How To Work With SSH Keys
The SSH (Secure Shell) protocol works in a client-server model. Encryption secures all communication between the client and the server. SSH offers key-based authentication as an alternative to password authentication. Once authenticated, administrators can manage remote servers by issuing commands much as they would after logging in locally on those servers or devices. Knowing how to work with SSH keys and how to extract useful information from them is a skill every system administrator must master.
In this article we will work with SSH keys: how to generate a key pair, how to extract useful information from a private key, which permissions the different SSH key files require, and so on.
Generating SSH keys
Generating an SSH key pair means creating a public key and a private key using an algorithm such as RSA. On success we get two files: a private key, named id_rsa by default, and a public key, named id_rsa.pub.
Remember that the public key is meant to be public: it is distributed to the remote server you will connect to, usually by registering it in the authorized_keys file on that server. As the name suggests, the private key must be kept secret and should have as little exposure as possible.
You can generate the key pair with the following command. The -b option can additionally be supplied to set the key size in bits; the article's text states that a 2048-bit key is created by default, although the default depends on the OpenSSH version, and the session below produced a 3072-bit key.
[gsingh@dbora1 .ssh]$ ssh-keygen -t rsa -C "gurjap@dbora"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/gsingh/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/gsingh/.ssh/id_rsa.
Your public key has been saved in /home/gsingh/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:nljU229Z9c1s0W2jAl0cVGgqzSuOP4Jlnc3cEYsBDms gurjap@dbora
The key's randomart image is:
+---[RSA 3072]----+
| . .. o++. |
| +....= o|
| E.o+.= oo=|
| .. ..B o.+*|
| S B.+.. B|
| * = =.o + |
| = = . + |
| . o o . |
| o.. |
+----[SHA256]-----+
Permissions
It is crucial that the correct permissions are set on each generated key file and on the authorized_keys file. Wrong permissions are a frequent reason for the initial SSH setup to fail, because sshd and the ssh client refuse to use files that are readable or writable by others. Below are the permissions that need to be set on the public key, the private key and authorized_keys. The .ssh directory in the user's home directory should have rwx------ (0700) permissions.
[gsingh@dbora1 .ssh]$ stat -c "%a %n" *
600 authorized_keys
600 id_rsa
644 id_rsa.pub
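As an added example (not part of the original article), the following Python script audits a .ssh directory against the modes listed above and can repair them. Everything in it is an assumption of the example: the name-based rule that treats every file without a .pub suffix as private material, the function names, and the throw-away sample directory it builds with deliberately wrong modes so the audit can be tried offline.

```python
# Added example (not from the original article): audit and optionally repair
# the permission bits on an ~/.ssh directory, using the modes the article
# lists: directory 0700, private keys and authorized_keys 0600, public keys 0644.
import os
import stat
import tempfile
from pathlib import Path


def expected_mode(path: Path) -> int:
    """Mode an entry should have, derived only from its name.
    Assumption of this example: anything that is not a .pub file is private."""
    if path.is_dir():
        return 0o700
    if path.suffix == ".pub":
        return 0o644
    return 0o600


def audit(ssh_dir) -> list:
    """Return (path, actual_mode, expected_mode) for every entry whose
    permission bits differ from the expected value. An empty list means clean."""
    ssh_dir = Path(ssh_dir)
    problems = []
    for entry in [ssh_dir, *sorted(ssh_dir.iterdir())]:
        if entry != ssh_dir and not entry.is_file():
            continue                      # ignore subdirectories and oddities
        actual = stat.S_IMODE(entry.stat().st_mode)
        want = expected_mode(entry)
        if actual != want:
            problems.append((str(entry), actual, want))
    return problems


def fix(ssh_dir) -> int:
    """chmod every mismatching entry to its expected mode; return how many were changed."""
    fixed = 0
    for path, _actual, want in audit(ssh_dir):
        os.chmod(path, want)
        fixed += 1
    return fixed


def make_demo_dir() -> str:
    """Constructed sample layout with deliberately wrong modes, so the audit
    can be exercised offline. The files hold placeholders, not real keys."""
    d = Path(tempfile.mkdtemp(prefix="sshperm-"))
    os.chmod(d, 0o755)                      # too open: should be 0700
    (d / "authorized_keys").write_text("ssh-rsa AAAA... placeholder\n")
    os.chmod(d / "authorized_keys", 0o664)  # group-writable: should be 0600
    (d / "id_rsa").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder)\n")
    os.chmod(d / "id_rsa", 0o644)           # world-readable private key: should be 0600
    (d / "id_rsa.pub").write_text("ssh-rsa AAAA... placeholder\n")
    os.chmod(d / "id_rsa.pub", 0o644)       # already correct
    return str(d)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.ssh")
    for path, actual, want in audit(target):
        print(f"{path}: {actual:04o} (expected {want:04o})")
```

Run it with a directory argument to report mismatches, or call fix() on the same path to apply the chmod calls; on the constructed demo directory the audit reports three problems (the directory, authorized_keys and id_rsa) and none after fix().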
Changing the Comment
A comment is simply an identifier stored with the key that says something about it, such as who the key belongs to or any other information that helps identify its purpose.
We can add a comment during key creation, as shown at the beginning of the article, or modify it later with the following command.
[gsingh@dbora1 .ssh]$ ssh-keygen -cC "updated@dbora" -f id_rsa
Key now has comment 'gurjap@dbora'
The comment in your key file has been changed.
[gsingh@dbora1 .ssh]$ cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGsj....suumYZe/482ay45FwuOqwQ3nGrST5383msd7eHx/9VI2nFD7BDUEhi/S/NrZnIQp/14O/qhoJV3...
Viewing the fingerprints of the Public Key
The fingerprint of a key is a hash of the key itself, and the fingerprint output also shows the key's comment. The comment obtained this way comes in handy if you have to recover the public key from a private key and want to confirm which key it is.
[gsingh@dbora1 .ssh]$ ssh-keygen -l -f id_rsa.pub
3072 SHA256:nljU229Z9c1s0W2jAl0cVGgqzSuOP4Jlnc3cEYsBDms updated@dbora (RSA)
Reading the Public Key
Read a private OpenSSH format file and print an OpenSSH public key to stdout
[gsingh@dbora1 .ssh]$ ssh-keygen -y -f id_rsa
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQ...GeMM66UQVExORsuumYZe/482ay45FwuOqwQ3nGrST5383msd7eHx/9VI2nFD7BDUEhi/S/NrZnIQp/14O/qhoJV3ILHs/zxCQzs0Joo5i2g81FV8wuphIjeZ+RoP1KkcBVJSS3kVS5SH97KMhuPBjdlTvnxTSHk7c3JdSVyZxyS+ynnlXmCeFC+exI+GeMcc/MPZCEWUOFcFQLvBIgjo0pw3nw83W8Q/FSEkAfk5/0xeA3QQTXvD/kInv5ZYaEPEatN4A6mf3xEcA/MdHuLB/EwcQP6+/TKgwC2x1/HlvfFaBeeFz13sbRvtzateCVlmPQ9WOsLLQ6Yfb8WmNCSf//2u/mUB2vupEJDBvaNPq6CHdBSTGVE2MoCHqfv32b7qRfJyso47nD0gpn2NArtbT6nvQ6I5uL7RcmLREk4RLD8EjegdRvjx3qzDwUVsHMfSJmNAAgRxO28z7tdUSMOJqKBE7x+Qm/qCflJ4m8pIoT4cI3l5Fk+U=
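The fingerprint shown by ssh-keygen -l and the long ssh-rsa line printed by ssh-keygen -y are two views of the same key blob. As an added example (not part of the original article), the Python below decodes such a line into its key type, public exponent, modulus and comment, and recomputes the SHA256 fingerprint the way ssh-keygen -l does: SHA-256 over the raw blob, base64-encoded with the trailing "=" padding dropped. The function names and the tiny demo key it builds are assumptions of the example; the demo modulus is a textbook toy value, not a usable key. The decoding also explains the prefix seen in the article's key line: "AAAAB3NzaC1yc2EAAAADAQAB" encodes the string "ssh-rsa" followed by the exponent 65537, and the "AAABgQ" that follows announces a 385-byte modulus field (384 bytes plus a leading sign byte), i.e. the 3072-bit key that the fingerprint line reports.

```python
# Added example (not from the original article): decode the "ssh-rsa AAAA..."
# line that "ssh-keygen -y" prints and compute the same SHA256 fingerprint that
# "ssh-keygen -l" shows. The demo key is a constructed, insecure toy value.
import base64
import hashlib
import struct


def _read_string(blob: bytes, pos: int):
    """Read one RFC 4251 'string': 4-byte big-endian length, then that many bytes."""
    if pos + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    end = pos + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[pos + 4:end], end


def parse_openssh_pubkey(line: str) -> dict:
    """Split an id_rsa.pub / authorized_keys line into type, blob and comment,
    and for ssh-rsa also unpack the public exponent e and the modulus n."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner_type, pos = _read_string(blob, 0)
    if inner_type != key_type.encode():
        raise ValueError("key type outside the blob does not match the one inside")
    info = {"type": key_type, "comment": comment, "blob": blob}
    if key_type == "ssh-rsa":
        e_bytes, pos = _read_string(blob, pos)
        n_bytes, pos = _read_string(blob, pos)
        if pos != len(blob):
            raise ValueError("unexpected trailing bytes after the RSA key")
        info["e"] = int.from_bytes(e_bytes, "big")
        info["n"] = int.from_bytes(n_bytes, "big")
        info["bits"] = info["n"].bit_length()   # the "3072" column of ssh-keygen -l
    return info


def fingerprint_sha256(blob: bytes) -> str:
    """ssh-keygen -l style fingerprint: SHA-256 of the raw blob, base64, no '=' padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def build_rsa_pubkey_line(e: int, n: int, comment: str = "") -> str:
    """Inverse of the parser: encode (e, n) as an OpenSSH ssh-rsa line."""
    def mpint(x: int) -> bytes:
        raw = x.to_bytes((x.bit_length() + 7) // 8, "big")
        if raw and raw[0] & 0x80:   # mpint is signed: prepend 0x00 if the top bit is set
            raw = b"\x00" + raw
        return raw

    def string(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b

    blob = string(b"ssh-rsa") + string(mpint(e)) + string(mpint(n))
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


# Constructed demo value: the textbook modulus 3233 = 61 * 53 with e = 65537.
# A 12-bit key is useless for security; it only keeps the output short.
DEMO_LINE = build_rsa_pubkey_line(65537, 3233, "demo@example")

if __name__ == "__main__":
    info = parse_openssh_pubkey(DEMO_LINE)
    print(DEMO_LINE)
    # Same layout as the ssh-keygen -l output shown in the article
    print(info["bits"], fingerprint_sha256(info["blob"]), info["comment"], "(RSA)")
```

The same parse_openssh_pubkey() can be pointed at each line of an authorized_keys file to list the key sizes and fingerprints that are actually trusted on a server, which is a quick way to spot stale or unexpectedly small keys.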
Extracting the Public Key in specific format
Read a private or public OpenSSH key file and print to stdout a public key in one of the formats specified by the -m option. The available -m options are:
- "PEM"
- "RFC4716"
- "PKCS8"
[gsingh@dbora1 .ssh]$ ssh-keygen -e -m "PEM" -f id_rsa
-----BEGIN RSA PUBLIC KEY-----
...
-----END RSA PUBLIC KEY-----
Passphrase a key
You can set a new passphrase on a private key, or remove the existing one, with the command shown below.
[gsingh@dbora1 .ssh]$ ssh-keygen -p -f id_rsa
Key has comment 'updated@dbora'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
To remove the passphrase, re-issue the above command and leave the new passphrase empty. The old passphrase will be required.
There are a number of other parameters that can be supplied on the ssh-keygen command line. Make sure to check out the man page.