key they can log in to your server unchallenged. I suggest setting one; you won't notice any difference from a regular password login.

[vinsane@8bitpipe ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/vinsane/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/vinsane/.ssh/id_dsa.
Your public key has been saved in /home/vinsane/.ssh/id_dsa.pub.
The key fingerprint is:
89:15:93:b8:e5:3e:6e:c8:55:8d:32:d9:8a:d8:87:20 vinsane@8bitpipe.com

4. Copy the public key (id_dsa.pub) to the server and save it as authorized_keys in the user's .ssh directory.

5. On the local machine, change the permissions of the private key to 600; it should be located in the /home/USERNAME/.ssh/ directory. I've found that if the user's home directory is not open for others to view, you do not have to do this; the system should tell you if the key is not secure.
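As an added example (not from the original post), here is a POSIX shell script that performs steps 4 and 5 in a checkable way: it appends the public key to authorized_keys only if that key is not already present, and then verifies that the .ssh directory, the private keys and authorized_keys carry the permissions the post recommends. The function names install_pubkey, check_ssh_perms and mode_of, and the optional directory argument, are my own.

```shell
#!/bin/sh
# Added example, not code from the original post. The directory argument
# defaults to ~/.ssh but can point at any directory, e.g. for testing.

# Print the octal permission bits of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Step 4, done without clobbering keys that are already installed:
# append the key in PUBKEY_FILE to SSH_DIR/authorized_keys unless that
# exact line is already there.   Usage: install_pubkey id_dsa.pub [SSH_DIR]
install_pubkey() {
    pubkey_file=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth=$ssh_dir/authorized_keys
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth" && chmod 600 "$auth"
    # -F fixed string, -x whole line, -q quiet: match the key verbatim
    if ! grep -qxF "$(cat "$pubkey_file")" "$auth"; then
        cat "$pubkey_file" >> "$auth"
    fi
}

# Step 5, as a check: the directory must be 700, and every file other than
# public halves (*.pub), known_hosts and config (i.e. private keys such as
# id_dsa and authorized_keys) must be 600. Returns 0 if all is well, 1 if not.
check_ssh_perms() {
    ssh_dir=${1:-$HOME/.ssh}
    rc=0
    [ "$(mode_of "$ssh_dir")" = 700 ] || { echo "BAD: $ssh_dir should be 700"; rc=1; }
    for f in "$ssh_dir"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            *.pub|known_hosts|config) continue ;;   # readable by others is fine
        esac
        m=$(mode_of "$f")
        if [ "$m" != 600 ]; then
            echo "BAD: $f is $m, should be 600"; rc=1
        fi
    done
    return $rc
}

# Typical use on the server after copying id_dsa.pub over:
#   install_pubkey ~/id_dsa.pub && check_ssh_perms
```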

And there you have it: a more secure login. You can also go into the server's sshd_config file and disable password logins, but then you will need to bring your key with you if you want to log in from other computers. I would suggest a small encrypted USB key used only for your ssh key. Keep it on your key chain in case you need to log in to your server when you are out and about and can't get back to your main system.
