A Guide to Public Key Authentication Using SSH
The SSH (Secure Shell) protocol allows an ability to remotely, and securely, access hosts.
SSH has various options for authenticating to a host including — password authentication, public-key authentication, and host-based authentication.
Before we get into all of that, let’s generate an SSH keypair.
Generating an SSH Keypair
Most Linux OS’s have a built-in command, ssh-keygen that can be used to create a public and private key that can be used for SSH authentication.
The command is so simple that you can run it without any options and you\’ll create a basic SSH keypair using RSA encryption.
ssh-keygenThe same SSH keypair could be generated using the option below.
ssh-keygen -t rsaYou\’ll be prompted to provide a save location. Once generated, two files will be created. The default naming is id_rsa.
id_rsa– This file contains the private key. Don\’t ever share this!id_rsa.pub– This file contains the public key.
Now that we\’ve created our SSH keypair we need to get the local public key to the remote host, so let\’s discuss authorization methods.
authorized_keys
Public key authentication is managed by the ~/.ssh/authorized_keys file. It contains the public keys that are authorized for logging into a user account via SSH.
When a user attempts to log in using public key authentication, the host checks the public-key used against the public key provided in this file in order to verify authorization.
Each line represents a single public key, and the format of the authorized_keys file is as follows:
ssh-[type] [public key][comment]- [type]: the type of key
- [public key]: the actual public key
- [comment]: An optional comment.
Adding public keys to the authorized_keys can be done by manually copying the local public key to the remote authorized_hosts file. However, it’s recommended to use the ssh-copy-id command, which is only available on Linux.
Here is an example of how to use the ssh-copy-id command to copy a public key from your local host to a remote host.
$ ssh-copy-id username@remote_hostAlternatively, you can use the following command to copy the local public key to the remote host using cat and the ssh commands.
$ cat ~/.ssh/id_rsa.pub | ssh username@remote_host "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"known_hosts
Host-based authentication is managed by the ~/.ssh/known_hosts (pre-user) and /etc/ssh/known_hosts (system-wide) file.
When a client connects via SSH for the first time, the servers\’s public key is exchanged with the client and saved in the known_hosts file on the client\’s system.
On each subsequent connection, the client verifies the server\’s identity by verifying that the key contained in the known_hosts file is the same. If the public key is different; the SSH connection will fail.
Each line in the known_hosts file represents one public key or certificate. Each line will contain a hostname, or hash of the hostname, and public-key details.