notes/Setting up SSH keys.md

#documentation

Terms

The following terms are used consistently throughout this document.

Client

  • The user's local computer, which connects to a remote host (typically a server).
  • This side holds the private key, which you must keep secure.
  • The private key decrypts data.

Server

  • The remote computer that the client connects to.
  • This side holds the public key, which does not need to be kept secret.
  • The public key encrypts data.

SSH Keypairs

SSH keypair authentication relies on asymmetric encryption and is used only for authentication. Once the client and server have exchanged the needed information, they use the Diffie-Hellman key exchange algorithm to derive a symmetric key (a single key that both encrypts and decrypts). That symmetric key encrypts the rest of the session.

Setup

  1. Generate an SSH keypair on the client with:
    ssh-keygen -t ed25519
    
  • Note: while ed25519 is much more secure than rsa4096, it is not universally supported. With older versions of OpenSSH, run ssh-keygen -t rsa -b 4096 to generate an rsa4096 keypair instead; this is compatible with almost every implementation of SSH.
  2. Follow the prompts on screen:
    • You will be asked where to save the key. The default location is usually correct (~/.ssh/KEYNAME, where KEYNAME is the name of your keypair).
    • You will then be prompted for a password. This password is used alongside the keypair and is optional (leave it blank if you want passwordless login).
  3. Copy the public key to the server:
    • There should now be two files in ~/.ssh named id_ENCRYPTIONMETHOD and id_ENCRYPTIONMETHOD.pub (e.g. id_ed25519 and id_ed25519.pub).
    ssh-copy-id USERNAME@SERVERADDRESS
    • e.g. ssh-copy-id foo@192.168.0.10
    • Restart the SSH daemon, and test for functionality.

If you are unable to use ssh-copy-id, append the contents of your public key file to ~/.ssh/authorized_keys on the server; you may need to create the file if it does not exist.

Further Configuration

Disabling password based login

  1. Edit /etc/ssh/sshd_config so that it contains an uncommented line that says:
   PasswordAuthentication no
  • This will prevent clients from logging on with a password entirely, unless the SSH key was configured with a password.
  • Reload the SSH daemon.
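sshd keeps the first value it reads for a keyword, so a "PasswordAuthentication no" that appears after an earlier "yes" (or after an Include line that supplies one) changes nothing, and a misspelled keyword is simply an error that stops sshd from starting. The following is an added example, not part of the original note: a small POSIX shell check of what the global section of a given sshd_config resolves to, with function names of my own choosing. Note also that the password on a private key is entered on the client when the key is unlocked; the server only ever sees the resulting signature, so this setting does not govern it.

```shell
#!/bin/sh
# Hypothetical helper, written for this note and not part of OpenSSH.
# Rules it follows (all documented sshd_config behaviour):
#  - the FIRST value read for a keyword wins, later lines are ignored
#  - commented lines have no effect
#  - everything after a Match line applies only to matching connections
#  - keywords are case-insensitive and "Keyword=value" is allowed
# Include directives are not followed here; `sshd -T` prints the fully
# resolved configuration when you need the real answer.
effective_password_auth() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }                  # comments and blank lines
    { gsub(/=/, " ") }                              # Keyword=value -> Keyword value
    tolower($1) == "match" { in_match = 1 }         # rest of file is conditional
    in_match { next }
    tolower($1) == "passwordauthentication" && !found { print tolower($2); found = 1 }
    END { if (!found) print "yes" }                 # OpenSSH default when unset
  ' "$1"
}

# Lines whose keyword mentions "password" but is not one of the two real
# keywords: a typo such as PasswordAuthenntication is silently ignored by the
# check above and rejected by `sshd -t` as a bad configuration option.
misspelled_password_keywords() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }
    { kw = tolower($1); sub(/=.*/, "", kw) }
    kw ~ /password/ && kw != "passwordauthentication" && kw != "permitemptypasswords" { print }
  ' "$1"
}

# Exit 0 only when password logins are off in the global section.
assert_passwords_disabled() {
  if [ "$(effective_password_auth "$1")" = "no" ]; then
    return 0
  fi
  echo "PasswordAuthentication is still enabled in $1" >&2
  return 1
}
```

Run it as `assert_passwords_disabled /etc/ssh/sshd_config` before reloading the daemon, and `misspelled_password_keywords /etc/ssh/sshd_config` when the setting seems to have no effect. On systems whose sshd_config begins with an Include of a drop-in directory, a drop-in file can set the value first, which is exactly the case `sshd -T` resolves and this single-file check does not.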

Storing keys on GitHub

  1. See https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account for adding keys to your account. The account's public keys are then available at https://github.com/USERNAME.keys
    • You can add those public keys to your server with curl https://github.com/USERNAME.keys | tee -a ~/.ssh/authorized_keys
    • A similar method should exist on most git hosting services.
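ssh-copy-id does three things that are easy to miss when appending by hand: it creates ~/.ssh with mode 700 if needed, keeps authorized_keys at mode 600 (sshd ignores the file when either is group- or world-writable), and skips keys that are already installed. The added example below, written for this note and not part of it or of OpenSSH, reproduces that for the manual fallback in Setup step 3 and for a list of keys saved from https://github.com/USERNAME.keys; it runs on the server as the account that should accept the key. All function names are my own.

```shell
#!/bin/sh
# Hypothetical helper script for managing ~/.ssh/authorized_keys without
# ssh-copy-id. Run on the SERVER as the target account.

# Print "<type> <base64 blob>" for a public key line, dropping the comment,
# so the same key with a different comment is recognised as a duplicate.
key_id_of() {
  printf '%s\n' "$1" | awk '{ print $1 " " $2 }'
}

# Return 0 if the line looks like an OpenSSH public key: a known key type
# followed by a non-empty base64 blob. Anything else (an HTML error page,
# an empty response) is rejected rather than appended.
looks_like_pubkey() {
  case $1 in
    "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*|"sk-ssh-ed25519@openssh.com "*) ;;
    *) return 1 ;;
  esac
  blob=$(printf '%s\n' "$1" | awk '{ print $2 }')
  case $blob in
    ""|*[!A-Za-z0-9+/=]*) return 1 ;;
  esac
  return 0
}

# Return 0 if the key (type + blob) is already in $1/authorized_keys.
has_authorized_key() {
  [ -f "$1/authorized_keys" ] && grep -qF -- "$(key_id_of "$2")" "$1/authorized_keys"
}

# Append one public key line to $1/authorized_keys, creating the directory
# and file with the modes sshd's default StrictModes requires.
# $1 is the .ssh directory, normally "$HOME/.ssh"; $2 is the key line.
add_authorized_key() {
  ssh_dir=$1
  key_line=$2
  if ! looks_like_pubkey "$key_line"; then
    echo "refusing to add a line that is not a public key: $key_line" >&2
    return 1
  fi
  mkdir -p "$ssh_dir"
  chmod 700 "$ssh_dir"
  touch "$ssh_dir/authorized_keys"
  chmod 600 "$ssh_dir/authorized_keys"
  if has_authorized_key "$ssh_dir" "$key_line"; then
    return 0    # already installed; appending again would only add noise
  fi
  printf '%s\n' "$key_line" >> "$ssh_dir/authorized_keys"
}

# Import every valid key from a file holding one key per line, such as the
# saved output of: curl -fsS https://github.com/USERNAME.keys -o keys.txt
# Prints the number of keys that were actually added.
import_key_list() {
  ssh_dir=$1
  added=0
  while IFS= read -r line || [ -n "$line" ]; do
    [ -n "$line" ] || continue
    if has_authorized_key "$ssh_dir" "$line"; then
      continue
    fi
    if add_authorized_key "$ssh_dir" "$line" 2>/dev/null; then
      added=$((added + 1))
    fi
  done < "$2"
  echo "$added"
}

# Return 0 when the .ssh directory and authorized_keys have modes sshd will
# accept: neither may be writable by group or others. (sshd also checks the
# home directory itself, which this helper leaves to the reader.)
check_ssh_perms() {
  for p in "$1" "$1/authorized_keys"; do
    [ -e "$p" ] || { echo "missing: $p" >&2; return 1; }
    mode=$(ls -ld "$p" | awk '{ print $1 }')
    case $mode in
      ?????w*|????????w*) echo "too permissive: $p ($mode)" >&2; return 1 ;;
    esac
  done
  return 0
}
```

For the manual fallback: `add_authorized_key "$HOME/.ssh" "$(cat id_ed25519.pub)"` with the .pub file copied over by any other channel. For GitHub: save the list first with `curl -fsS https://github.com/USERNAME.keys -o keys.txt`, then `import_key_list "$HOME/.ssh" keys.txt`; each line is validated before it is appended, so an empty response or an error page is dropped instead of landing in authorized_keys as it would when piping straight into `tee -a`. Keep in mind that every key listed on the GitHub account, not just the one you generated for this server, is granted access this way.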

Further Reading