Saturday, July 21, 2012

Tutorial on SSH keys and Their Permissions in Unix

The conventional protocols (telnet, ftp, rlogin, X) used to connect computers on the Internet are insecure. For example, if you use telnet, your password may be “sniffed” by an intruder on any network between the client and the server. A new version of ssh was created (ssh2). This has a more restrictive license, so most places only use the original version (ssh1), and today we will talk about ssh1 keys.
1) Run ssh-keygen as follows:

$ ssh-keygen
Enter file in which to save the key (~/.ssh/identity): [RETURN]
Enter passphrase: [ENTER A GOOD PASS PHRASE TO PROTECT THE PRIVATE KEY]
Enter the same passphrase again: [DITTO]

This creates a private and public key pair in ~/.ssh/identity and ~/.ssh/identity.pub. The first file is protected by (a) Unix permissions and (b) your pass phrase. The second file only needs to be protected against writing by anyone except you.
NAME
ssh-keygen - authentication key generation, management and conversion

SYNOPSIS
ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment] [-f output_keyfile]
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
ssh-keygen -i [-f input_keyfile]
ssh-keygen -e [-f input_keyfile]
ssh-keygen -y [-f input_keyfile]
ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]
ssh-keygen -l [-f input_keyfile]
ssh-keygen -B [-f input_keyfile]
ssh-keygen -D reader
ssh-keygen -U reader [-f input_keyfile]
Normally this program generates the key and asks for a file in which to store the private key. The public key is stored in a file with the same name but “.pub” appended. The program also asks for a passphrase. The passphrase may be empty to indicate no passphrase (host keys must have an empty passphrase), or it may be a string of arbitrary length. A passphrase is similar to a password, except it can be a phrase with a series of words, punctuation, numbers, whitespace, or any string of characters you want. Good passphrases are 10-30 characters long, are not simple sentences or otherwise easily guessable (English prose has only 1-2 bits of entropy per character, and provides very bad passphrases), and contain a mix of upper and lowercase letters, numbers, and non-alphanumeric characters. The passphrase can be changed later by using the -p option.
mkdir ~/.ssh
chmod 700 ~/.ssh
ssh-keygen -t rsa
You will be prompted for a location to save the keys and for a passphrase. This passphrase protects your private key while it is stored on disk and is required every time you use the key to log in to a key-based system:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/b/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/b/.ssh/id_rsa.
Your public key has been saved in /home/b/.ssh/id_rsa.pub.
Your public key is now available as .ssh/id_rsa.pub in your home folder.

Permission problems with SSH

ssh is very picky about the permissions on the ~/.ssh directory and the files in it. Sometimes you may do something that messes up these permissions. Run the following to fix most permission problems. You may have to do this on both the remote host and the local host.
chmod 700 ~/.ssh
chmod 600 ~/.ssh/id_rsa
chmod 644 ~/.ssh/id_rsa.pub
chmod 644 ~/.ssh/authorized_keys
chmod 644 ~/.ssh/known_hosts
Also, no directory above ~/.ssh may have ‘group’ or ‘other’ write permissions. Note: if you give permissions more open than these, you will get errors like “too much permissions”.
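As an added example (not part of the original post), a POSIX shell script that checks the rules above on one ~/.ssh directory, including the rule that no parent directory may be group- or other-writable, and applies the same chmod fixes. The function names `check_ssh_perms` and `fix_ssh_perms` and the optional "stop" directory argument are assumptions of this example.

```shell
#!/bin/sh
# Audit the permission rules this tutorial lists for one ~/.ssh directory.
# check_ssh_perms [dir] [stop]: prints one line per violation, returns 0 when clean.
# fix_ssh_perms [dir]: applies the tutorial's chmod commands to that directory.

# Octal mode of a path: GNU stat first, BSD/macOS stat as the fallback.
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }

rc=0
# expect_mode PATH MODE: report a mismatch for PATH when it exists.
expect_mode() {
    [ -e "$1" ] || return 0
    m="$(mode_of "$1")"
    [ "$m" = "$2" ] || { echo "$1: mode $m, want $2"; rc=1; }
}

check_ssh_perms() {
    dir="${1:-$HOME/.ssh}"; stop="${2:-/}"; rc=0
    [ -d "$dir" ] || { echo "$dir: directory missing"; return 1; }
    expect_mode "$dir" 700
    for f in id_rsa identity; do expect_mode "$dir/$f" 600; done
    for f in id_rsa.pub identity.pub authorized_keys known_hosts; do
        expect_mode "$dir/$f" 644
    done
    # Walk upwards: no directory above ~/.ssh (and below $stop) may be
    # group- or other-writable, or ssh refuses to trust the key files.
    d="$(dirname "$dir")"
    while [ "$d" != "$stop" ] && [ "$d" != "/" ]; do
        m="$(mode_of "$d")"
        o="${m#${m%?}}"; t="${m%?}"; g="${t#${t%?}}"   # other and group digits
        if [ $((g & 2)) -ne 0 ] || [ $((o & 2)) -ne 0 ]; then
            echo "$d: mode $m is group- or other-writable"; rc=1
        fi
        d="$(dirname "$d")"
    done
    return $rc
}

fix_ssh_perms() {
    dir="${1:-$HOME/.ssh}"
    chmod 700 "$dir"
    for f in id_rsa identity; do
        if [ -e "$dir/$f" ]; then chmod 600 "$dir/$f"; fi
    done
    for f in id_rsa.pub identity.pub authorized_keys known_hosts; do
        if [ -e "$dir/$f" ]; then chmod 644 "$dir/$f"; fi
    done
}

if [ $# -gt 0 ]; then check_ssh_perms "$@"; fi
```

Run it as `sh check.sh ~/.ssh` on each host; the parent-directory walk stops at `/` unless a second argument names an ancestor to stop at.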
