The SSH (Secure Shell) protocol provides encrypted, authenticated remote access to hosts.
SSH supports several ways of authenticating a user to a host, including password authentication, public-key authentication, and host-based authentication.
Before we get into all of that, let’s generate an SSH keypair.
Generating an SSH Keypair
Most Linux distributions ship the OpenSSH ssh-keygen command,
which creates the private and public key used for SSH public-key authentication.
The command is simple enough to run without any options; it then creates a keypair of the default type, which is RSA on older OpenSSH releases and Ed25519 since OpenSSH 9.5. (The key is used to sign an authentication challenge, not to encrypt traffic.)
ssh-keygen
To choose the key type explicitly, pass -t. The command below produces an RSA keypair; on current systems ssh-keygen -t ed25519 is the usual choice, as Ed25519 keys are short, fast and not subject to the key-size choices RSA needs.
ssh-keygen -t rsa
You'll be prompted for a save location and an optional passphrase. Two files are then written to that location. For an RSA key the default names are id_rsa and id_rsa.pub (id_ed25519 and id_ed25519.pub for an Ed25519 key):
id_rsa
– This file contains the private key. Never share it, and protect it with a passphrase so a copied file is not immediately usable.
id_rsa.pub
– This file contains the public key. This is the file that gets installed on remote hosts.
Now that we've created our SSH keypair we need to get the local public key onto the remote host, so let's discuss how the server decides which keys are authorized.
authorized_keys
Public key authentication is controlled on the server by the ~/.ssh/authorized_keys
file of the account being logged into. It lists the public keys that are allowed to log in to that account via SSH.
When a client offers a key, sshd looks it up in this file; if it is listed, the client must then prove possession of the matching private key by signing a challenge. Note that sshd ignores the file if it, ~/.ssh or the home directory is writable by other users (the default StrictModes setting), so file permissions matter.
Each line represents a single public key, and the format of the authorized_keys
file is as follows:
[options] keytype base64-encoded-key [comment]
- [options]: an optional, comma-separated list of restrictions such as from="...", command="..." or restrict (quoted values may contain spaces and commas)
- keytype: the type of key, e.g. ssh-ed25519, ssh-rsa or ecdsa-sha2-nistp256
- base64-encoded-key: the public key itself, base64-encoded; the key type is repeated inside the encoded data
- [comment]: an optional comment, usually user@host
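To see how those fields fit together, here is a small parser for authorized_keys lines, written for this page (it is not OpenSSH's own parser). It splits off an options prefix while respecting quoted values, decodes the key data, checks that the key type embedded in the data matches the declared type, and computes the SHA256 fingerprint that ssh-keygen -lf would print. The sample file it parses is constructed from dummy key bytes, not real keys.

```python
"""Parse and sanity-check OpenSSH authorized_keys lines.

Added example for this page, not OpenSSH's own parser. The key blobs in
SAMPLE below are constructed from dummy bytes and are not real keys.
"""
import base64
import hashlib
import struct

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _split_options(line):
    """Split into (options, rest): the options field ends at the first
    whitespace outside double quotes, so command="a b" stays intact."""
    in_quote, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quote:
            i += 2                      # skip an escaped character inside quotes
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    return line[:i], line[i:].lstrip()


def _split_option_list(opts):
    """Split the options field on commas that are not inside double quotes."""
    out, cur, in_quote, i = [], [], False, 0
    while i < len(opts):
        c = opts[i]
        if c == "\\" and in_quote and i + 1 < len(opts):
            cur.append(opts[i:i + 2])
            i += 2
            continue
        if c == '"':
            in_quote = not in_quote
        if c == "," and not in_quote:
            out.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        out.append("".join(cur))
    return out


def _first_ssh_string(blob):
    """Read the leading length-prefixed string of an SSH wire-format key blob."""
    if len(blob) < 4:
        raise ValueError("key data too short")
    (n,) = struct.unpack_from(">I", blob, 0)
    if 4 + n > len(blob):
        raise ValueError("truncated key data")
    return blob[4:4 + n]


def fingerprint(blob):
    """SHA256 fingerprint in the form printed by ssh-keygen -lf."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_authorized_keys_line(line):
    """Return a dict for a key line, None for blank/comment lines, or raise ValueError."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    options, rest = [], stripped
    if stripped.split(None, 1)[0] not in KEY_TYPES:   # no key type first: an options prefix
        opts, rest = _split_options(stripped)
        options = _split_option_list(opts)
    parts = rest.split(None, 2)
    if len(parts) < 2:
        raise ValueError("missing key type or key data")
    ktype, b64 = parts[0], parts[1]
    if ktype not in KEY_TYPES:
        raise ValueError(f"unknown key type {ktype!r}")
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as e:                            # binascii.Error is a ValueError
        raise ValueError("key data is not valid base64") from e
    embedded = _first_ssh_string(blob).decode("ascii", "replace")
    if embedded != ktype:
        raise ValueError(f"declared type {ktype} but key data is {embedded!r}")
    return {"options": options, "type": ktype, "fingerprint": fingerprint(blob),
            "comment": parts[2] if len(parts) == 3 else ""}


def check_file(text):
    """Parse every line; return (entries, errors) with errors as (lineno, message)."""
    entries, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_authorized_keys_line(line)
        except ValueError as err:
            errors.append((lineno, str(err)))
            continue
        if entry is not None:
            entries.append(entry)
    return entries, errors


def _blob(ktype, key_bytes):
    """Constructed wire-format blob: string(type) || string(key), with dummy key bytes."""
    s = lambda b: struct.pack(">I", len(b)) + b
    return s(ktype.encode()) + s(key_bytes)


_b64 = lambda b: base64.b64encode(b).decode()
SAMPLE = "\n".join([
    "# constructed sample file; the keys are dummies",
    "ssh-ed25519 " + _b64(_blob("ssh-ed25519", bytes(range(32)))) + " alice@laptop",
    'restrict,command="/usr/local/bin/backup --target /srv, verbose",from="10.0.0.0/8,!10.0.5.1" '
    + "ssh-ed25519 " + _b64(_blob("ssh-ed25519", bytes(32))) + " backup-robot",
    "ssh-rsa " + _b64(_blob("ssh-ed25519", bytes(32))) + " mislabelled",
    "ssh-ed25519 not-base64!!! broken",
])

if __name__ == "__main__":
    entries, errors = check_file(SAMPLE)
    for e in entries:
        print(e["type"], e["fingerprint"], e["comment"], e["options"])
    for lineno, msg in errors:
        print(f"line {lineno}: {msg}")
```

The type check matters in practice: sshd reads the type from the encoded data, so a line whose declared type and encoded type disagree is a sign of a hand-edited or corrupted file. The fingerprint is what you compare against ssh-keygen -lf output when auditing which keys are installed on a host.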
Adding public keys to the authorized_keys
file can be done by manually copying the local public key into the remote authorized_keys
file. However, it's recommended to use the ssh-copy-id
command, which ships with OpenSSH on Linux, macOS and the BSDs (it is a shell script, and is not part of the Windows OpenSSH client).
Here is an example of how to use the ssh-copy-id
command to copy a public key from your local host to a remote host.
$ ssh-copy-id username@remote_host
Alternatively, you can use the following command to copy the local public key to the remote host using cat
and the ssh
commands. The chmod steps are not optional: with the default StrictModes setting, sshd refuses to use an authorized_keys file that is group- or world-writable, or that lives in a ~/.ssh directory that is.
$ cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
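The cat-and-append command above does the job, but it appends blindly: run it twice and the key is listed twice, and it relies on the remote shell for permissions. The function below, written for this page and not taken from ssh-copy-id, shows the two things ssh-copy-id adds on top: it sets ~/.ssh to 0700 and authorized_keys to 0600, and it skips a key whose material (type and base64 data) is already present even if the comment differs. It runs against a local directory, so no remote host is needed; the key in demo() is a dummy string, not a real key.

```python
"""Install a public key into an account's authorized_keys the way ssh-copy-id does:
~/.ssh gets mode 0700, authorized_keys mode 0600, and a key already present is
not appended twice. Added example for this page, not ssh-copy-id's own code;
it runs against a local directory, no remote host needed.
"""
import os
import stat
import tempfile


def _key_material(line):
    """(type, base64) of a key line, ignoring any options prefix and the comment."""
    toks = line.split()
    for i, tok in enumerate(toks):
        if tok.startswith(("ssh-", "ecdsa-sha2-", "sk-")) and i + 1 < len(toks):
            return toks[i], toks[i + 1]
    return None


def install_authorized_key(home, pubkey_line):
    """Append pubkey_line to <home>/.ssh/authorized_keys; return True if it was added."""
    key = pubkey_line.strip()
    if _key_material(key) is None:
        raise ValueError("not a public key line")
    ssh_dir = os.path.join(home, ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, exist_ok=True)
    os.chmod(ssh_dir, 0o700)            # sshd's StrictModes rejects a group/world-writable ~/.ssh

    existing = b""
    if os.path.exists(path):
        with open(path, "rb") as f:
            existing = f.read()
    for line in existing.decode(errors="replace").splitlines():
        if not line.startswith("#") and _key_material(line) == _key_material(key):
            os.chmod(path, 0o600)
            return False                # same key material (comment may differ): already installed

    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as f:
        if existing and not existing.endswith(b"\n"):
            f.write("\n")               # don't glue the new key onto an unterminated last line
        f.write(key + "\n")
    os.chmod(path, 0o600)               # O_CREAT's mode is subject to umask; set it explicitly
    return True


def demo():
    """Run in a throwaway home dir with a constructed dummy key; returns
    (added first time, added second time, ~/.ssh mode, file mode, key lines)."""
    with tempfile.TemporaryDirectory() as home:
        key = "ssh-ed25519 AAAADUMMYKEYDATAAAAA alice@laptop"   # dummy, not a real key
        first = install_authorized_key(home, key)
        second = install_authorized_key(home, key + " on-workstation")
        ssh_dir = os.path.join(home, ".ssh")
        path = os.path.join(ssh_dir, "authorized_keys")
        with open(path) as f:
            lines = [l for l in f if l.strip()]
        return (first, second,
                stat.S_IMODE(os.stat(ssh_dir).st_mode),
                stat.S_IMODE(os.stat(path).st_mode),
                len(lines))


if __name__ == "__main__":
    print(demo())   # (True, False, 0o700, 0o600, 1)
```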
known_hosts
Host key verification, the client's check that it is talking to the server it expects, is managed by the ~/.ssh/known_hosts
(per-user) and /etc/ssh/ssh_known_hosts
(system-wide) files. Despite the similar name this is not host-based authentication, which authenticates users by their client host's key and is configured separately on the server.
When a client connects to a server for the first time, the server presents its host public key; the client displays the key's fingerprint and, if the user accepts it (or StrictHostKeyChecking is set to accept-new), saves the key in the known_hosts
file on the client's system. Check that fingerprint out of band, because this first connection is the one point where an attacker in the path could substitute their own key and have it trusted from then on.
On each subsequent connection, the client verifies the server's identity by checking that the presented host key matches the key stored in the known_hosts
file. If a key of the same type differs, the client warns that the host identification has changed and, with the default StrictHostKeyChecking setting, refuses the connection.
Each line in the known_hosts
file represents one host key (or, with an @cert-authority marker, a CA key for host certificates). The fields are: an optional marker (@cert-authority or @revoked), one or more comma-separated hostnames or patterns (with * and ? wildcards and ! for negation), the key type, the base64-encoded key, and an optional comment. When HashKnownHosts is enabled, the hostname field is replaced by a hash of the form |1|salt|hash so that the file does not reveal which hosts you connect to. A non-standard port is written as [hostname]:port.
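The following code, written for this page (it is not OpenSSH's implementation), shows the lookup the client performs: it parses known_hosts entries including markers and hashed hostnames, matches a host against them, and classifies a presented host key as ok, mismatch, unknown or revoked. OpenSSH hashes hostnames with HMAC-SHA1 keyed by a random 20-byte salt stored in the entry; the example uses a fixed salt and dummy key blobs so that it runs offline, and the sample file is constructed here rather than taken from a real system.

```python
"""Match a host against OpenSSH known_hosts entries and verify a presented host key.

Added example for this page, not OpenSSH's own code. Host keys are dummy
blobs and the hashing salt is fixed here; OpenSSH draws a random salt per line.
"""
import base64
import hashlib
import hmac
import re
import struct


def public_key_blob(ktype, key_bytes):
    """Constructed SSH wire-format blob: string(type) || string(key)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    return s(ktype.encode()) + s(key_bytes)


def host_string(host, port=22):
    """The form the client writes into known_hosts: bare name, or [name]:port off port 22."""
    return host if port == 22 else f"[{host}]:{port}"


def hashed_hostname(hoststr, salt):
    """HashKnownHosts form: |1|base64(salt)|base64(HMAC-SHA1(salt, hoststr))."""
    mac = hmac.new(salt, hoststr.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())


def parse_known_hosts(text):
    """Yield dicts: marker (@cert-authority/@revoked or None), hosts, type, blob, comment."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        marker = parts.pop(0) if parts[0].startswith("@") else None
        if len(parts) < 3:
            raise ValueError(f"line {lineno}: expected hosts, key type and key")
        yield {"line": lineno, "marker": marker, "hosts": parts[0], "type": parts[1],
               "blob": base64.b64decode(parts[2], validate=True),
               "comment": " ".join(parts[3:])}


def _pattern_matches(hoststr, pattern):
    """known_hosts wildcard match: * and ? are special, everything else literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, hoststr) is not None


def entry_matches_host(entry, hoststr):
    field = entry["hosts"]
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), hoststr.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(mac_b64))
    matched = False
    for pattern in field.split(","):
        negated = pattern.startswith("!")
        if _pattern_matches(hoststr, pattern.lstrip("!")):
            if negated:
                return False            # a negated match vetoes the whole entry
            matched = True
    return matched


def check_host_key(text, host, port, ktype, blob):
    """Return 'revoked', 'ok', 'mismatch' or 'unknown' for the key a server presented."""
    hoststr = host_string(host, port)
    matching = [e for e in parse_known_hosts(text) if entry_matches_host(e, hoststr)]
    for e in matching:                  # revocations win over everything else
        if e["marker"] == "@revoked" and e["type"] == ktype and hmac.compare_digest(e["blob"], blob):
            return "revoked"
    for e in matching:
        if e["marker"] is not None or e["type"] != ktype:
            continue                    # CA entries apply to certificates; other key types don't pin this one
        return "ok" if hmac.compare_digest(e["blob"], blob) else "mismatch"
    return "unknown"


# Constructed sample: dummy keys and a fixed salt, not real host keys
SALT = bytes(range(20))
KEY_A = public_key_blob("ssh-ed25519", bytes([1] * 32))
KEY_B = public_key_blob("ssh-ed25519", bytes([2] * 32))
KEY_OLD = public_key_blob("ssh-ed25519", bytes([3] * 32))
_b64 = lambda b: base64.b64encode(b).decode()
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample; not real host keys",
    f"git.example.com,10.0.0.5 ssh-ed25519 {_b64(KEY_A)} git server",
    f"{hashed_hostname(host_string('bastion.example.com', 2222), SALT)} ssh-ed25519 {_b64(KEY_B)}",
    f"@revoked * ssh-ed25519 {_b64(KEY_OLD)} leaked key",
    f"*.lab.example.com,!evil.lab.example.com ssh-ed25519 {_b64(KEY_A)}",
])

if __name__ == "__main__":
    for host, port, key in [("git.example.com", 22, KEY_A), ("10.0.0.5", 22, KEY_B),
                            ("bastion.example.com", 2222, KEY_B), ("git.example.com", 22, KEY_OLD),
                            ("evil.lab.example.com", 22, KEY_A)]:
        print(host_string(host, port), check_host_key(SAMPLE_KNOWN_HOSTS, host, port, "ssh-ed25519", key))
```

Two details worth noticing: the hashed entry only matches when the exact host string, including the [host]:port form, is hashed with that entry's salt, which is why a hashed file cannot be grepped for a hostname; and a revocation is checked before the ordinary entries, so a leaked host key listed under @revoked is rejected even if an older line still pins it.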