tly I've had a good deal of people ask me about SSH connections, and how they can better secure them, and I've been shocked at the sheer number of people that still use keyboard-interactive password authentication to log into SSH daemons. This article will explain the use of SSH keys and OpenSSH options to speed up and secure your SSH connection.

SSH options

There are a few useful options you can pass to OpenSSH to increase your verbosity, compress and speed up your ssh connection, and change your SSH cipher to something faster and more secure:

'-v' switch. This option will allow you to see debug output for outgoing SSH connections. Specifying '-v' multiple times increases the verbosity level (maximum level 3).

'-C' switch. This option compresses all of your SSH data. Passing this option to OpenSSH may speed things up dramatically on slow networks, but on high-speed networks it will only slow things down.

'-c' switch. This option will allow you to change your cipher method. The default is 3des, which is a 3-way encryption method that is believed to be secure; however, blowfish is also available, which is a fast block cipher that is also believed to be very secure and is far faster than 3des.

For example, let's say I want to log in as user 'foo' to an ssh daemon on host 'example.com'. I want maximum verbosity level, I want to compress all my data, and I want to change my SSH cipher to blowfish. The command would look like this:

ssh -vvv -C -c blowfish -l foo example.com

(Note: the higher your verbosity level, the more text you will get on your terminal while OpenSSH goes through the process of logging in to the remote SSH daemon. Even specifying only one -v can get you a veritable flood of information. Fiddle around with -v until you find a debug level that you're comfortable with.)

SSH keys

OpenSSH supports a method of authentication far more secure than keyboard-interactive password authentication, using a combination of public/private key cryptography. A pair of keys is generated: one, the public key, goes on the remote machine to authenticate you and let you in; the other is the private key that matches the key on the remote machine.

To generate a pair of cryptographic keys, you would use the ssh-keygen(1) utility on both the machine you intend to log in to, and the machine you intend to log in from. For example:

ssh-keygen -t rsa

The -t option specifies the type of key to be generated. Available options are dsa and rsa. Inputting this command on either of your UNIX machines should give you an output like this:

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/example/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/example/.ssh/id_rsa.
Your public key has been saved in /home/example/.ssh/id_rsa.pub.

Setting a passphrase is highly recommended to maximize security. Good passphrases are between 10 and 30 characters long, and are not easily guessable in any way. If you do not enter a passphrase, you will be able to log in to your remote system without entering any password on login.

The next step is to authorize your keys on the remote machine you intend to log in to. You can do this using a file named authorized_keys on your target machine. Copy your ~/.ssh/id_rsa.pub file onto your remote machine using scp(1):

scp ~/.ssh/id_rsa.pub example.com:.ssh/authorized_keys

Now log in to your target machine using ssh(1) with a debug level of 1 as previously shown:

ssh -v -C -c blowfish -l foo example.com

You will see debug messages like so:

debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /home/example/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-dss blen 435
debug1: read PEM private key done: type rsa

You should then be prompted for your key passphrase (if you entered one) and then let into the system. If you didn't enter a passphrase upon generating your public/private keys, you will be passed through without having to enter any. If you encounter errors, you should check the permissions of your ~/.ssh directories on both machines.
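The scp command above copies id_rsa.pub directly over the remote authorized_keys file, so it replaces any keys that were already authorized there, and the closing remark about permissions matters because sshd will silently ignore an authorized_keys file (or ~/.ssh directory) that is group- or world-writable. The following POSIX shell functions are an added example, not code from the original article: they install a public key by appending it (once) to authorized_keys, set the permissions sshd expects, and report any permission problems. The function names, the target directory argument, and the public key string in the demo are all constructed for this example; the key is not a real key.

```shell
#!/bin/sh
# Added example: install an OpenSSH public key into a target account's
# authorized_keys without clobbering existing entries, then fix the
# permissions sshd checks before it will accept keys from that file.
# Usage: install_pubkey <pubkey_file> <target_home_dir>
install_pubkey() {
    pubkey_file=$1
    target_home=$2
    ssh_dir="$target_home/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # An OpenSSH public key is one line starting with the key type.
    key_line=$(head -n 1 "$pubkey_file")
    case $key_line in
        "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "install_pubkey: $pubkey_file does not look like an OpenSSH public key" >&2
           return 1 ;;
    esac

    # Create ~/.ssh (and the file) under umask 077 so they are born private.
    (umask 077 && mkdir -p "$ssh_dir")
    [ -f "$auth_file" ] || (umask 077 && : > "$auth_file")

    # Append only if this exact line is not already present (idempotent;
    # unlike scp onto authorized_keys, existing keys are kept).
    if grep -qxF -- "$key_line" "$auth_file"; then
        echo "install_pubkey: key already present in $auth_file" >&2
    else
        printf '%s\n' "$key_line" >> "$auth_file"
    fi

    # Modes sshd accepts: ~/.ssh not writable by others, authorized_keys private.
    chmod 700 "$ssh_dir"
    chmod 600 "$auth_file"
}

# Number of non-empty lines (keys) in the target's authorized_keys.
count_authorized_keys() {
    grep -c . "$1/.ssh/authorized_keys"
}

# Print one line per path that is group- or world-writable, which is the
# usual reason "check the permissions of ~/.ssh" fixes a failing login.
# Prints nothing when everything is clean.
check_ssh_perms() {
    target_home=$1
    for p in "$target_home" "$target_home/.ssh" "$target_home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        # -prune stops find descending; the -perm tests check the write bits.
        if [ -n "$(find "$p" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
            echo "$p is group- or world-writable"
        fi
    done
}

# Demo on a throwaway directory with a constructed (not real) public key.
demo_dir=$(mktemp -d)
printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0nstructedExampleKeyNotReal example@laptop' \
    > "$demo_dir/id_rsa.pub"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/home"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/home"   # second run is a no-op
echo "authorized keys: $(count_authorized_keys "$demo_dir/home")"
check_ssh_perms "$demo_dir/home"
rm -rf "$demo_dir"
```

To use it on a real account, run install_pubkey on the target machine after copying id_rsa.pub somewhere temporary (for example with scp to ~/id_rsa.pub rather than onto authorized_keys itself), then run check_ssh_perms against the home directory if a key-based login still falls back to the password prompt.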