Generating and Using RSA SSH keys

2009-05-20

Category: Linux

The Problem

Passwords are insecure. Unless you lock out accounts with something like fail2ban, then ssh accounts can and will be bruteforced by malicious attackers. Changing the port from 22 can help, but better still is not using passwords to secure ssh logins. Public key cryptography is the answer.

In this article, I explain how to get up and running with RSA keys in Linux.

The Solution

Why not a password?

Put simply, a password alone is insecure. An unknown attacker, once he has your password he is in. Key-based authentication requires they in addition to your passphrase (if you use one (which I recommend for mobile use)) must also have a copy of they private key. This makes it multi-factor authentication

Multifactor authentication uses one or more of the following.

Something you know (eg. a password.)
Something you have (eg. a usb drive with your private key on it.)
Something you are (This is where biometrics can enter the picture.)

Traditional password only authentication is 'single-factor authentication'. 'Multi-factor authentication' takes one (or more) authentication options from each category to increase the level of security. Having two authentication checks from a single category isn't really much more secure than a single check from the same category.

What is a key?

Put simply, a key pair (or key if you only mean one half of the pair) is a pair of long numbers that are used for public key cryptography.

Public key cryptography relies on the property of certain mathematical functions so that if

 plaintext -> public key = cyphertext
but,
cyphertext -> public key wont work.

The process is one-way with each key. To decode we need to use the second key, then private key.

cyphertext -> private key = plaintext

The choice of which key is which is fairly arbitrary, since at creation generally the keys are created equal and only the fact that we label them differently and use them for different purposes is the only real differentiating factor between them.

If cryptography interests you then I can not fail to recommend Bruce Schneier's Applied Cryptography as a starting point.

Generating the keys

Generating the key isn't difficult.


[root@server1 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): test_key
Enter passphrase (empty for no passphrase): my passphrase
Enter same passphrase again: my passphrase
Your identification has been saved in test_key.
Your public key has been saved in test_key.pub.
The key fingerprint is:
54:ae:59:31:8c:fc:64:a2:70:4a:03:21:6d:39:66:82 root@xen1
[root@server1 ~]#

I recommend using a passphrase to secure the key unless you are pretty sure you know what you are doing. Since without a passphrase the owner of the private half of the key is able to login to any server you install the public key to without any passwords.

Installing the keys on a server

Installing the keys to the server is fairly easy.


[root@xen1 ~]# scp test_key.pub root@192.168.20.133:/root/
root@192.168.20.133's password: password
test_key.pub                                  100%  391     0.4KB/s   00:00
[root@xen1 ~]# ssh root@192.168.20.133
root@192.168.20.133's password: password

Linux debian 2.6.26-2-686 #1 SMP Mon May 11 19:00:59 UTC 2009 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.

debian:~# cat test_key.pub >> ~/.ssh/authorized_keys
-bash: /root/.ssh/authorized_keys: No such file or directory
debian:~# ls -l
total 4
-rw-r--r-- 1 root root 391 2009-05-20 17:47 test_key.pub
debian:~# mkdir .ssh
debian:~# chmod 700 .ssh
debian:~# cat test_key.pub >> ~/.ssh/authorized_keys

This was a virgin debian system and the .ssh directory didn't exist, because of this we failed to copy our key into the required file initially.

The key is only installed for a single user, if you want to be able to login with multiple users with a key you need to install it for each user.

Testing and using the keys

Testing and using the key is very simple


[root@xen1 ~]# ssh -i test_key root@192.168.20.133
Linux debian 2.6.26-2-686 #1 SMP Mon May 11 19:00:59 UTC 2009 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed May 20 17:48:15 2009 from xen1.local
debian:~#

If there was a passphrase on this key, you would have been prompted for it as a second step before logging you in.

Without a passphrase you can do interesting things such as


[root@xen1 ~]# ssh -i test_key root@192.168.20.133 df -h
Filesystem            Size  Used Avail Use% Mounted on
/dev/mapper/VolGroup00-lennyroot
                       19G  3.1G   16G  17% /
tmpfs                 245M     0  245M   0% /lib/init/rw
udev                   10M  148K  9.9M   2% /dev
tmpfs                 245M     0  245M   0% /dev/shm
/dev/md0               99M   23M   72M  24% /boot
192.168.20.250:/mnt/download
                      939G  932G  6.6G 100% /mnt/download
/dev/sdc1             2.0G  232M  1.7G  12% /media/EXTERNAL
[root@xen1 ~]#

Which has a lot of uses in scripts and automation

Pitfalls

The biggest potential issue with this method, is that if you lose your keys and there is no passphrase on them, then you have essentially handed your account to an unknown attacker. For this reason it is a good idea to secure the keys with a passphrase.