I have few doubts regarding using private/public key on linux.
Suppose i have two linux boxes A and B.
I want to use password less logins to B from any computer.
so on A i did this
ssh-gen -t rsa and it made two files
id_rsa and id_rsa.pub
Then i copied id_rsa.pub to B ~/.ssh/A_id_rsa.pub and then
cat A_id_rsa.pub >> authorized_keys
Now i have these questions
Suppose i have another computer C where i also want to have passwordless login but i want to use key phrase to protect the private key. so can i generate another key using ssh-gen -t rsa with different name and use that or i have to delete the previous key
The other thing is for password less logins do need to do anything with keys from B to A or its always from A to B
So the private key will always stay on host computer only? i have seen that AWS gives the private key for login. then why is that. Beuase for putting A public key to B someone needs to access B. which is not possible for first time. so does it mean we can login with either public key or private key
Yes, you can generate a key pair on C and do the same that you did for A:
cat C_id_rsa.pub >> authorized_keys
The keys will only allow logins from A to B.
Yes the private key will stay on the host computer. I believe AWS automatically puts the public key on computer B while it creates the virtual box.
In a quick line or two:
The keys somewhat work like (very roughly): you need the public key to decrypt what is encrypted by private key and vice-versa. To be more precise, http://en.wikipedia.org/wiki/Public-key_cryptography has way better information to start with.
So to answer the questions: The private key is not normally tied to a computer. You could copy the private key from, say A to C and could login by using it from C.
You could generate multiple keys on a single host, one key-pair for each set of hosts. Similarly, you could generate keys from multiple hosts, each host publishing it's key to the target computer's (B in this example) 'authorized_keys' file.
Ideally, the private key should be as secret as possible. While the SSH or key-management would not force having the key on one computer, it should be limited to a single system as a best practice. Having said that, as far I know there is really nothing that prevents copying the private key around, say for backup or migration to a new system. In other words, the private key file is like the password, it could be literally used from any system to login.
Related
Does anybody have an idea how can I use an ssh private key in a script to scp some files from a server using a private key to connect but make sure the key can't be extracted to be used for something else?
The servers are already deployed and new users or new keys can't be generated.
I have the root key. The script/ app should just grab a few files from a folder without exposing the key to the user.
I think you have your ideas about public/private keys backwards.
If I give you my public key, then my private key allows me to access your computer. This effectively solves your problem, as you should never share your private key, and you'll append public keys to ~/.ssh/authorized_keys file on the server you want to access.
It sounds like you already have the private key to access the server, so no need to encrypt, as you use that to access the server not the other way around.
Use it scp -i ...
Hopefully helpful, here's a tutorial on setting up keys:
https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2
basically my computer bug down earlier and can no longer retrieve my files from my SSD HD.
i have my id_rsa.pub with me since I emailed this to our support team before for me to access the servers.
now I execute this command "ssh-keygen -t rsa" to my computer to generate new pub key.
upon checking the file is inside .ssh and i just replace the id_rsa.pub with the file i have on my email and leave id_rsa as it is.
trying out to access the server but always give me an error "Permission denied (publickey)."
it could be because of id_rsa which is still the latest.
any way i could replace the value based on the pubkey i have?
thanks.
Simply put, no.
The big idea behind public key cryptography is that the private key (in this case, id_rsa) is always hidden and secure, and only one person (or computer) has access to it. The public key (id_rsa.pub) provides just enough information that it is safe for anyone in the world to have access to it. If you could retrieve the original private key from the public key, then your private key would not be secure1.
The new keypair that you generated is totally distinct from your old one. Whatever server you are trying to ssh into is expecting to see the request signed with your old private key. Since you don't have access to it anymore, you can't sign the request with the correct key, and the server is rejecting your ssh attempt with a public key error.
So, basically, because you lost access to your private key, you can no longer ssh using that keypair.
Your administrative team will need to put your new public key onto the server so that you can ssh using the new key.
1 Note: It is theoretically possible to generate a private key that would match an existing public key, but this process is computationally intractable. Digicert estimates that this would take 6.4 quadrillion years for a 2048-bit RSA key.
normally you have a private part of a rsa key and a public one. You spread the public key out to the internet. Now you can sign with the private key you packages or data, and everyone how knows you public key can check if this data or package is from you. So it's possible to generate a public key from a private, but i is impossible to generate a private key out of a public key in a acceptable time. So you need to generate a new one on you computer and need to put the new generated public key on your server, and you will have access again.
