I learned how to set up passwordless SSH authentication last year, and while I got it to work, I honestly am not sure that I understand exactly how it works. (And after reading a lot of stuff online, I'm not sure a lot of other people understand how it works either!)
I would appreciate it if I can walk through the steps and have you guys fill in the gaps in my knowledge so I can truly understand how all of this works.
Here is what my notes said that I did...
1.) In Terminal, I navigated here...
Code:
cd ~/.ssh
2.) Then I ran this code...
Code:
ssh-keygen -t rsa -b 2048
My understanding is that ssh-keygen creates a public-private key pair. The -t switch is for the type of key to use; "rsa" is the key type I chose. The -b switch is the number of bits to use, and I chose 2048.
3.) When I run this command I get the message...
Code:
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/rob/.ssh/id_rsa):
I hit <enter>, and then get...
Code:
Enter passphrase (empty for no passphrase):
I chose a passphrase and hit <enter>
Terminal then says...
Code:
Your identification has been saved in /Users/rob/.ssh/id_rsa.
Your public key has been saved in /Users/rob/.ssh/id_rsa.pub.
The key fingerprint is:
So apparently I now have a Public and a Private Key, right?
4.) Next, on my server in cPanel, under "Security", I chose "SSH Shell Access". Then "Manage SSH Keys". And then "Import Key".
On this page I see 4 input fields:
Code:
Enter a name for this key. This value defaults to id_dsa:
I entered "id_rsa".
Q-1: What, if anything, should go in the field above?
Code:
Paste the private key into this text box:
I left this blank.
Code:
Passphrase:
I left this blank.
Code:
Paste the public key into this text box:
On my MacBook, using TextWrangler, I opened ~/.ssh/id_rsa.pub and copied the entire Public Key and then pasted it into the last field above. Then I chose "Import".
cPanel said...
Code:
The system successfully imported the “id_rsa” key.
Next I chose the "Back to Manage Keys" button. Under the "Public Keys" section, I chose "Manage Authorization". From there I chose the "Authorize" button. Then I chose "Go Back".
Q-2: What exactly is going on here?
Q-3: What is the purpose of installing my Public-Key onto my server?
5.) The next thing I did was to call my web host and ask them to provide me with the Fingerprint for my Server.
In order for them to provide this, my understanding is that my web host would have to run this command against my server...
Code:
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub
Q-4: Is this correct?
Q-5: Is it correct that the (Server) Fingerprint is an "abbreviated" version of the (Server's) Public Key?
Q-6: Is it correct that the (Server) Fingerprint would be created when the server is built/started and remain until it is reset?
I have lots more questions, but this is a good stopping place for now!
OK, when you generate a key pair it isn't very usable until you put them on keyrings, or import them. Q. 1, A: just some descriptive name. Q. 2 A: The key was added to the keyring, so the application can use it. Q. 3 A: Others use your public key to encrypt a key that is only then available by your private key. Public key encryption allows you to give one key to the public to encrypt to you. But the public key cannot decrypt the messages it encrypts. The private key is required for that.
Q. 4 A: I can't quite figure out how your web host gets involved here. There must be some added security they're providing. Q. 5 A: a fingerprint, or signature is a one-way hash of a private key. Q. 6 A: I'm not completely familiar with what you're asking exactly. But typically a digital fingerprint remains the same until it's changed.
Re QN 3:
There are (basically) 2 kinds of encryption:
1. symmetric : both ends know/use the same(!) key,
2. asymmetric (aka public key) where there are 2 different keys that form a pair, one private, one public.
(NB: this is not the same as hashes eg *nix stores passwd hashes, it does NOT encrypt your passwd)
Think of asymmetric encryption as 2 halves of one conjoined key if it helps. (It's really more of a set/matched pair actually.)
Basically a given private key will only match/work with the public key it was created with.
So, you put the public key on the server (which may or may not be under your control), and keep the private key on your client (ie under your control).
You then tell ssh to use keys instead of passwords and it matches the 2 keys (ie 2 halves of the pair) to let you in.
To install the public key, you are using CPanel GUI, but on the cmd line, you'd use the ssh-copy-id cmd if your distro supports it, otherwise you'd probably use scp (with passwd).
There is lots about this on the net, but that's the basics.
PS: re your title " Password Authentication "; that's where *nix hashes the plaintext passwd you give it and matches it to the recorded hash in the /etc/shadow file.
This is separate from ssh-keys above.
The ssh fingerprint is a way to identify a server and help prevent man in the middle attacks. With strict host checking enabled when you login to a ssh server for the first time you should see an unknown host with the fingerprint displayed. If the fingerprint displayed matches the one that you got when you called your host then you are assured you are connecting to your server. Once you enter or click yes to continue that fingerprint is stored in your known_hosts file. If you ever login and the fingerprints do not match then something could be amiss. Yes the command you posted will display the server's fingerprint and yes it is generated when ssh was installed and should not change.
Quote:
Originally Posted by AwesomeMachine
Q. 3 A: Others use your public key to encrypt a key that is only then available by your private key. Public key encryption allows you to give one key to the public to encrypt to you. But the public key cannot decrypt the messages it encrypts. The private key is required for that.
I asked about passwordless SSH authentication. You are talking about a completely different topic.
Quote:
Originally Posted by AwesomeMachine
Q. 4 A: I can't quite figure out how your web host gets involved here. There must be some added security they're providing.
Then you don't understand how to set up passwordless SSH authentication.
Quote:
Originally Posted by chrism01
Re QN 3:
There are (basically) 2 kinds of encryption:
1. symmetric : both ends know/use the same(!) key,
2. asymmetric (aka public key) where there are 2 different keys that form a pair, one private, one public.
(NB: this is not the same as hashes eg *nix stores passwd hashes, it does NOT encrypt your passwd)
Think of asymmetric encryption as 2 halves of one conjoined key if it helps. (It's really more of a set/matched pair actually.)
Basically a given private key will only match/work with the public key it was created with.
So, you put the public key on the server (which may or may not be under your control), and keep the private key on your client (ie under your control).
You then tell ssh to use keys instead of passwords and it matches the 2 keys (ie 2 halves of the pair) to let you in.
Okay, that makes sense.
Following that logic, I could technically put my Private Key on the Server and leave my Public Key on my laptop, right?
Quote:
Originally Posted by chrism01
To install the public key, you are using CPanel GUI, but on the cmd line, you'd use the ssh-copy-id cmd if your distro supports it, otherwise you'd probably use scp (with passwd).
As per Q-1, does it matter what I put in that field? Based on the form, I assume cPanel is asking me what I want to call the Public Key?
And per Q-2, what happens when I "authorize" the Public Key that I just put into the form?
Quote:
Originally Posted by chrism01
PS: re your title " Password Authentication "; that's where *nix hashes the plaintext passwd you give it and matches it to the recorded hash in the /etc/shadow file.
This is separate from ssh-keys above.
That is a typo. The title of this thread should say "Understanding how Password-less Authentication works"
**Could an admin please fix this to avoid any confusion?
Quote:
Originally Posted by michaelk
The ssh fingerprint is a way to identify a server and help prevent man in the middle attacks.
With strict host checking enabled when you login to a ssh server for the first time you should see an unknown host with the fingerprint displayed. If the fingerprint displayed matches the one that you got when you called your host then you are assured you are connecting to your server.
Thanks, but I know what the purpose of the Server's Fingerprint is. That isn't what I asked about in Q-5 and Q-6.
Quote:
Originally Posted by michaelk
Once you enter or click yes to continue that fingerprint is stored in your known_hosts file.
As far as I know that is wrong. The fingerprint is not stored in "known_hosts" - the Public Key should be stored there.
Quote:
Originally Posted by michaelk
If you ever login and the fingerprints do not match then something could be amiss. Yes the command you posted will display the server's fingerprint and yes it is generated when ssh was installed and should not change.
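michaelk's post describes the host-key check at first connection, and the question of what known_hosts actually holds (Q-5, and the reply above) comes down to one fact: known_hosts stores the server's public key line, and the fingerprint ssh-keygen -l prints is a hash of the decoded key blob, not a shortened copy of it. The following is an added example, not code from the thread, cPanel or OpenSSH. It builds an ssh-rsa public key line in the OpenSSH wire format, computes both fingerprint forms (the current SHA256 form and the older colon-separated MD5 form), and shows that an authorized_keys line and a known_hosts line carrying the same key give the same fingerprint, while the comment and host fields do not affect it. The key material is constructed from a hash and is not a usable key; the host name and address are placeholders.

```python
"""Added example (not from the thread, cPanel or OpenSSH): what an SSH
fingerprint is computed from, and why a known_hosts line and an
authorized_keys line carrying the same key give the same fingerprint.

The ssh-rsa key used here is CONSTRUCTED from a hash, so it is not a usable
key; only the relationships between the lines matter.
"""
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """SSH 'mpint': big-endian two's complement, minimal length, sign bit clear."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw  # leading zero keeps a large positive number positive
    return ssh_string(raw)


def read_ssh_string(buf: bytes, offset: int) -> tuple:
    """Read one wire string at offset; return (bytes, next_offset) or raise."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[start:end], end


def build_rsa_public_blob(e: int, n: int) -> bytes:
    """The bytes behind the base64 of an 'ssh-rsa' line: string type, mpint e, mpint n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def parse_rsa_blob(blob: bytes) -> tuple:
    """Inverse of build_rsa_public_blob; returns (e, n)."""
    key_type, off = read_ssh_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("not an ssh-rsa blob")
    e_raw, off = read_ssh_string(blob, off)
    n_raw, off = read_ssh_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    return int.from_bytes(e_raw, "big"), int.from_bytes(n_raw, "big")


def parse_pubkey_line(line: str) -> tuple:
    """Split 'type base64 [comment]' (id_rsa.pub / authorized_keys layout) into
    (type, blob, comment). The type outside the blob must match the one inside."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not a public key line")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)  # rejects non-base64 (e.g. a pasted private key)
    inner_type, _ = read_ssh_string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError("key type outside the blob does not match the blob")
    return key_type, blob, comment


def known_hosts_to_pubkey_line(line: str) -> str:
    """known_hosts lines are 'host[,host] type base64 [comment]': drop the host field."""
    return line.split(None, 1)[1]


def fingerprint_sha256(blob: bytes) -> str:
    """Current ssh-keygen -l output: SHA256 of the blob, base64 without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Older ssh-keygen -l output (ssh-keygen -E md5 today): MD5 as colon-separated hex."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


# Constructed key material: a 2048-bit odd number derived from a hash stands in
# for the modulus. It is NOT a real RSA key and must never be used as one.
FAKE_N = int.from_bytes(hashlib.sha512(b"LQ fingerprint example").digest() * 4, "big") | (1 << 2047) | 1
BLOB = build_rsa_public_blob(65537, FAKE_N)
B64 = base64.b64encode(BLOB).decode()
AUTHORIZED_KEYS_LINE = f"ssh-rsa {B64} rob@macbook"               # what ends up on the server
KNOWN_HOSTS_LINE = f"example.invalid,203.0.113.10 ssh-rsa {B64}"  # what a client records about a host

if __name__ == "__main__":
    _, blob, comment = parse_pubkey_line(AUTHORIZED_KEYS_LINE)
    print("comment:", comment, "| e:", parse_rsa_blob(blob)[0])
    print(fingerprint_sha256(blob))
    print(fingerprint_md5(blob))
    _, host_blob, _ = parse_pubkey_line(known_hosts_to_pubkey_line(KNOWN_HOSTS_LINE))
    print("same key in known_hosts:", host_blob == blob)
```

Because the hash covers only the decoded blob, the value printed by ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on the server is the same value the client shows at first connection, whatever comment or host name surrounds the key; that is what makes the phone call to the host useful as a check.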
@RobInRockCity: actually changing the title would invalidate my comment(s) & possibly confuse new readers.
Qns often take on new twists anyway.
However, it's up to the Mods to make that decision.
(Maybe you could add a note to your 1st post ?)
Re cPanel: never used it I'm afraid; I'm a cli guy. Hopefully a cPanel guy will chip in.
Re key locations: it's entirely up to you, but in practical terms you'd normally put the pub key on the "server" and the pvt key on the "client".
You'll notice that the actual ssh programs etc installed are different for server and client.
Given that you can scp/sftp in either direction, this is not a problem, but you'd ssh from the client to the server.
I don't think you want to put your private key on a server. Anyone who gets your private key gets everything. That key needs to be guarded, and if it's ever compromised you need to revoke it immediately and generate a new one. If it's on a server, it's compromised.
Quote:
I don't think you want to put your private key on a server. Anyone who gets your private key gets everything. That key needs to be guarded, and if it's ever compromised you need to revoke it immediately and generate a new one. If it's on a server, it's compromised.
Who said anything about putting the Private Key on the server?
And could we get back to answering the questions in my OP...
On my cPanel page at the bottom is the note:
You don’t have to import both keys. It is perfectly acceptable to just import a public OR private key if that is all you need on the server.
Q-1: What, if anything, should go in the field above?
The name you want to assign to your private key file if you need to use it on the server. Private keys are stored in separate files while public keys go in a single file, i.e. authorized_keys
Q-2: What exactly is going on here?
Q-3: What is the purpose of installing my Public-Key onto my server?
How keys work was explained in previous posts.
Q-4: Is this correct?
Yes
Q-5: Is it correct that the (Server) Fingerprint is an "abbreviated" version of the (Server's) Pubic Key?
Yes
Q-6: Is it correct that the (Server) Fingerprint would be created when the server is built/started and remain until it is reset?
Yes
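To show what the "Authorize" step (Q-2) and ssh-copy-id amount to on the server side in file terms, here is an added example, not cPanel's or OpenSSH's code. It appends a public key line to ~/.ssh/authorized_keys under a sandbox home directory, sets the permissions sshd's StrictModes expects (700 on .ssh, 600 on the file), skips a key that is already present even if its comment or a leading options field differs, refuses a pasted private key, and can remove a key again, which is the "revoke it immediately" step mentioned earlier for a compromised private key. The sample key line is constructed and not a real key; the home directory is a temporary directory the script creates itself.

```python
"""Added example (not cPanel's or OpenSSH's code): what 'Authorize' does on
the server in file terms, emulating ssh-copy-id. Everything happens under a
sandbox home directory so it runs anywhere without touching a real ~/.ssh.
"""
import base64
import os
import stat
import tempfile

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def key_identity(line: str) -> tuple:
    """(type, base64) of a key line, ignoring the comment and any leading
    options such as command="..." (options that contain spaces are not handled)."""
    if "PRIVATE KEY" in line:
        raise ValueError("that is a private key; only the .pub half goes on the server")
    parts = line.split()
    for i, tok in enumerate(parts[:-1]):
        if tok in KEY_TYPES:
            base64.b64decode(parts[i + 1], validate=True)  # must be real base64
            return tok, parts[i + 1]
    raise ValueError("no recognised public key on this line")


def _secure_enough(path: str) -> bool:
    """sshd (StrictModes yes) refuses keys in files or dirs writable by group/others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) == 0


def read_authorized(home: str) -> list:
    """Non-blank, non-comment lines of authorized_keys (empty list if absent)."""
    path = os.path.join(home, ".ssh", "authorized_keys")
    if not os.path.exists(path):
        return []
    with open(path) as fh:
        return [l.rstrip("\n") for l in fh if l.strip() and not l.startswith("#")]


def _write_authorized(home: str, lines: list) -> None:
    path = os.path.join(home, ".ssh", "authorized_keys")
    with open(path, "w") as fh:
        fh.write("".join(l + "\n" for l in lines))
    os.chmod(path, 0o600)


def authorize_key(home: str, key_line: str) -> bool:
    """Append the public key; True if added, False if it was already authorised."""
    key_line = key_line.strip()
    ident = key_identity(key_line)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # makedirs is subject to umask, so set the mode explicitly
    existing = read_authorized(home)
    if any(key_identity(l) == ident for l in existing):
        return False
    _write_authorized(home, existing + [key_line])
    return True


def revoke_key(home: str, key_line: str) -> bool:
    """Drop every line carrying this key; what to do when its private half leaks."""
    ident = key_identity(key_line)
    existing = read_authorized(home)
    kept = [l for l in existing if key_identity(l) != ident]
    if len(kept) == len(existing):
        return False
    _write_authorized(home, kept)
    return True


def permissions_ok(home: str) -> bool:
    """True when both .ssh and authorized_keys exist with modes sshd will accept."""
    ssh_dir = os.path.join(home, ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    return all(os.path.exists(p) and _secure_enough(p) for p in (ssh_dir, path))


def make_sandbox_home() -> str:
    """A throwaway directory standing in for the account's home on the server."""
    return tempfile.mkdtemp(prefix="lq-ssh-")


# Constructed sample line: the base64 is just the 'ssh-rsa' wire type plus filler,
# NOT a real key. Real lines come from the client's id_rsa.pub.
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + b"\x00" * 16).decode() + " rob@macbook"

if __name__ == "__main__":
    home = make_sandbox_home()
    print("added:", authorize_key(home, SAMPLE_PUB))
    print("added again:", authorize_key(home, SAMPLE_PUB))
    print("permissions ok:", permissions_ok(home))
    print("revoked:", revoke_key(home, SAMPLE_PUB), "| remaining:", read_authorized(home))
```

The duplicate check compares only the key type and base64 blob, because that is what sshd matches against the signature the client presents; the comment (rob@macbook) and any options field are not part of the key, which is why a second import of the same id_rsa.pub under a different name would not give the server a second key.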
Quote:
Originally Posted by michaelk
Q-1: What, if anything, should go in the field above?
The name you want to assign to your private key file if you need to use it on the server. Private keys are stored in separate files while public keys go in a single file i.e authorized_keys
Actually that field also applies to the Public-Key in my case.
Quote:
Originally Posted by michaelk
Do you have additional questions?
Sure do!
So I copy the contents of my User Public-Key into cPanel and use Field-1 to give it a name. Then cPanel creates a Public-Key on my Server.
Q-7: This new Public-Key on my Server would still be called the User (client) Public-Key, right? (After all, all I did was "share" it with the Server.)
Q-8: It appears that this new Public-Key on the Server is located here: ~/.ssh/id_rsa.pub Correct?
So, now I have the User (client) Private-Key on my local machine, and the User (client) Public-Key on the server located at: ~/.ssh/id_rsa.pub
The User (client) Private-Key and the User (client) Public-Key form a User (client) Key-pair...
Q-9: What does the User (client) Key-pair allow to happen? Does it allow the Client to speak with the Server? Or does it allow the Server to speak with the Client?