#documentation

## Terms

The following terms should be standardized across the document.

#### Client

- The user-side local computer that connects *to* a remote host, typically a server.
- This side has the **private key**, which you should keep secure.
- The private key decrypts data.

#### Server

- The remote computer that the client connects to.
- This side has the **public key**, which doesn't need to be kept secret.
- The public key encrypts data.

## SSH Keypairs

SSH keypair authentication relies on asymmetric encryption and is used only for authentication. Once the two sides have exchanged the needed information, they use the Diffie-Hellman key exchange algorithm to create a symmetric key (one key that both encrypts and decrypts), which is used to encrypt the rest of the session.

## Setup

1. Generate an SSH keypair from the *client* with:

   ```
   ssh-keygen -t ed25519
   ```

   - Note: while ed25519 keys are much more secure than rsa4096, they're not universally supported. When using older versions of OpenSSH, generate an rsa4096 keypair with `ssh-keygen -t rsa -b 4096`; this should be compatible with almost every implementation of SSH.

2. Follow the prompts on screen:
   - You will be asked where to save the key. The default location (`~/.ssh/KEYNAME`, where `KEYNAME` is the name of your keypair) is typically correct.
   - You will then be prompted for a password. This password is used alongside the keypair and is optional (leave it blank if you want passwordless login).

3. Copy the public key to the server:
   - There should now be two files in `~/.ssh` with the format `id_ENCRYPTIONMETHOD` and `id_ENCRYPTIONMETHOD.pub` (e.g. `id_ed25519` and `id_ed25519.pub`).

   ```
   ssh-copy-id USERNAME@SERVERADDRESS
   ```

   - E.g. `ssh-copy-id foo@192.168.0.10`
   - Restart the SSH daemon, and test for functionality.

   If you're unable to use `ssh-copy-id`, append the contents of your public key (`.pub`) file to `~/.ssh/authorized_keys` on the server; you may need to create the file if one is not there.
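The manual fallback in step 3 (appending a public key to `~/.ssh/authorized_keys` by hand) is where most setups go wrong: the same key pasted twice, a non-key line pasted in, or permissions loose enough that sshd's `StrictModes` check refuses the file. The following is an added shell example, not part of the original notes, that does the append safely. The helper names `add_authorized_key` and `import_keys` are assumptions of this example; the key line and the target path are passed as arguments so the functions can be exercised against a scratch directory, and `import_keys` is also suitable for feeding it the `https://github.com/USERNAME.keys` output used in the GitHub section below.

```shell
#!/bin/sh
# Added example (not from the original page): safe manual equivalent of ssh-copy-id.
# Appends one OpenSSH public key line to an authorized_keys file, skipping
# duplicates and enforcing the permissions sshd expects (700 on the directory,
# 600 on the file). Both paths are arguments so it can be tested in a temp dir.

# add_authorized_key KEYLINE AUTHORIZED_KEYS_PATH
# Returns 0 if the key was appended, 1 if it was already present,
# 2 if the line does not look like an OpenSSH public key.
add_authorized_key() {
    key="$1"
    file="$2"
    dir=$(dirname "$file")

    # Accept only recognised OpenSSH key-type prefixes; reject comments,
    # blank lines and anything else that was pasted by accident.
    case "$key" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"*|"sk-ssh-ed25519@openssh.com "*|"sk-ecdsa-sha2-nistp"*) ;;
        *) return 2 ;;
    esac

    # Fields 1 and 2 (type + base64 blob) identify the key; the trailing
    # comment (user@host) may legitimately differ between copies.
    blob=$(printf '%s\n' "$key" | awk '{print $1" "$2}')

    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$file"
    chmod 600 "$file"

    # Already present? Compare type+blob only, ignoring the comment field.
    if awk -v b="$blob" '($1" "$2)==b {found=1} END {exit !found}' "$file"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$file"
    return 0
}

# import_keys AUTHORIZED_KEYS_PATH < keys.txt
# Feeds every line of stdin (e.g. the output of curl https://github.com/USERNAME.keys)
# through add_authorized_key and prints how many keys were actually added.
import_keys() {
    file="$1"
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        if add_authorized_key "$line" "$file"; then
            added=$((added + 1))
        fi
    done
    echo "$added"
}
```

Usage on the server would be `curl -fsS https://github.com/USERNAME.keys | import_keys ~/.ssh/authorized_keys`, which reports how many new keys were written rather than blindly appending whatever the feed returned.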
## Further Configuration

### Disabling password based login

1. Edit `/etc/ssh/sshd_config` to have an uncommented line that says:

   ```
   PasswordAuthentication no
   ```

   - This will prevent clients from logging on with a password entirely, unless the SSH key was configured with a passcode.
   - Reload the SSH daemon.

### Storing keys on GitHub

1. See https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account about adding keys. Your public keys can then be accessed at `https://github.com/USERNAME.keys`.
   - You can add those public keys to your server with `curl https://github.com/USERNAME.keys | tee -a ~/.ssh/authorized_keys`
   - A similar method should exist across most git hosting services.

---

## Further Reading

- https://www.hostinger.com/tutorials/ssh
- https://www.hostinger.com/tutorials/ssh-tutorial-how-does-ssh-work
- https://www.digitalocean.com/community/tutorials/ssh-essentials-working-with-ssh-servers-clients-and-keys
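A caveat for the "Disabling password based login" section above: sshd takes the *first* uncommented occurrence of a keyword (keyword matching is case-insensitive), so a `PasswordAuthentication yes` line earlier in the file, or a misspelled keyword, leaves password login enabled even though you added the right line. The following is an added shell example, not part of the original notes, that reads the effective top-level value of a keyword from a config file so you can confirm the setting before reloading the daemon. The helper names `sshd_effective` and `password_login_disabled` are assumptions of this example; it handles the `Keyword value` form and skips `Match` blocks, whose settings apply only conditionally.

```shell
#!/bin/sh
# Added example (not from the original page): offline check of the effective
# value of a sshd_config keyword. Mirrors sshd's rule that the first
# uncommented, top-level occurrence wins; later duplicates are ignored.

# sshd_effective KEYWORD CONFIG_PATH [DEFAULT]
# Prints the first non-comment, top-level value for KEYWORD, or DEFAULT
# (empty if not given) when the keyword never appears.
sshd_effective() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" -v def="${3:-}" '
        {
            sub(/#.*/, "")                 # strip comments; awk re-splits fields
            if (NF == 0) next              # blank or comment-only line
            k = tolower($1)                # keywords are case-insensitive
            if (k == "match") { inmatch = 1; next }   # Match block: conditional, skip
            if (inmatch) next              # everything after Match belongs to it
            if (k == kw && !done) { print $2; done = 1 }   # first occurrence wins
        }
        END { if (!done) print def }
    ' "$2"
}

# password_login_disabled CONFIG_PATH
# Returns 0 when PasswordAuthentication is effectively "no". The sshd
# default for this keyword is "yes", so an absent line means passwords work.
password_login_disabled() {
    [ "$(sshd_effective PasswordAuthentication "$1" yes)" = "no" ]
}
```

On the server itself, `sshd -t` validates the file's syntax and `sshd -T` prints the full effective configuration; the function above is the equivalent for checking one keyword in a file you have not deployed yet.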