58 lines
2.7 KiB
Markdown
58 lines
2.7 KiB
Markdown
|
#documentation
|
||
|
## Terms
|
||
|
The following terms should be standardized across the document.
|
||
|
#### Client
|
||
|
- The user side local computer that connects *to* a remote host, typically a server.
|
||
|
- This side has the **private key**, which you should keep secure
|
||
|
- The private key decrypts data
|
||
|
#### Server
|
||
|
- The remote computer that the client connects to.
|
||
|
- This side has the **public key**, which doesn't need to be secure
|
||
|
- The public key encrypts data
|
||
|
|
||
|
## SSH Keypairs
|
||
|
SSH keypair authentication relies on asymmetrical encryption, and is only used for authentication. Once they exchange the needed info, they use the Diffie-Hellman Key Exchange Algorithm to create a symmetrical key(can decrypt and encrypt). This is used to encrypt the rest of the session.
|
||
|
|
||
|
|
||
|
## Setup
|
||
|
1. Generate an SSH keypair from the *client* with:
|
||
|
```
|
||
|
ssh-keygen -t ed25519
|
||
|
```
|
||
|
- Note: while ed25519 encryption is much more secure than rsa4096, it's not universally supported. When using older versions of OpenSSH, generate a key with `ssh-keygen -t rsa -b 4096` to generate an rsa4096 keypair. This should be compatible with almost every implementation of SSH.
|
||
|
2. Follow the prompts onscreen:
|
||
|
- You will be asked where to save the key, the default location is typically correct(`~/.ssh/KEYNAME`) where `KEYNAME` is the name of your keypair.
|
||
|
- You will then be prompted for a password. This password is used alongside the keypair, and is optional(leave blank if you want passwordless login)
|
||
|
3. Copying the public key to the server
|
||
|
- There should now be two files in `~/.ssh` with the format `id_ENCRYPTIONMETHOD` and `id_ENCRYPTIONMETHOD.pub` (EG: `id_ed25519` and `id_ed25519.pub`)
|
||
|
```
|
||
|
ssh-copy-id USERNAME@SERVERADDRESS
|
||
|
```
|
||
|
- EG: `ssh-copy-id foo@192.168.0.10`
|
||
|
- Restart the SSH daemon, and test for functionality
|
||
|
## Further Configuration
|
||
|
|
||
|
### Disabling password based login
|
||
|
1. Edit `/etc/ssh/sshd_config` to have an uncommented line that says:
|
||
|
```
|
||
|
PasswordAuthenntication no
|
||
|
```
|
||
|
- This will prevent clients from logging on with a password entirely, unless the SSH key was configured with a passcode.
|
||
|
- Reload the SSH daemon.
|
||
|
|
||
|
### Storing keys on github
|
||
|
1. See https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account about adding keys, access public keys at `https://github.com/USERNAME.keys`
|
||
|
- You can then add public keys to your server with `curl https://github.com/USERNAME.keys | tee -a ~/.ssh/authorized_keys`
|
||
|
- A similar method should exist across most git clients.
|
||
|
---
|
||
|
|
||
|
|
||
|
## Further Reading
|
||
|
- https://www.hostinger.com/tutorials/ssh
|
||
|
- https://www.hostinger.com/tutorials/ssh-tutorial-how-does-ssh-work
|
||
|
- https://www.digitalocean.com/community/tutorials/ssh-essentials-working-with-ssh-servers-clients-and-keys
|
||
|
|
||
|
|
||
|
|
||
|
|