1

I am trying to learn this instead of just following guides so I can recommend proper actions when people do ask (and they do). Here is what I got down.

First, generate both key with command such as this:

ssh-keygen -b 2048 -t rsa -C comment -f ~/.ssh/id_rsa

Then you push the public part of the key into authorized_keys2 file

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys2

(and then chmod it to 600 or similar)

And you download the private key to your computer (id_rsa) and feed that in to Putty to be read and authenticate.

Are these the correct steps to setting this public/private key authentication for passwordless login to SSH?

Improve this question
1
  • Hi James, welcome to ServerFault. This site is primarly for questions and answers, not general discussion type posts. As it stands now you aren't really asking a question and your post will probably be closed. If you have a problem with key authentication after following the steps you detailed above, feel free to edit your post and detail the problem/s you are having. Commented Dec 23, 2010 at 4:05

3 Answers 3

Reset to default
4

While the steps you have described will work, there is a problem. You are generating the keypair on the target (remote) computer, and then downloading the private key file to your local system. There are security implications here that you should not overlook:

  • If the remote is already compromised, somebody may have just grabbed your passphrase.
  • If the remote system is compromised in the future, the attacker will have access to your private key file (and the luxury of using an offline brute-force attack to attempt to decrypt it).

Since you're using ssh key pairs to (try to) solve some of the problems inherent in password authentication, you usually want to do things this way:

  • Generate the keypair on your local system. Ideally, the private key will (a) never be stored on a shared filesystem (e.g., NFS home directory), and (b) will never be stored on a computer that allows remote logins.

  • Publish the public key far and wide. I keep my public key(s) on a web site so I can grab them whenever I need them. Put the public key in the appropriate authorized_keys files on systems to which you'll be connecting.

If you're especially paranoid, you can store your private key on a thumb drive, and only use the drive to load the key into a running ssh-agent. At this point, you don't need the actual key file anymore.

Improve this answer
1
  • Ah -- thank you a lot, I understand the process a lot better, shame the guide for my webhost says to do it on-server and only download the private key. Commented Dec 23, 2010 at 4:10
2

It may be better to generate the key on the client system(s). You may end up with a larger authorized_keys file, but it is easier to disable a compromised system. If you migrate the server's private key, you will need to regenerate and migrate the key to all the client systems. Each client should have it's own key.

Putty uses puttygen to generate the key. puttygen will also provide the public key in the correct format for pasting into the client system. It is best to protect the key with a passphrase if it is being used for login access. Pageant or ssh-agent can be used to hold the unprotected key in memory so that the passphrase does not need to be reentered on each connection.

Once you have added one key and set the protection, you can add additional keys with needing to reset the permissions. I usually upload the public key from the system with a name like example.pub where example is the name of the system the key belongs to.

Many implementations have returned to using authorized_keys as the key file. This file can be used to restrict the system the key will be accepted from, force a command to be run, limit access, and other things. View the man page for more details.

In some cases, it may be useful to have multiple keys on client system. This can be done to support batch processes which run with keys which don't have a password.

Improve this answer
1
  • Thank you for explaining about puttygen, I believe I have got this thing down, I will definitely read some more official materials on SSH to understand the process better. Commented Dec 23, 2010 at 4:11
1

That looks good. Many people would do it in the opposite direction (generate the key locally, then push your .pub up to the server), but either can work.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.