basically my computer bug down earlier and can no longer retrieve my files from my SSD HD.
i have my id_rsa.pub with me since I emailed this to our support team before for me to access the servers.
now I execute this command "ssh-keygen -t rsa" to my computer to generate new pub key.
upon checking the file is inside .ssh and i just replace the id_rsa.pub with the file i have on my email and leave id_rsa as it is.
trying out to access the server but always give me an error "Permission denied (publickey)."
it could be because of id_rsa which is still the latest.
any way i could replace the value based on the pubkey i have?
thanks.
Simply put, no.
The big idea behind public key cryptography is that the private key (in this case, id_rsa) is always hidden and secure, and only one person (or computer) has access to it. The public key (id_rsa.pub) provides just enough information that it is safe for anyone in the world to have access to it. If you could retrieve the original private key from the public key, then your private key would not be secure1.
The new keypair that you generated is totally distinct from your old one. Whatever server you are trying to ssh into is expecting to see the request signed with your old private key. Since you don't have access to it anymore, you can't sign the request with the correct key, and the server is rejecting your ssh attempt with a public key error.
So, basically, because you lost access to your private key, you can no longer ssh using that keypair.
Your administrative team will need to put your new public key onto the server so that you can ssh using the new key.
1 Note: It is theoretically possible to generate a private key that would match an existing public key, but this process is computationally intractable. Digicert estimates that this would take 6.4 quadrillion years for a 2048-bit RSA key.
normally you have a private part of a rsa key and a public one. You spread the public key out to the internet. Now you can sign with the private key you packages or data, and everyone how knows you public key can check if this data or package is from you. So it's possible to generate a public key from a private, but i is impossible to generate a private key out of a public key in a acceptable time. So you need to generate a new one on you computer and need to put the new generated public key on your server, and you will have access again.
Related
Does anybody have an idea how can I use an ssh private key in a script to scp some files from a server using a private key to connect but make sure the key can't be extracted to be used for something else?
The servers are already deployed and new users or new keys can't be generated.
I have the root key. The script/ app should just grab a few files from a folder without exposing the key to the user.
I think you have your ideas about public/private keys backwards.
If I give you my public key, then my private key allows me to access your computer. This effectively solves your problem, as you should never share your private key, and you'll append public keys to ~/.ssh/authorized_keys file on the server you want to access.
It sounds like you already have the private key to access the server, so no need to encrypt, as you use that to access the server not the other way around.
Use it scp -i ...
Hopefully helpful, here's a tutorial on setting up keys:
https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2
I have few doubts regarding using private/public key on linux.
Suppose i have two linux boxes A and B.
I want to use password less logins to B from any computer.
so on A i did this
ssh-gen -t rsa and it made two files
id_rsa and id_rsa.pub
Then i copied id_rsa.pub to B ~/.ssh/A_id_rsa.pub and then
cat A_id_rsa.pub >> authorized_keys
Now i have these questions
Suppose i have another computer C where i also want to have passwordless login but i want to use key phrase to protect the private key. so can i generate another key using ssh-gen -t rsa with different name and use that or i have to delete the previous key
The other thing is for password less logins do need to do anything with keys from B to A or its always from A to B
So the private key will always stay on host computer only? i have seen that AWS gives the private key for login. then why is that. Beuase for putting A public key to B someone needs to access B. which is not possible for first time. so does it mean we can login with either public key or private key
Yes, you can generate a key pair on C and do the same that you did for A:
cat C_id_rsa.pub >> authorized_keys
The keys will only allow logins from A to B.
Yes the private key will stay on the host computer. I believe AWS automatically puts the public key on computer B while it creates the virtual box.
In a quick line or two:
The keys somewhat work like (very roughly): you need the public key to decrypt what is encrypted by private key and vice-versa. To be more precise, http://en.wikipedia.org/wiki/Public-key_cryptography has way better information to start with.
So to answer the questions: The private key is not normally tied to a computer. You could copy the private key from, say A to C and could login by using it from C.
You could generate multiple keys on a single host, one key-pair for each set of hosts. Similarly, you could generate keys from multiple hosts, each host publishing it's key to the target computer's (B in this example) 'authorized_keys' file.
Ideally, the private key should be as secret as possible. While the SSH or key-management would not force having the key on one computer, it should be limited to a single system as a best practice. Having said that, as far I know there is really nothing that prevents copying the private key around, say for backup or migration to a new system. In other words, the private key file is like the password, it could be literally used from any system to login.
I'm done setting up ssh login using public/private key pair. I have my id_rsa (private key) in my ~/.ssh directory and also still have id_rsa.pub (public key) in the same directory. I'm no security expert, but something tells me its not a good idea to keep both keys in the same directory?
