SSH key

From Verity


This page explains how to create an SSH keyring and use it for authentication instead of a password.

Key Creation

To get an SSH keyring, follow these instructions or ask the IT department to do it for you.

1. Open SecureCRT and choose Tools > Create Public Key...

Image:Key-1create.png

2. When asked for key type, choose DSA.

Image:Key-2DSA.png

3. Choose a passphrase made of numbers, symbols, and capital and lowercase letters. You will be asked for this passphrase whenever you use the key. A lost passphrase cannot easily be recovered, so write it down and keep it in your wallet. Then enter your name and today's date in the Comment box.

Image:Key-3info.png

4. Set key length to 1024 bits. (Why?)

Image:Key-4length.png

5. The program will ask you to generate some entropy (randomness); then it will generate the key.

6. Make sure the key will be saved in OpenSSH format. Save it in a safe place that you will remember.

Image:Key-5output.png

Two files have now been saved in the path you configured. They have the same name, except that one ends in .pub. The .pub file is your public key; the other is your private key. Never give the private key file to anyone. The .pub file can be distributed freely.

7. SecureCRT will ask whether it should use the new key. Say yes.

Image:Key-6makeDefault.png

8. Finally, each SSH server needs a copy of your public key so it can recognize you. Add the contents of your public key to the following file on the server:

~/.ssh/authorized_keys

For example, use the vim editor to paste the contents of your public key into that file. Then set the permissions on the .ssh folder and the authorized_keys file, or the server will refuse to read them:

chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

You may wish to e-mail your public key to the IT manager's assistant to have it installed on every server you need access to.

Never give out your private key.
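Steps 6 and 8 together, as an added example that is not part of the original page or of SecureCRT: a small Python script for the server side that checks a pasted .pub line really is an OpenSSH-format public key (declared type, valid base64, and a matching type name inside the blob), adds it to ~/.ssh/authorized_keys only once, and applies the chmod 700 / 600 permissions from step 8. The key line it installs is constructed with dummy key bytes, and the function names and the list of accepted key types are chosen for this example, not anything the page or OpenSSH defines.

```python
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

# Key types this installer accepts. The page's recipe produces ssh-dss keys;
# the others are listed so the same check also works for newer key types.
ALLOWED_TYPES = {"ssh-dss", "ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}


def parse_public_key(line):
    """Check that 'line' is an OpenSSH-format public key: '<type> <base64> [comment]'.

    Returns (key_type, comment) or raises ValueError. The base64 blob begins with a
    length-prefixed copy of the key type, which must match the declared type."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    if key_type not in ALLOWED_TYPES:
        raise ValueError(f"unsupported key type {key_type!r}")
    try:
        blob = base64.b64decode(blob_b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64") from exc
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (name_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + name_len] != key_type.encode("ascii"):
        raise ValueError("key type inside blob does not match declared type")
    return key_type, comment


def is_valid_public_key(line):
    try:
        parse_public_key(line)
        return True
    except ValueError:
        return False


def install_public_key(line, home):
    """Append the key to <home>/.ssh/authorized_keys (once) and fix permissions.

    Returns True if the key was added, False if it was already present."""
    parse_public_key(line)  # refuse garbage before touching the file
    normalized = " ".join(line.split())
    ssh_dir = Path(home) / ".ssh"
    auth = ssh_dir / "authorized_keys"
    ssh_dir.mkdir(mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # mkdir's mode is subject to umask, so set it explicitly
    existing = auth.read_text().splitlines() if auth.exists() else []
    already = any(" ".join(entry.split()) == normalized for entry in existing)
    if not already:
        with auth.open("a") as fh:
            fh.write(normalized + "\n")
    os.chmod(auth, 0o600)  # the server refuses keys it finds in a world-readable file
    return not already


def constructed_sample_key(key_type="ssh-dss", comment="alice 2009-01-01"):
    """A CONSTRUCTED stand-in for a .pub line: correct framing, dummy key bytes."""
    name = key_type.encode("ascii")
    blob = struct.pack(">I", len(name)) + name + b"\x00" * 16  # not a real key
    return f"{key_type} {base64.b64encode(blob).decode('ascii')} {comment}"


def demo_install():
    """Install the constructed key twice into a throwaway home and report the result."""
    line = constructed_sample_key()
    with tempfile.TemporaryDirectory() as home:
        first = install_public_key(line, home)
        second = install_public_key(line, home)
        ssh_dir = Path(home) / ".ssh"
        auth = ssh_dir / "authorized_keys"
        return {
            "first_added": first,
            "second_added": second,
            "lines": len(auth.read_text().splitlines()),
            "dir_mode": stat.S_IMODE(ssh_dir.stat().st_mode),
            "file_mode": stat.S_IMODE(auth.stat().st_mode),
        }


if __name__ == "__main__":
    print(demo_install())
```

To use it on a real account, call install_public_key(line, home) with the line pasted from your .pub file and your home directory; demo_install only exercises a temporary directory so it can be run anywhere without touching a real authorized_keys file.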

Explanation

An encryption keyring has a public and private key. The public key encrypts data, producing messages that only the private key can decrypt. When connecting, the SSH client usually sends your public key so that the server can encrypt the data for you.

But these keys are also useful for authenticating without needing a password. If the server already has a copy of your public key, then you can prove your identity by being able to decrypt the data it produces -- this shows that you have the corresponding private key. The

No passwords are sent across the network, and an attacker would need to know the contents of your private key (which is much longer than a password). We can improve security by requiring a key, not a password, for authentication.

This means the private key must be kept in a safe place. For extra security, the private key itself is protected by the passphrase you chose when you created it.
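The proof of possession described above, as an added worked example that is not from the original page: a toy textbook-RSA key pair (primes around one million, nothing like a real 1024-bit key) and a server that keeps a list of authorized public keys, encrypts a random challenge with the client's public key, and accepts the login only if the reply proves the client could decrypt it. It also shows that someone holding only the .pub file cannot answer. The names (Server, run_login and so on) are chosen for this example; the exchange follows the page's description, whereas SSH-2's publickey method has the client sign a challenge rather than decrypt one, which is the same proof of possession in a different form.

```python
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass

# Toy textbook RSA with a roughly 40-bit modulus: enough to show the protocol,
# useless for real security. Constructed for this example only.


def is_prime(n):
    """Trial division; fine for the million-sized toy primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True


def next_prime(n):
    while not is_prime(n):
        n += 1
    return n


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_toy_keypair(e=65537):
    """Constructed key pair from fixed toy primes, so the output is deterministic."""
    p = next_prime(1_000_003)
    q = next_prime(1_100_003)
    while math.gcd(e, (p - 1) * (q - 1)) != 1:
        q = next_prime(q + 1)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return PublicKey(n, e), PrivateKey(n, d)


def encrypt(pub, m):
    return pow(m, pub.e, pub.n)


def decrypt(priv, c):
    return pow(c, priv.d, priv.n)


def response_for(secret):
    """What the client sends back: a digest of the decrypted challenge,
    so the challenge value itself never travels over the network."""
    return hashlib.sha256(str(secret).encode()).hexdigest()


class Server:
    """Holds the equivalent of ~/.ssh/authorized_keys and runs the challenge."""

    def __init__(self, authorized_keys):
        self.authorized = list(authorized_keys)
        self._pending = {}

    def challenge(self, user, pub):
        if pub not in self.authorized:
            raise PermissionError("public key not in authorized_keys")
        secret = secrets.randbelow(pub.n - 3) + 2  # random value in [2, n-2]
        self._pending[user] = secret
        return encrypt(pub, secret)  # only the private key can recover 'secret'

    def verify(self, user, response):
        secret = self._pending.pop(user, None)  # one-shot: an old challenge can't be replayed
        if secret is None:
            return False
        return hmac.compare_digest(response_for(secret), response)


def client_respond(priv, ciphertext):
    return response_for(decrypt(priv, ciphertext))


def run_login(server, user, pub, responder):
    """One authentication round; 'responder' maps the ciphertext to a reply."""
    ciphertext = server.challenge(user, pub)
    return server.verify(user, responder(ciphertext))


def honest_login_succeeds():
    pub, priv = make_toy_keypair()
    server = Server([pub])
    return run_login(server, "alice", pub, lambda c: client_respond(priv, c))


def impostor_login_fails():
    """Someone who copied only the .pub file cannot answer the challenge."""
    pub, _priv = make_toy_keypair()
    server = Server([pub])
    return not run_login(server, "alice", pub, lambda c: response_for(c))


def unauthorized_key_rejected():
    """A key that was never added to authorized_keys is not even challenged."""
    pub, _priv = make_toy_keypair()
    try:
        Server([]).challenge("alice", pub)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("honest client accepted:", honest_login_succeeds())
    print("impostor rejected:", impostor_login_fails())
    print("unlisted key rejected:", unauthorized_key_rejected())
```

Two details carry over to the real protocol: the server discards each challenge after one use, so a recorded exchange cannot be replayed, and a key that is not in the authorized list is refused before any challenge is issued, which is why the public key must be installed on each server first.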