It’s well known that passwords, regardless of how complex you make them, are the least desirable form of protection for any computer system. They are usually predictable or generated by ‘pseudo’ random generators. Those generators still follow a specific set of instructions to generate the passwords. Not to mention everyone gets pretty worn out with trying to come up with new and better passwords all of the time. Which is why it is inevitable to default to a password you are comfortable with. One that is tried and true and used for nearly everything you have…
So.. What can we do about that?
The complicated, and undoubtedly the most hated, is two-factor authentication. Often relying on a device in your pocket or being able to receive a text message, an email, or now a push notification to an app on your smart phone. While these methods really are more secure they are also overkill in some situations.
The other option is to generate a public and private key pair. This reduces the effort needed to access a remote system but also comes with it’s own inherent security risks.
What exactly is a public and private key pair? It is a set of files that are generated using a hashing function that produces a public key, for encrypting, and a private key, for decrypting. These two files can be used together to ensure that whatever is encrypted with the public key can only be decrypted with the private key to include an SSH session to another computer.
Think of your home and the lock and key for the front door. The lock contains the public key. It is something that everyone can see and can use to secure the house for you. However, once they engage the lock and close the door, yes.. assuming they actually leave the house, they cannot reopen. The lock now needs the private key to be opened again. It is important to note though, that just as a house key can be duplicated so can your private key. So make sure you keep your key safe.
So lets generate a key pair and see how to use them..
The most common way to do this is like this:
ssh-keygenYep. That’s all. Unless you want something more secure.. like this:
# Still using RSA which is the default, although it is being phased out
ssh-keygen -t rsa -b 4096
# Using ed25519 the hot new thing
ssh-keygen -t ed25519
# If you add -a you can increase the strength of the hash
ssh-keygent -t ed25519 -a 50These will produce a set of files name something like ‘id_rsa’ and ‘id_rsa.pub’ or ‘id_ed25519’ and ‘id_ed25519.pub’.
I’m thinking you can figure out which is public and which is private.
Now that we have the files you will need to place the public key on the host to which you will connect. Typically it should be place at /home/<user>/.ssh/id_ed25519.pub.
It is also recommended to use chmod 0600 id_ed25519.pub to ensure that the file is only readable by the intended user. Most of the time you will get an error if it is not set.
On the host you are connecting from you would place the private key in the same location. SSH knows to look there for both. If it is not there, that is ok. You can use ssh -i <path_to_file> to point it to the right place.
Once the files are placed you can now SSH and not have to use a password and it is a little more secure. This also works with sftp and scp. That is especially useful to automate file transfers. It is possible to reuse the key pair for multiple connections. Just be sure to keep your private key safe.