SSH: Public Key Authentication¶

Why?¶

Password authentication is insecure:

… and uncomfortable: have to type password over and over

Create SSH config directory - .ssh - in $HOME (if not already in place), and set permissions so nobody else can look into (we will store key material here):
```
$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
```

Create key pair (by default id-rsa*) in ~/.ssh:

$ cd ~/.ssh
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
...

~/.ssh/id_rsa.pub

Public key: deployed to remote machine
- Send email (or otherwise transfer) to remote machine’s administrator
- Ask them to set it up for you
- ~/.ssh/id_rsa
Private key; remains local - in your safe
Danger

The private key is your secret, and must not be disclosed
- Careful with your ~/.ssh
  - ~/.ssh is your private safe
  - The ssh program refuses to work if permissions are too wide
  - But: can you trust root?
- Careful where you store backups!
  - Can you trust the cloud?

Receive the user’s public key
In the user’s home directory, create a .ssh directory

As opposed the situation on the user’s local machine, the permissions can be left open (there is no private key material there)
Append the user’s key to ~/.ssh/authorized_keys (a create the file if not yet inplace)

Passphrase provides additional safeguard, should the private key get lost
⟶ Drawback: login becomes interactive again (although on a different level)
Omitting passphrase: answer prompt empty, twice
ssh-agent: managing passphrases
- Remembers passphrase in memory, safely
- ssh talks to agent when passphrase needed
Permissions of ~/.ssh - and contained files - are important. If permissions are too open (others could read credentials, other could write/modify), ssh will complain loudly and refuse to work.