Difference between revisions of "Ssh keys"
| Line 3: | Line 3: | ||
== Why should I use it?== | == Why should I use it?== | ||
When you connect to a server, authenticating via a password there are two main problems: | When you connect to a server, authenticating via a password there are two main problems: | ||
| + | * Someone could bruteforce or guess the password, since many passwords are commonly weak, hard to remember or used for multiple applications and then cracked/leaked. | ||
* Someone could intercept/crack your password, since it has to be send to the server at some point in some form. | * Someone could intercept/crack your password, since it has to be send to the server at some point in some form. | ||
| − | |||
== How-to-use-it == | == How-to-use-it == | ||
| Line 23: | Line 23: | ||
$ vim ~/.ssh/authorized_keys | $ vim ~/.ssh/authorized_keys | ||
| − | The next time you [[ssh]] to the server, it should use the key and instead of prompting the | + | The next time you [[ssh]] to the server, it should use the key and instead of prompting the pass'''word''' for the server, prompt for the pass'''phrase''' of the key, if you chose to employ one. |
| + | |||
| + | |||
| + | == How-it-works == | ||
| + | The basic principle is that of public and private keys. A public key is like an indestructible piggy bank: Everybody can put something (data) into it and nobody can get it back out again. A private key is the key for this. In this way you can distribute all the piggy banks you like and if someone put something in there and sends it back, only you can open it with your private key. | ||
| + | |||
| + | |||
| + | An [[ssh]] connection is encrypted with a symmetric encryption using a single-use sessesion key, negotiated with a Diffie-Hellman exchange. Once the connection is established, the server prompts for authentication of the client (you). Instead of transmitting a hash of your password, your program now tells the server, it wants to use the key. The server then uses the public key, you gave it, to encrypt a random number and you can then decrypt that with your private key. You send the number back and the server knows, you are in posession of the private key and grants you the corresponding privileges. | ||
| + | |||
| + | |||
| + | == References == | ||
| + | [https://wiki.archlinux.de/title/SSH-Authentifizierung_mit_Schl%C3%BCsselpaaren SSH keys on the archlinux wiki] | ||
| + | [https://medium.com/@vrypan/explaining-public-key-cryptography-to-non-geeks-f0994b3c2d5 Public and private keys easily explained] | ||
| − | + | [https://www.digitalocean.com/community/tutorials/understanding-the-ssh-encryption-and-connection-process More detailed explanation of the connection and encryption process of ssh] | |
Revision as of 16:39, 5 April 2018
An ssh key is a way of identifying (authenticating) yourself when connecting to a server per ssh. A different popular authentication method is via a password.
Why should I use it?
When you connect to a server, authenticating via a password there are two main problems:
- Someone could bruteforce or guess the password, since many passwords are commonly weak, hard to remember or used for multiple applications and then cracked/leaked.
- Someone could intercept/crack your password, since it has to be send to the server at some point in some form.
How-to-use-it
You should start by generating a key pair:
$ ssh-keygen -b 4096
where you can specify the max length of the key up to 16384 bits.
You can then optionally protect your key with a passphrase. (Your key is basically just a file sitting on your computer and a passphrase protects your key, if someone happens to steal/copy that file).
If you did not specify a different file, the key normaly gets generated into the folder
~/.ssh
with the files id_rsa being your private and id_rsa.pub being your public key.
This public key now has to be copied to the server to the
~/.ssh/authorized_keys
file. This can be done, by opening an ssh connection via password and then using an editor (e.g. vim) to paste the key into the file (creating the .ssh directory if it does not exist):
$ mkdir ~/.ssh $ vim ~/.ssh/authorized_keys
The next time you ssh to the server, it should use the key and instead of prompting the password for the server, prompt for the passphrase of the key, if you chose to employ one.
How-it-works
The basic principle is that of public and private keys. A public key is like an indestructible piggy bank: Everybody can put something (data) into it and nobody can get it back out again. A private key is the key for this. In this way you can distribute all the piggy banks you like and if someone put something in there and sends it back, only you can open it with your private key.
An ssh connection is encrypted with a symmetric encryption using a single-use sessesion key, negotiated with a Diffie-Hellman exchange. Once the connection is established, the server prompts for authentication of the client (you). Instead of transmitting a hash of your password, your program now tells the server, it wants to use the key. The server then uses the public key, you gave it, to encrypt a random number and you can then decrypt that with your private key. You send the number back and the server knows, you are in posession of the private key and grants you the corresponding privileges.
References
SSH keys on the archlinux wiki
Public and private keys easily explained
More detailed explanation of the connection and encryption process of ssh