SSH/Public Key Cryptography
SSH is Secure SHell. It’s a network protocol for encrypted communication between two computers. In plain English, that means that you can use SSH to access a secure, encrypted command line on a computer that you don’t happen to be sitting in front of. For more details, try Wikipedia’s article on Secure Shell.
SSH is a command line tool, but you can use it to copy files between two servers, send updates to a version control system like git or Subversion. However, system administrators and other command line cowboys will, ever so very rarely ask you for your “SSH key” or insist that they only use “key based authentication” or “public key cryptography”.
Most people know they’re using bad passwords every day. There are lots of good reasons why experts prefer key based authentication to passwords, but one of the best is that strong keys are easier to use than strong passwords.
Password strength, by xkcd
Key based authentication also makes it much easier for multiple people to access to a single server: you can authorize many keys to access a particular account. No more sharing passwords.
Each person generates a pair of keys. Windows users will want PuTTY. Mac and Linux users can pull up a console window (in Mac OSX, find it under Utilities > Terminal) and generate a key pair with a few short commands.
Once you’ve created the keys, one of them — the private key — stays on your computer. You don’t share it with anyone, ever. The second, your public key, you do share. You add your public key to a file on the server called .ssh/authorized_keys. When you try to access the server, SSH will send your private key to the server in lieu of a password. As long as your public key--the other half of your key pair--is listed in the authorized keys file, you'll be able to connect.
This is infinitely more secure than sharing the same password between everyone who needs access to the server and far, far easier than memorizing truly random 650 character password.
If you’re really new to using the terminal, Git Hub’s help pages have a great overview to help you get started. Placeblogger’s Lisa Williams also maintains a pretty good resource sheet for folks who are just learning to deal with a terminal.
Step 1: Make sure you don’t already have a key pair set up
In your terminal window, type:
$ ls ~/.ssh
This will list the contents of the .ssh folder in your home directory. If the response you get is something along the lines of "ls: cannot access .ssh: No such file or directory" you're ready for step two. If you see a list of file names that includes perhaps one called "id_dsa" (or "id_rsa") and one called "id_dsa.pub" (or "id_rsa.pub"), you might not need to make new keys. If you honestly have no idea where those keys came from, you're probably better off starting fresh.
/home/amanda/.ssh
(“dsa” and “rsa” are two common methods for creating public keys.)
Next, type:
$ mkdir ssh_bak
This will create a new directory called “ssh_bak” that you can backup your keys to. Follow this with:
$ mv ~/.ssh/id_* ~/ssh_bak/
This will move any file with a name starting with “id_” into the backup directory you just created. (For more on the asterisk (*) check out: wildcard).
Step 2: Generate a new SSH key
The program that generates SSH keys is called ssh-keygen:
$ ssh-keygen -t rsa -C "your_email@youremail.com"
You should see a message like “Generating public/private key pair.” while your computer works, followed by a prompt asking you to provide a file to save the key to. The filename provided in parentheses (probably something like “(/home/sometheing/.ssh/id_rsa)”) is the default — just hit return to except the default value. Your next prompt will be for a passphrase. Make it a pretty good one but keep track of it. You won’t see anything on the screen as you’re typing your passphrase. That’s okay. Just type it and hit return when you’re done.
You can see your new keys by opening them in a text editor or with a command line tool like cat or less:
$ less .ssh/id_rsa
$ less .ssh/id_rsa.pub
Step 3: Put your key on the server
If you’re lucky, you can just give a copy of id_rsa.pub to your server administrator, who can append it to .ssh/authorized_keys for you. If you aren't quite so lucky, sit tight, and we'll cover the vi editor in a future post.
Do I still need a password?
You can (and should) password protect your private key. Github has nice instructions for doing that. If you do, you’ll be prompted to enter your passphrase whenever you use your key.
Key-based SSH authentication is just one of many ways you can use public key cryptography — PGP and SSL are two others, but there are many more.
