SSH keys
More detailed guide by Digital Ocean https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
You will have two keys (in a pair):
- Public
This one will be on the server you are logging in to. If this one gets stolen it isn't that big of a deal.
- Private
This is the one that will live on your machine, so be careful with it. It lets you log into any server that has the public key from its pair.
Keep in mind you don't need a new pair for every server; you can use one pair for everything if you want (but if that one gets compromised, access to all of them does).
For SSH
Generate
You can do this on a Windows machine if you have OpenSSH installed.
- Start generating key
ssh-keygen
- Pick a name for your private SSH key (the default is id_rsa, without any file extension)
- You can give it a passphrase (password) if you want; it adds another layer of security.
Move private key to proper location
Linux: ~/.ssh
mv example ~/.ssh
Windows: C:\Users\username\.ssh
Copy public key to target server
Using scp
scp .\example.pub user@serverip:/home/user/.ssh
Add public key to authorized_keys
cat /home/user/.ssh/example.pub >> /home/user/.ssh/authorized_keys
Use >> to append; a single > would replace any keys already in the file.
Connect using your private key
By default OpenSSH looks for a file named id_rsa. If you haven't changed your key's name, you can use
ssh user@serverip
If you changed your key's name, you need to specify which key to use with the -i parameter
ssh user@serverip -i /path/to/example
This works on Linux and Windows. In PowerShell (which translates some Unix conventions to Windows APIs, so ~ is your home directory even on Windows) you can write the path as
ssh user@serverip -i ~\.ssh\example
Disable password login
Edit /etc/ssh/sshd_config
sudo nano /etc/ssh/sshd_config
- On line 57 find “#PasswordAuthentication Yes”
- Change Yes to No
- Remove # from the line
- Restart sshd service
sudo systemctl restart sshd
Optional
- Change ChallengeResponseAuthentication to No
- Change UsePAM to No
- Restart sshd service
sudo systemctl restart sshd
Now you must log in using your SSH key. Do not lose it. Before closing your current session, open a second one to confirm that key login works; otherwise you can lock yourself out.
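The two server-side steps above (adding the key to authorized_keys, then disabling password login) as a worked example; this is added here and is not part of the original guide. The key material, file paths and sshd_config lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original guide): install a public key into
# authorized_keys safely and audit a sshd_config for password login.

# Append a public key only if it is not already present (cat with '>' would
# replace existing keys), then tighten permissions, which sshd checks when
# StrictModes is on.
install_pubkey() {
    pub="$1"; auth="$2"
    sshdir=$(dirname "$auth")
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth"
    if grep -qxF -- "$(cat "$pub")" "$auth"; then
        echo "already present"
    else
        cat "$pub" >> "$auth"
        echo "added"
    fi
    chmod 600 "$auth"
}

# Return 0 when the effective PasswordAuthentication setting is "no".
# Comments are skipped, keywords are case-insensitive, and the FIRST
# uncommented directive wins (sshd keeps the first value it reads), so a
# later "no" does not override an earlier "yes". Match blocks are not parsed.
password_auth_disabled() {
    awk '
        /^[[:space:]]*#/ { next }                      # skip comments
        tolower($1) == "match" { exit }                # stop at Match blocks
        tolower($1) == "passwordauthentication" { print tolower($2); exit }
    ' "$1" | grep -qx no
}

# Demo with a constructed key and config in a temp directory.
demo=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYNOTREAL example@laptop\n' > "$demo/example.pub"
install_pubkey "$demo/example.pub" "$demo/.ssh/authorized_keys"   # prints "added"
install_pubkey "$demo/example.pub" "$demo/.ssh/authorized_keys"   # prints "already present"
printf '#PasswordAuthentication yes\nPasswordAuthentication no\n' > "$demo/sshd_config"
if password_auth_disabled "$demo/sshd_config"; then echo "password login disabled"; fi
rm -rf "$demo"
```

On a live server, `sshd -T | grep -i passwordauthentication` prints the effective value and is the authoritative check.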
For Filezilla (SFTP)
FileZilla can't connect over SFTP using the OpenSSH key format, so we need to convert the key to a PuTTY compatible format.
- Install PuTTY
winget install PuTTY.PuTTY
Convert key
- Run PuTTYgen
- In the Conversion tab use “Import Key”
- (Optional) You can remove the comment and add a password for the key
- In the top bar, open Key > Parameters for saving key files
- Select PPK version 2 and click OK
- Click “Save Private Key”
- I recommend you name the file the same as the OpenSSH one with a .ppk extension, for example “example.ppk”
Load key
- Run Pageant (installed alongside PuTTY)
- Open it by double clicking it in the system tray
- Add key
- Sidenote: this isn't persistent. Your key is only loaded until you quit Pageant.
You can get around this by creating a full PuTTY profile, but that is for another guide
Log in using key
- Run FileZilla
- Host: sftp://serverip
- Username: username
- Port: your SSH port (default is 22)
- Password: leave empty, even if FileZilla asks you again
- You should be logged in