Hello all

I've been giving the task to go to a Linux console as root.
and generate a ssh rsa 4096bit key, and copy the private key to a USB drive.

1) What command should I use here? ssh-keygen -t rsa -b 4096 ?
2) Do I need to append the new private key to the authorized_users file? Which file exactly must be appended there? Would this be sufficient?

mkdir -p /home/myuser/.ssh
cat id_rsa_LOCAL.pub >> /home/myuser/.ssh/authorized_keys

Should any special permissions be applied to this file?

3) Which file must be sent to my usb drive so that I can take it home to connect with?

A step by step guide to accomplish this would be great!

This is all back-to-front; it's bad idea is to log in remotely
via root. If you're really set on doing that you have to create
a key-pair on YOUR machine, and place the PUBLIC part of YOUR
key in root's authorized_keys on the remote machine.


Cheers,
Tink

The public key gets added to the authorized_keys file of the server. The client (at home) has both in /home/myuser/.ssh/. You don't need to be root to generate a key pair. What user will you be logging into the server as? It is better to log into a server as a regular user and use sudo instead of allowing root logins. If you must use root (e.g. only user on server) make sure that you use a very good passphrase. This will protect your private key if stolen or copied. Especially important for laptops which are often lost or stolen in airports and coffee shops.

If this is your home clients key pair, then having id_rsa and id_rsa.pub in ~/.ssh/ will work fine. If you already have a key pair, consider changing the names and using the "-i <identify file>" option of ssh so the correct key is used.

ssh myuser@host -i ~/.ssh/myuser_id_rsa

The permissions of ~/.ssh and id_rsa is important. Don't allow "other" read access. Also don't allow "other" read or execute access to your home directory.

some caveats. In the server's /etc/ssh/sshd_config file, if "AllowUsers" is used (a good idea) make sure the username is listed. For the latest openSuSE, the AuthorizedKeys entry needs "%h" in it: "AuthorizedKeysFile %h/.ssh/authorized_keys". Might just be true for openSuSE. Found it after upgrading and reading distro release notes. If converting from password authentication to using a key, log in using a password and leave it open. Test pubkey authentication in a new console, just in case there is a problem loggin in. You can undo changes in the first terminal. Remember that if changes to the server's /etc/ssh/sshd_config are needed, that the ssh service needs to be restarted. E.G. if adding user to "AllowUsers".

I would like to recommend you generate key/pair by the user@machine who need to login remotely and then paste user's public key in authorized_key file to user@machine on which you want to login .

Thanks

I will try that now, it sounds much easier.

worked!