SSH key-based authentication is a robust security solution every Linux and IT professional should have in their toolkit. Far superior to basic passwords, SSH keys enable you to securely access both Linux servers and workstations without the hassles of typed credentials.
In this comprehensive 2600+ word guide, we will cover all facets of working with SSH keys from a seasoned admin‘s perspective. Whether you are looking to step up security across your server fleet, or streamline accessing devices as a power user – leveraging SSH keys is a must.
How Secure Shell Encryption Works
To fully utilize the power of SSH keys, you need to understand the encryption algorithms that drive secure shell in the first place. The SSH protocol utilizes asymmetric public key cryptography to authenticate and encrypt connections.
There have been two main iterations of the SSH protocol, version 1 and the current version 2. SSHv1 had several security vulnerabilities that are addressed in SSHv2.
As such, you should always use SSHv2 which delivers confidentiality, integrity, and authentication with strong encryption protocols like AES, RSA, and diffie-hellman-group-exchange-sha1.
Here is a simplified explanation of the SSH encryption handshake:
- The client begins by establishing a TCP connection to the remote server on port 22
- An initial key exchange uses diffie-hellman-group to securely exchange a symmetric session key. This prevents eavesdroppers from obtaining enough info to derive the key.
- The server and client then use the shared symmetric key to encrypt further communications with a cipher like AES.
- The server sends its public host key back to the client. At this point, a man-in-the-middle attack would be detected as the client compares the server‘s public key against previously known values from its ~/.ssh/known_hosts file.
- Authentication begins – the client will either present a password, SSH key, or other credential to verify its identity.
- A secure encrypted tunnel enabling data transfer and remote command execution is now active.
So in summary, SSH provides fully encrypted transmissions between devices secured by encryption key exchange, server validation, and user authentication. Let‘s look at handling user authentication using asymmetric SSH keys.
Generating Your SSH Key Pair
The ssh-keygen command handles all SSH key pair generation and management under the hood. When generating a new SSH key, you will be prompted for the type of key, the file path to store it, and an optional passphrase to further secure it.
The SSH protocol supports several asymmetric public key algorithms for authentication including:
- RSA – The most widely adopted SSH key type, with a minimum key size of 1024 bits. Key sizes below 2048 bits are considered breakable by today‘s hardware.
- Ed25519 – Newer algorithm using Edwards-curve Digital Signature Algorithm (EdDSA). Fixes weaknesses in ECDSA with faster performance.
- ECDSA – Elliptic Curve Digital Signature Algorithm keys. Slower than RSA but smaller in size.
Here is how you would generate a secure 4096 bit RSA key for example:
ssh-keygen -t rsa -b 4096I recommend going with Ed25519 or using a 4096+ bit RSA key these days for longevity and performance.
The ssh-keygen utility will handle the computational generation of your private + public key pair, which gets written to your ~/.ssh directory by default.
Managing SSH Keys Effectively
Once you have an SSH key pair established, there are a variety of helpful commands and tools for managing keys effectively:
Viewing your public key
cat ~/.ssh/id_rsa.pubListing fingerprints of all available keys
ssh-keygen -E md5 -lf ~/.ssh/id_rsaConvert legacy SSHv1 key to SSHv2 format
ssh-keygen -p -f ~/.ssh/id_dsaDecode your private key file
ssh-keygen -e -m PEM -f ~/.ssh/id_ed25519These are just a sampling of day-to-day key operations – ssh-keygen contains a wealth of options. Now let‘s get your public key installed on a server!
Deploying Your Public SSH Key
The most common activity around SSH keys is installing your public key on remote servers to enable passwordless logins. This consists of several simple steps:
- Copy your public key from ~/.ssh/id_rsa.pub
- SSH into the remote host using existing credentials
- Paste your public key into ~/.ssh/authorized_keys
- Set proper permissions on ~/.ssh and ~/.ssh/authorized_keys
The permissions piece is critical – ~/.ssh should be 700 and authorized_keys should be 600. Getting the permissions wrong is the #1 cause of keys not working!
Here is an example public key installation using ssh-copy-id which handles the file permissions automatically:
ssh-copy-id -i ~/.ssh/mykey user@hostNow test logging into the remote host directly with your private key. No password should be prompted for if your key was installed correctly!
Streamlining SSH Sessions with Config
Frequently accessing the same SSH servers? You can simplify connections by leveraging SSH client config files.
Just edit (or create) ~/.ssh/config with entries like:
Host webhost
Hostname 172.16.12.45
User admin
Port 2222
Host workstation
User myname
IdentityFile ~/.ssh/id_ed25519
LocalForward 9000 127.0.0.1:80Now you can simply run ssh webhost or ssh workstation without repeatedly specifying lots of parameters. The config file supports all sorts of shortcuts.
Hardening SSH Daemons
While SSH enables secure encrypted connections, the SSH server daemon itself must be properly hardened against real-world attacks:
- Upgrade to SSH v2 immediately if still running outdated v1 instances
- Disable root login via SSH by setting PermitRootLogin no
- Limit ciphers to only strong modern algorithms accepted
- Set AllowUsers or AllowGroups to restrict accounts permitted SSH access
You can also integrate active monitoring and intrusion protection like Fail2Ban. This scans logs for signs of brute force attacks, blocking repeated offenders.
Going Above and Beyond with SSH Certificates
While traditional SSH public key authentication is commonplace, more complex environments can benefit from SSH certificates. These provide additional encryption and central management lacking in regular keys.
In short, SSH certificate authority signs user keys enabling trust confirmation. Admins can maintain lists of revoked keys for immediate denial of access. More advanced policy options also become possible.
Key Best Practices for SSH Security
Given everything we have covered about SSH, keys, encryption, and hardening – here are some concise best practices for robust security:
- Enforce key-based SSH authentication everywhere, eliminate password logins
- Generate new strong key pairs regularly, phase out weaker legacy keys
- Add passphrases to all keys for an extra layer of protection
- Follow strict permissions and ownership on ~/.ssh and authorized_keys
- Use ssh-agent and ssh-add to cache decrypted keys when possible
- Disable unused encryption algorithms and port forwardings in SSH daemon
- Monitor logs, utilize automatic blocking protections like fail2ban
- Revoke keys immediately upon suspicion of compromise
Sticking to these principles will keep yourSSH hardened against exploits while taking advantage of smoother key-based logins.
Wrapping Up SSH Keys
I hope this guide has given you a comprehensive breakdown of SSH keys – from encryption internals through to deployment, security and beyond. SSH remains a foundational protocol for remote access and automation in 2024.
Leveraging asymmetric key pairs leaves passwords in the dust by every measurable security standard. Yet keys remain lightweight and simple to adopt once you grasp the basics.
Now you have the insider expertise to wield SSH and key-based authentication like a pro! The concepts presented here will serve any Linux system administrator, DevOps engineer, site reliability guru or IT generalist for years to come.
