notes/Setting up SSH keys.md
2022-10-23 14:32:43 -06:00

58 lines
2.7 KiB
Markdown

#documentation
## Terms
The following terms should be standardized across the document.
#### Client
- The user side local computer that connects *to* a remote host, typically a server.
- This side has the **private key**, which you should keep secure
- The private key decrypts data
#### Server
- The remote computer that the client connects to.
- This side has the **public key**, which doesn't need to be secure
- The public key encrypts data
## SSH Keypairs
SSH keypair authentication relies on asymmetrical encryption, and is only used for authentication. Once they exchange the needed info, they use the Diffie-Hellman Key Exchange Algorithm to create a symmetrical key(can decrypt and encrypt). This is used to encrypt the rest of the session.
## Setup
1. Generate an SSH keypair from the *client* with:
```
ssh-keygen -t ed25519
```
- Note: while ed25519 encryption is much more secure than rsa4096, it's not universally supported. When using older versions of OpenSSH, generate a key with `ssh-keygen -t rsa -b 4096` to generate an rsa4096 keypair. This should be compatible with almost every implementation of SSH.
2. Follow the prompts onscreen:
- You will be asked where to save the key, the default location is typically correct(`~/.ssh/KEYNAME`) where `KEYNAME` is the name of your keypair.
- You will then be prompted for a password. This password is used alongside the keypair, and is optional(leave blank if you want passwordless login)
3. Copying the public key to the server
- There should now be two files in `~/.ssh` with the format `id_ENCRYPTIONMETHOD` and `id_ENCRYPTIONMETHOD.pub` (EG: `id_ed25519` and `id_ed25519.pub`)
```
ssh-copy-id USERNAME@SERVERADDRESS
```
- EG: `ssh-copy-id foo@192.168.0.10`
- Restart the SSH daemon, and test for functionality
## Further Configuration
### Disabling password based login
1. Edit `/etc/ssh/sshd_config` to have an uncommented line that says:
```
PasswordAuthenntication no
```
- This will prevent clients from logging on with a password entirely, unless the SSH key was configured with a passcode.
- Reload the SSH daemon.
### Storing keys on github
1. See https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account about adding keys, access public keys at `https://github.com/USERNAME.keys`
- You can then add public keys to your server with `curl https://github.com/USERNAME.keys | tee -a ~/.ssh/authorized_keys`
- A similar method should exist across most git clients.
---
## Further Reading
- https://www.hostinger.com/tutorials/ssh
- https://www.hostinger.com/tutorials/ssh-tutorial-how-does-ssh-work
- https://www.digitalocean.com/community/tutorials/ssh-essentials-working-with-ssh-servers-clients-and-keys