However, using public key authentication provides many benefits when working with multiple developers. For example, with SSH keys you can. Keys come in pairs of a public key and a private key. Each key pair is unique, and the two keys work together. These two keys have a very special and beautiful mathematical property: if you have the private key, you can prove you have it without showing what it is.
It's like proving you know a password without having to show someone the password. You don't have to do the math or implement the key exchange yourself. The SSH server and client programs take care of this for you. You should generate your key pair on your laptop, not on your server. All Mac and Linux systems include a command called ssh-keygen that will generate a new key pair.
If you're using Windows, you can generate the keys on your server. Just remember to copy your keys to your laptop and delete your private key from the server after you've generated it. You'll be prompted to choose the location to store the keys. The default location is good unless you already have a key. Press Enter to choose the default location.
Next, you'll be asked to choose a password. Using a password means a password will be required to use the private key. When a client connects to the host wishing to use SSH key authentication, it informs the server of this intent and tells the server which public key to use. The server then encrypts a random string with that public key; this encrypted message can only be decrypted with the associated private key. The server sends this encrypted message to the client to test whether it actually has the associated private key.
Upon receipt of this message, the client will decrypt it using the private key and combine the random string that is revealed with a previously negotiated session ID. It then generates an MD5 hash of this value and transmits it back to the server.
The server already had the original message and the session ID, so it can compare an MD5 hash generated by those values and determine that the client must have the private key. Now that you know how SSH works, we can begin to discuss some examples to demonstrate different ways of working with SSH.
This section will cover how to generate SSH keys on a client machine and distribute the public key to servers where they should be used. This is a good section to start with if you have not previously generated keys, because key-based authentication increases the security of all future connections. Generating a new SSH public and private key pair on your local computer is the first step towards authenticating with a remote server without a password.
Unless there is a good reason not to, you should always authenticate using SSH keys. RSA keys are generally preferred and are the default key type. The first prompt lets you choose the location to store your RSA private key.
Leaving the default location selected will allow your SSH client to find the keys automatically. The next prompt allows you to enter a passphrase of an arbitrary length to secure your private key. By default, you will have to enter any passphrase you set here every time you use the private key, as an additional security measure.
Keep in mind, though, that leaving the passphrase empty will allow anyone who gains control of your private key file to log in to your servers. If you choose to enter a passphrase, nothing will be displayed as you type.
This is a security precaution. These files are:
SSH keys are bits by default. This is generally considered to be good enough for security, but you can specify a greater number of bits for a more hardened key. To do this, include the -b argument with the number of bits you would like. Most servers support keys with a length of at least bits.
Longer keys may not be accepted for DDoS protection purposes. If you had previously created a different key, you will be asked whether you wish to overwrite your previous key. Overwriting replaces the old private key, so any server that only trusts the old public key will no longer accept you. Because of this, be sure to overwrite keys with caution.
If you have generated a passphrase for your private key and wish to change or remove it, you can do so easily. Note: to change or remove the passphrase, you must know the original passphrase. If you have lost the passphrase to the key, there is no recourse and you will have to generate a new key pair. Enter the old passphrase that you wish to change; you will then be prompted for a new passphrase. Displaying the fingerprint of a key can be useful in a variety of situations. You will be given a string which contains the bit-length of the key, the fingerprint, the account and host it was created for, and the algorithm used.
To copy your public key to a server, allowing you to authenticate without a password, a number of approaches can be taken. If you currently have password-based SSH access configured to your server, and you have the ssh-copy-id utility installed, this is a simple process. If you do not have the ssh-copy-id utility available, but still have password-based SSH access to the remote server, you can copy the contents of your public key in a different way. You can output the contents of the key and pipe it into the ssh command.
If you do not have password-based SSH access available, you will have to add your public key to the remote server manually. You can copy this value, and manually paste it into the appropriate location on the remote server. You will have to log in to the remote server through other means like the DigitalOcean web console. To connect to a remote server and open a shell session there, you can use the ssh command.
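The manual route described above, written out as an added example (not part of the original article): the key is appended to the user's authorized_keys file with the directory and file permissions sshd requires, and a second run does not duplicate the line. The home directory and key line are constructed for the demo.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys by hand, as you
# would when ssh-copy-id is unavailable. Home dir and key are constructed.
set -eu

# install_authorized_key HOME_DIR PUBKEY_LINE
# Creates ~/.ssh (mode 700) and authorized_keys (mode 600); with StrictModes
# on, sshd ignores the file if it or its directory is group/world-writable.
# Appends the key only if that exact line is not already present.
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # -F fixed string, -x whole line: a key that is a prefix of another
    # key must not be mistaken for a duplicate.
    if ! grep -qFx -- "$pubkey" "$auth_keys"; then
        printf '%s\n' "$pubkey" >> "$auth_keys"
    fi
}

# count_authorized_keys HOME_DIR: number of non-blank, non-comment key lines
count_authorized_keys() {
    grep -cvE '^[[:space:]]*(#|$)' "$1/.ssh/authorized_keys" || true
}

# Demo with a throwaway home directory and a constructed (not real) key line.
DEMO_HOME=$(mktemp -d)
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYMATERIALFORDEMOONLY00000000 dev@laptop'
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"
install_authorized_key "$DEMO_HOME" "$DEMO_KEY"   # second call must not duplicate
echo "keys installed: $(count_authorized_keys "$DEMO_HOME")"   # 1
```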
The simplest form assumes that your username on your local machine is the same as that on the remote server. If this is true, you can connect using: If you are using password authentication, you will be prompted for the password for the remote account here.
To run a single command on a remote server instead of spawning a shell session, you can add the command after the connection information, like this: This will connect to the remote host, authenticate with your credentials, and execute the command you specified. The connection will immediately close afterwards.
By default the SSH daemon on a server runs on port 22, and your SSH client will assume that this is the case when trying to connect. If your SSH server is listening on a non-standard port (this is demonstrated in a later section), you will have to specify the new port number when connecting with your client. Alternatively, in your SSH client configuration file you can set host-specific configuration options, including the port to use for a given host. If you have a passphrase on your private SSH key, you will be prompted to enter the passphrase every time you use it to connect to a remote host.
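Per-host client configuration, as an added example that is not part of the original article. The standard per-user file is ~/.ssh/config; the demo writes to a temporary file instead. It also shows the rule that catches people out: ssh keeps the first value it finds for an option, so specific Host blocks must come before the catch-all block. Host names, addresses and the port 2222 are constructed values.

```shell
#!/bin/sh
# Added example: write per-host entries to an SSH client config file and
# resolve the option a given host alias would get. Temp file, constructed hosts.
set -eu

# add_host_entry CONFIG ALIAS HOSTNAME PORT USER
# Appends a Host block. ssh reads blocks top to bottom and keeps the FIRST
# value obtained for each option, so put specific hosts before "Host *".
add_host_entry() {
    cat >> "$1" <<EOF
Host $2
    HostName $3
    Port $4
    User $5
EOF
}

# resolve_option CONFIG ALIAS OPTION
# Mimics ssh's first-match-wins rule for exact aliases and the "*" wildcard
# (other glob patterns are out of scope here). Prints the winning value.
resolve_option() {
    awk -v host="$2" -v opt="$3" '
        $1 == "Host" {
            active = 0
            for (i = 2; i <= NF; i++) if ($i == host || $i == "*") active = 1
            next
        }
        active && !found && tolower($1) == tolower(opt) { print $2; found = 1 }
    ' "$1"
}

DEMO_CFG=$(mktemp)
# Specific host first: a server moved off port 22 (2222 is a constructed value).
add_host_entry "$DEMO_CFG" web1 203.0.113.10 2222 deploy
# Defaults last, so they apply only where nothing above set the option.
cat >> "$DEMO_CFG" <<'EOF'
Host *
    Port 22
    IdentitiesOnly yes
EOF
echo "web1 port: $(resolve_option "$DEMO_CFG" web1 Port)"     # 2222
echo "db9 port:  $(resolve_option "$DEMO_CFG" db9 Port)"      # 22
```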
To avoid having to repeatedly do this, you can run an SSH agent. This small utility stores your private key after you have entered the passphrase for the first time. It will be available for the duration of your terminal session, allowing you to connect in the future without re-entering the passphrase. This will start the agent program and place it into the background. Now, you need to add your private key to the agent, so that it can manage your key. You will have to enter your passphrase if one is set.
Afterwards, your identity file is added to the agent, allowing you to use your key to sign in without having to re-enter the passphrase again. If you wish to be able to connect without a password to one server from within another server, you will need to forward your SSH key information.
This will allow you to authenticate to another server through the server you are connected to, using the credentials on your local computer. After this is done, you need to connect to your first server using the -A option.
This forwards your credentials to the server for this session. You will connect as if your private SSH key were located on this server. This section contains some common server-side configuration options that can shape the way that your server responds and what types of connections are allowed. If you have SSH keys configured, tested, and working properly, it is probably a good idea to disable password authentication.
This will prevent any user from signing in with SSH using a password. Inside the file, search for the PasswordAuthentication directive. If it is commented out, uncomment it. Set it to no to disable password logins. After you have made the change, save and close the file. To implement the changes, you should restart the SSH service. Some administrators suggest that you change the default port that SSH runs on.
This can help decrease the number of authentication attempts your server is subjected to from automated bots. To change the port that the SSH daemon listens on, you will have to log in to your remote server.
Once you are inside, you can change the port that SSH runs on by finding the Port 22 specification and modifying it to reflect the port you wish to use. For instance, to change the port to , put this in your file:
Save and close the file when you are finished. To implement the changes, you must restart the SSH daemon. After the daemon restarts, you will need to authenticate by specifying the port number, as demonstrated in an earlier section. These two keys form a pair that is specific to each user.
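The two server-side edits above (disable password logins, move off port 22), applied by script as an added example that is not part of the original article. It handles the common case where the directive exists only as a commented-out default, edits a constructed sample rather than the live sshd_config, and uses the placeholder port 2222. On a real host, run sshd -t to check the file before restarting the daemon.

```shell
#!/bin/sh
# Added example: set sshd_config directives the way the text describes and
# read back what sshd would use. Works on a constructed sample file.
set -eu

# set_directive CONFIG KEY VALUE
# Replaces the first "KEY ..." or "#KEY ..." line with "KEY VALUE"; appends
# the directive if it is absent. Writes via a temp file so a failed edit
# never leaves a half-written config, then copies back to keep owner/mode.
set_directive() {
    cfg=$1 key=$2 val=$3
    tmp=$(mktemp)
    awk -v key="$key" -v val="$val" '
        !done && ($1 == key || $1 == ("#" key)) { print key, val; done = 1; next }
        { print }
        END { if (!done) print key, val }
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# effective_value CONFIG KEY
# sshd uses the first uncommented occurrence of a directive (Match blocks
# are out of scope for this demo), so print that one.
effective_value() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

DEMO_CFG=$(mktemp)
cat > "$DEMO_CFG" <<'EOF'
# Constructed sample resembling a stock sshd_config (not a real file)
#Port 22
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF

set_directive "$DEMO_CFG" PasswordAuthentication no
set_directive "$DEMO_CFG" Port 2222     # 2222 is a constructed example port
echo "Port: $(effective_value "$DEMO_CFG" Port)"                                   # 2222
echo "PasswordAuthentication: $(effective_value "$DEMO_CFG" PasswordAuthentication)" # no
```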
In the SSH public key authentication use case, it is rather typical that the users create their own key pairs. SSH implementations include easily usable utilities for this; for more information, see ssh-keygen and ssh-copy-id.
Each SSH key pair includes two keys. The first is a public key that is copied to the SSH server(s). Anyone with a copy of the public key can encrypt data which can then only be read by the person who holds the corresponding private key. Such keys are called authorized keys.
The second is a private key that remains only with the user. The possession of this key is proof of the user's identity. Only a user in possession of a private key that corresponds to the public key at the server will be able to authenticate successfully. The private keys need to be stored and handled carefully, and no copies of the private key should be distributed.
The private keys used for user authentication are called identity keys. The key pair is typically created by the user.