Public Key Authentication
This page describes how to generate and use SSH key pairs with OpenSSH and PuTTY SSH clients.
Introduction
Authentication with keys is an alternative to using passwords. The Secure Shell uses public key cryptography for that purpose. Keys exist in pairs: there is a private key and a public key. The public key is put onto the remote computer while the private key remains on the personal computer.
The private key is the actual login secret. The advantage over passwords is that the secret information cannot be phished. However, there is the danger that private key files can be stolen. Therefore, private keys shall be well protected:
- Private key files shall be kept on the personal computer and never be copied to a server used by other people (like an HPC system, because such systems are much more likely to be compromised).
- The private key shall be protected with a passphrase. The passphrase is entered when the key is being created. When employing the SSH agent (see below) the passphrase needs to be entered only once per local session. Otherwise it has to be entered for every SSH command.
- SSH enforces that file access permissions do not allow other users to read private key files.
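The permission rule in the last item can be checked before the first login attempt. The following POSIX shell script is an added example and not part of the original page: it walks a directory, treats every regular file whose first line contains "PRIVATE KEY" as a private key, and reports each key file (and the directory itself) on which group or others hold any permission bit, which is the condition that makes OpenSSH refuse to use the key. The default directory $HOME/.ssh and the reported chmod values are assumptions of this example; it needs only sh, ls and cut and no SSH tools.

```sh
#!/bin/sh
# Added example, not part of the original page: find private key files that
# OpenSSH would refuse because group or others can access them.
# Assumes POSIX sh, ls(1) and cut(1) only; the default directory $HOME/.ssh
# is an assumption of this example.

# key_mode_ok PATH -> 0 if neither group nor others have any permission bit set
key_mode_ok() {
    # First field of `ls -ld` is e.g. "-rw-------"; columns 5-10 are the
    # group and other bits, which must all be "-".
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ]
}

# is_private_key FILE -> 0 if the first line marks a PEM/OpenSSH private key
is_private_key() {
    first=""
    IFS= read -r first < "$1" || true
    case "$first" in
        *"PRIVATE KEY"*) return 0 ;;
        *)               return 1 ;;
    esac
}

# check_private_keys [DIR] -> reports every key file (and the directory itself)
# that is too open; returns 1 if anything needs fixing, 0 otherwise
check_private_keys() {
    dir=${1:-$HOME/.ssh}
    rc=0
    if ! key_mode_ok "$dir"; then
        echo "too open: $dir  (chmod 700 '$dir')"
        rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        is_private_key "$f" || continue
        if key_mode_ok "$f"; then
            echo "ok:       $f"
        else
            echo "too open: $f  (chmod 600 '$f')"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_private_keys             # checks $HOME/.ssh
#        check_private_keys /other/dir  # checks another directory
```

Public key files (*.pub) are skipped because their first line is the key type, not a PRIVATE KEY marker, and they are meant to be world-readable; the script checks the mode of the ~/.ssh directory as well, since a directory that others can list or write undermines the protection of the files inside it.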
OpenSSH (Linux, MacOS, Windows)
- Generation of a key pair of type RSA with 4096 bits (alternatively the newer type -t ed25519 can be used):

    $ ssh-keygen -t rsa -b 4096
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/user/.ssh/id_rsa):
    Enter passphrase (empty for no passphrase): ************************
    Enter same passphrase again: ************************
    Your identification has been saved in /home/user/.ssh/id_rsa.
    Your public key has been saved in /home/user/.ssh/id_rsa.pub.
    The key fingerprint is:
    b8:df:d1:14:48:03:00:68:5e:46:9c:1a:b2:b2:d4:f4 user@host
    The key's randomart image is:
    +--[ RSA 4096]----+
    | +oo....o        |
    |. +.= . o        |
    | =o=. . .        |
    |o.o. E . .       |
    |o. . S .         |
    |. . o            |
    | . . .           |
    | . . .           |
    | . .             |
    +-----------------+
- Using the key:

    $ ssh bxy1234@hummel3.rrz.uni-hamburg.de
    Enter passphrase for key '/home/user/.ssh/id_rsa': ************************
    ...
- Using the SSH agent:

    $ eval `ssh-agent`
    Agent pid is 6789
    $ ssh-add $HOME/.ssh/id_rsa
    Enter passphrase for key '/home/user/.ssh/id_rsa': ************************
    Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)
    $ ssh bxy1234@hummel3.rrz.uni-hamburg.de
     _ _ __/ \ __/   RRZ HPC Login | Zugang nur mit Berechtigung
     \__ / \_ \_/ \  RRZ HPC login | Access for authorized users only
     / \_/
    ...
- Some systems run ssh-agent automatically (the passphrase has to be entered in a pop-up window). Then the ssh command alone has the same effect as the three commands above:

    $ ssh bxy1234@hummel3.rrz.uni-hamburg.de
- Connection data can be stored in the configuration file $HOME/.ssh/config. For example, with this entry

    Host hummel
        Hostname hummel3.rrz.uni-hamburg.de
        IdentityFile ~/.ssh/id_rsa
        User bxy1234

  the ssh command is just:

    $ ssh hummel
PuTTY (Windows)
Under Windows, an SSH key pair can be generated with PuTTYgen:
- choose: Type of key to generate: SSH-2 RSA (do not tick SSH-1!)
- enter: Number of bits in a generated key: 4096
- alternatively: Type of key to generate: EdDSA (Ed25519 255 bits)
- click: Generate
- enter: Key passphrase
- enter: Confirm passphrase
- click: Save private key
- click: Save public key
- note: the location where the key pair was saved!
Using the key with PuTTY:
- Enter/Browse key file location in Connection/SSH/Auth/Credentials.
Using the PuTTY agent Pageant: