vault backup: 2023-08-26 11:35:12
59
IT/Setting up SSH keys.md
Normal file
@ -0,0 +1,59 @@
#documentation
## Terms
The following terms should be standardized across the document.
#### Client
- The user side local computer that connects *to* a remote host, typically a server.
- This side has the **private key**, which you should keep secure
- The private key decrypts data
#### Server
- The remote computer that the client connects to.
- This side has the **public key**, which doesn't need to be secure
- The public key encrypts data
## SSH Keypairs
SSH keypair authentication relies on asymmetrical encryption, and is only used for authentication. Once they exchange the needed info, they use the Diffie-Hellman Key Exchange Algorithm to create a symmetrical key(can decrypt and encrypt). This is used to encrypt the rest of the session.


## Setup
1. Generate an SSH keypair from the *client* with:
```
ssh-keygen -t ed25519
```
- Note: while ed25519 encryption is much more secure than rsa4096, it's not universally supported. When using older versions of OpenSSH, generate a key with `ssh-keygen -t rsa -b 4096` to generate an rsa4096 keypair. This should be compatible with almost every implementation of SSH.
2. Follow the prompts onscreen:
- You will be asked where to save the key, the default location is typically correct(`~/.ssh/KEYNAME`) where `KEYNAME` is the name of your keypair.
- You will then be prompted for a password. This password is used alongside the keypair, and is optional(leave blank if you want passwordless login)
3. Copying the public key to the server
- There should now be two files in `~/.ssh` with the format `id_ENCRYPTIONMETHOD` and `id_ENCRYPTIONMETHOD.pub` (EG: `id_ed25519` and `id_ed25519.pub`)
```
ssh-copy-id USERNAME@SERVERADDRESS
```
- EG: `ssh-copy-id foo@192.168.0.10`
- Restart the SSH daemon, and test for functionality
If you're unable to use `ssh-copy-id`, append the contents of your `pubkey` file to `~/.ssh/authorized_keys`, you may need to create the file if if one is not there.
## Further Configuration
### Disabling password based login
1. Edit `/etc/ssh/sshd_config` to have an uncommented line that says:
```
PasswordAuthenntication no
```
- This will prevent clients from logging on with a password entirely, unless the SSH key was configured with a passcode.
- Reload the SSH daemon.
### Storing keys on github
1. See https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account about adding keys, access public keys at `https://github.com/USERNAME.keys`
- You can then add public keys to your server with `curl https://github.com/USERNAME.keys | tee -a ~/.ssh/authorized_keys`
- A similar method should exist across most git clients.
---


## Further Reading
- https://www.hostinger.com/tutorials/ssh
- https://www.hostinger.com/tutorials/ssh-tutorial-how-does-ssh-work
- https://www.digitalocean.com/community/tutorials/ssh-essentials-working-with-ssh-servers-clients-and-keys
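Review bot: the directive in the "Disabling password based login" block is misspelled as `PasswordAuthenntication no`; sshd treats an unknown keyword as a fatal error ("Bad configuration option") and will refuse to start or reload with that line in place, so it needs to read `PasswordAuthentication no`, and the "Reload the SSH daemon" bullet should be preceded by a `sshd -t` check so a typo like this is caught before the running daemon is touched. The bullet that follows it also conflates two things: a passphrase on the key only unlocks the private key on the client and has no effect on whether the server accepts password logins, so "unless the SSH key was configured with a passcode" should be reworded or dropped. Two smaller points in the same hunk: in the Terms section the private key is described as decrypting and the public key as encrypting, but for SSH public-key authentication the private key signs a challenge and the server verifies that signature with the public key, so "signs"/"verifies" would be the accurate wording; and the "Restart the SSH daemon" step after `ssh-copy-id` is unnecessary, since `authorized_keys` is read at each login and no restart is needed for a newly added key to work.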