SSH: Public Key Authentication


Password authentication is insecure:

  • Man-in-the-Middle (MITM) attacks

  • Brute force attacks to guess passwords

… and uncomfortable: have to type password over and over

  • Public key deployed to server

  • Private key remains local, in one’s personal locked safe ideally

Local Setup, Key Generation

On the client (your work machine, the machine you log in from),

  • Create SSH config directory - .ssh - in $HOME (if not already in place), and set permissions so nobody else can look into (we will store key material here):

    $ mkdir ~/.ssh
    $ chmod 700 ~/.ssh
  • Create key pair (by default id-rsa*) in ~/.ssh:

    $ cd ~/.ssh
    $ ssh-keygen -t rsa
    Generating public/private rsa key pair.

Key Pair?

  • ~/.ssh/

    Public key: deployed to remote machine

    • Send email (or otherwise transfer) to remote machine’s administrator

    • Ask them to set it up for you

    • ~/.ssh/id_rsa

    Private key; remains local - in your safe


    The private key is your secret, and must not be disclosed

    • Careful with your ~/.ssh

      • ~/.ssh is your private safe

      • The ssh program refuses to work if permissions are too wide

      • But: can you trust root?

    • Careful where you store backups!

      • Can you trust the cloud?

Remote Setup (Wearing The Remote Admin’s Hat)

  • Receive the user’s public key

  • In the user’s home directory, create a .ssh directory

    As opposed the situation on the user’s local machine, the permissions can be left open (there is no private key material there)

  • Append the user’s key to ~/.ssh/authorized_keys (a create the file if not yet inplace)

What Else?

  • Passphrase provides additional safeguard, should the private key get lost

  • Drawback: login becomes interactive again (although on a different level)

  • Omitting passphrase: answer prompt empty, twice

  • ssh-agent: managing passphrases

    • Remembers passphrase in memory, safely

    • ssh talks to agent when passphrase needed

  • Permissions of ~/.ssh - and contained files - are important. If permissions are too open (others could read credentials, other could write/modify), ssh will complain loudly and refuse to work.