I have two servers A and B.
Is it possible to do password less logins to B without chnaging anything on B.
I mean i want to configure A with whatever setting so that i can login to B like copying private/public keys etc.
Currently i am adding A public key to B 's authorized_keys.
Is there any other way of doing without editing file on B
Currently i am adding A public key to B 's authorized_keys
This is problematic because anyone - friend of foe - who has access to A's private key, implicitly has access to B.
What I suggest involves a simple setup with a single key pair
You have your own key pair
You copy your public key - and only that - to every server you want to access
On your box you add this to .ssh/config:
Host A
ForwardAgent yes
You run ssh-add
At this point you can connect to A. Big woop, so what ? Well, if from A you connect to B, it will just work. This is very secure and there is a single key you have to worry about: your own.
Read more about SSH agent forwarding at github.
On A & B you firstly must already have generated your pubkeys with (assume you already have):
sudo ssh-keygen
Then use the command from machine A:
ssh-copy-id user#machineB -p <port #>
If you have generated a password for host B's private key you will have to enter that once and machine A's id_pub.rsa contents will be copied into machine B's authorized_keys.
I'm done setting up ssh login using public/private key pair. I have my id_rsa (private key) in my ~/.ssh directory and also still have id_rsa.pub (public key) in the same directory. I'm no security expert, but something tells me its not a good idea to keep both keys in the same directory?
Is it a good practice to remove the public key file after I've added it to the server's authorized_keys file? If there is no harm in keeping the public key around, should I move it to a different directory?
One shortcoming I can think of is that I would have to re-generate a public/private key pair if I wanted to ssh into to a different server. Is it a good practice to generate a new public/private key pair for different servers?
The "secret" part of your key needs to be kept safe - in your home directory is the usual place. The public key is MEANT to be shared, that's the whole point of it being public.
So, make sure your .ssh directory is kept safely protected at all times.
The public key isn't secret, so whilst you can delete it if you want, it won't help much, since anyone that can read authorized_keys can get it... It is there in full view.
Obviously, deleting your private key would mean that you'd have to make a new pair of private public keys. But only someone that has your private key can get into your account - and only if it's in the authorized_keys on that machine [of course, that can be copied from one place to another!]
In summary: If you feel like saving the diskspace, delete the public key. But it doesn't really matter - it's out there on the other end of the line.
It may not be a relevant answer to this question, but you can allow SSH access from specific clients (if their IPs remain fixed) by filtering them using iptables. So if a key is stolen, your firewall can help you.
I have 2 servers with which I work: first one is application server and another one is archival server.
I access both of these servers using F-Secure SSH Client using the same user id and public-private key pair for authentication. It means that private key is stored on the Windows machine and public key is stored on both servers.
Now I need to access archival server from application server. To do that I have to do a key exchange first.
What is a standard aproach in this case? Do I just copy my private key from Windows to the application server? Would it compromise security? Or I need to generate a new key pare?
I appretiate your help!
P.S. I am relatively new to Unix administration, so don't be very hard on me :)
The standard approach is:
Generate on each machine/user a new private/public key pair
Use authorized keys file in .ssh and add every public key
Copy this authorized keys file to every remote host
Sidenote: The authorized key file as well as the key pairs are user#machine related
Sidenote2: Usually ppl block root completely from this process. Root should be neither accessible via pw auth nor with key auth.
#fyr's answer is correct, however you don't need to manually add or copy anything. You can do it with ssh-copy-id.
Assuming that the SSH server on your new machine is already running, from your old machine (which already has an SSH key pair, if not run ssh-keygen), run
ssh-copy-id -i ~/.ssh/mykey user#host
where the -i parameter denotes the location of your public key. The ssh-copy-id tool will add the .pub extension if necessary, so it won't be trying to send your private key.
A real-world example of this, let's say to exchange keys with a Raspberry Pi, would be:
ssh-copy-id -i ~/.ssh/id_rsa pi#192.168.1.11
This will ask for your password, but just once. If the key exchange is successful, you'll be able to ssh into it without needing a password.