2.7 KiB
2.7 KiB
#documentation
Terms
The following terms should be standardized across the document.
Client
- The user side local computer that connects to a remote host, typically a server.
- This side has the private key, which you should keep secure
- The private key decrypts data
Server
- The remote computer that the client connects to.
- This side has the public key, which doesn't need to be secure
- The public key encrypts data
SSH Keypairs
SSH keypair authentication relies on asymmetrical encryption, and is only used for authentication. Once they exchange the needed info, they use the Diffie-Hellman Key Exchange Algorithm to create a symmetrical key(can decrypt and encrypt). This is used to encrypt the rest of the session.
Setup
- Generate an SSH keypair from the client with:
ssh-keygen -t ed25519
- Note: while ed25519 encryption is much more secure than rsa4096, it's not universally supported. When using older versions of OpenSSH, generate a key with
ssh-keygen -t rsa -b 4096
to generate an rsa4096 keypair. This should be compatible with almost every implementation of SSH.
- Follow the prompts onscreen:
- You will be asked where to save the key, the default location is typically correct(
~/.ssh/KEYNAME
) whereKEYNAME
is the name of your keypair. - You will then be prompted for a password. This password is used alongside the keypair, and is optional(leave blank if you want passwordless login)
- You will be asked where to save the key, the default location is typically correct(
- Copying the public key to the server
- There should now be two files in
~/.ssh
with the formatid_ENCRYPTIONMETHOD
andid_ENCRYPTIONMETHOD.pub
(EG:id_ed25519
andid_ed25519.pub
)
ssh-copy-id USERNAME@SERVERADDRESS
- EG:
ssh-copy-id foo@192.168.0.10
- Restart the SSH daemon, and test for functionality
Further Configuration
Disabling password based login
- Edit
/etc/ssh/sshd_config
to have an uncommented line that says:
PasswordAuthenntication no
- This will prevent clients from logging on with a password entirely, unless the SSH key was configured with a passcode.
- Reload the SSH daemon.
Storing keys on github
- See https://docs.github.com/en/authentication/connecting-to-github-with-ssh/adding-a-new-ssh-key-to-your-github-account about adding keys, access public keys at
https://github.com/USERNAME.keys
- You can then add public keys to your server with
curl https://github.com/USERNAME.keys | tee -a ~/.ssh/authorized_keys
- A similar method should exist across most git clients.
- You can then add public keys to your server with