Is it a good practice to remove the public key file after I've added it to the server's authorized_keys file? If there is no harm in keeping the public key around, should I move it to a different directory?
One shortcoming I can think of is that I would have to re-generate a public/private key pair if I wanted to ssh into to a different server. Is it a good practice to generate a new public/private key pair for different servers?
The "secret" part of your key needs to be kept safe - in your home directory is the usual place. The public key is MEANT to be shared, that's the whole point of it being public.
So, make sure your .ssh directory is kept safely protected at all times.
The public key isn't secret, so whilst you can delete it if you want, it won't help much, since anyone that can read authorized_keys can get it... It is there in full view.
Obviously, deleting your private key would mean that you'd have to make a new pair of private public keys. But only someone that has your private key can get into your account - and only if it's in the authorized_keys on that machine [of course, that can be copied from one place to another!]
In summary: If you feel like saving the diskspace, delete the public key. But it doesn't really matter - it's out there on the other end of the line.
It may not be a relevant answer to this question, but you can allow SSH access from specific clients (if their IPs remain fixed) by filtering them using iptables. So if a key is stolen, your firewall can help you.
I know how asymmetric cryptography works. I know there are two keys (one private and one public).
When someone wants to communicate they exchange their public keys encrypt messages with those public keys AND then the respective message could be decrypted ONLY by the user that has the private key.
Now, I'm using Node.js and I need to do something like this...
I need an application that EACH hour reads a database, extracts data and saves it to a file that I need to send to another server.
My problem is that I DON'T WANT that file will be visible to other, I do the transfer using SSH so there is no problem BUT
I must encrypt that file because I'm not the admin of that server SO maybe someone could read it. Unfortunately the admin is the same for both servers.
So my idea is to encrypt the file with a public key, and then only he who has the private key(me) could decrypt it.
I think it is pointless using something like:
var key = 'blablabla'
If I use a public key, there is no problem, all can read it..... it is public indeed. But with this public key, nobody can decrypt the message, so it is
something like one-way encryption.
Now, could someone tell me if I need a signer/verifier to do this job, OR maybe I have to generate two keys (public/private) with openssl and pass those keys to a cipher/dechiper?
I'm looking at crypto modules, but there are no examples....
In general, your idea is right - you encrypt using public key and decrypt using private key of yours. However, practically the procedure is more complex. Random symmetric key is generated and the data is encrypted using that key. Then the public key is used to encrypt the random key. Encrypted key is sent to recipient together with encrypted data. On the other side encrypted key is decrypted using a private key, then the data is decrypted.
You can use OpenPGP keys or X.509 certificates to do the job.
In case of OpenPGP the standard offers encryption and decryption as atomic procedures (on the user level). In case of X.509 certificates you need to use PKCS#7 / CMS.
OpenSSL library offers operations with PKCS#7 / CMS, however when I look at nodeJS API for OpenSSL, that API is very limited and doesn't expose those functions. Maybe you can write your own nodeJS module which will interface with OpenSSL and provide missing functions.
Another alternative is to use OpenPGP keys and node-gpg module. That module uses gnupg to do the actual job, so gnupg must be installed.
Unfortunately I don't see any other suitable libraries in the 3rd-party module list provided in nodeJS wiki.
I have 2 servers with which I work: first one is application server and another one is archival server.
I access both of these servers using F-Secure SSH Client using the same user id and public-private key pair for authentication. It means that private key is stored on the Windows machine and public key is stored on both servers.
Now I need to access archival server from application server. To do that I have to do a key exchange first.
What is a standard aproach in this case? Do I just copy my private key from Windows to the application server? Would it compromise security? Or I need to generate a new key pare?
I appretiate your help!
P.S. I am relatively new to Unix administration, so don't be very hard on me :)
The standard approach is:
Generate on each machine/user a new private/public key pair
Use authorized keys file in .ssh and add every public key
Copy this authorized keys file to every remote host
Sidenote: The authorized key file as well as the key pairs are user#machine related
Sidenote2: Usually ppl block root completely from this process. Root should be neither accessible via pw auth nor with key auth.
#fyr's answer is correct, however you don't need to manually add or copy anything. You can do it with ssh-copy-id.
Assuming that the SSH server on your new machine is already running, from your old machine (which already has an SSH key pair, if not run ssh-keygen), run
ssh-copy-id -i ~/.ssh/mykey user#host
where the -i parameter denotes the location of your public key. The ssh-copy-id tool will add the .pub extension if necessary, so it won't be trying to send your private key.
A real-world example of this, let's say to exchange keys with a Raspberry Pi, would be:
ssh-copy-id -i ~/.ssh/id_rsa pi#192.168.1.11
This will ask for your password, but just once. If the key exchange is successful, you'll be able to ssh into it without needing a password.