Friday, 15 October 2010

Creating an SSH key pair with OpenSSH

Using the OpenSSH program suite, a 2048 bit RSA key pair can be created by

$ ssh-keygen -t rsa -b 2048 -f id_rsa_repos
The output will be something similar to:

Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa_repos.
Your public key has been saved in id_rsa_repos.pub.
The key fingerprint is:
5d:0d:2b:c7:44:2c:6c:39:f6:09:9c:55:3e:5f:9b:bf xxx@yyy

The private key
The private key file (called id_rsa_repos in the example above) needs to be kept secret and well-protected by the user who uses it to identify herself. It is handy to store the corresponding public key along with the private key for easy access (e.g. when you have to provide it to a service provider).

Private key files are sensitive

It is recommended (though not strictly required) to protect the private key file with a passphrase. The important point to keep in mind is that, if the private key file is not protected by a passphrase, whoever manages to get hold of it will be able to access the service protected by the key (e.g. the Subversion repository account) with your user privileges.

Additionally or alternatively the directory containing the private key file can be encrypted. All modern operating systems support transparent directory encryption. How to configure directory encryption depends on your operating system and is beyond the scope of this HOWTO. If unsure, ask your IT support group.


The public key
The public key file is what is exchanged between the user and the service provider (e.g. the Subversion administrator in the case where the service provided is access to a Subversion repository). If generated via OpenSSH, its name usually ends in .pub (see example above) and its content looks something like:

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEA2KZp+OEKJu4IYC81ydFG4P/tVYJondVrKIEznxonQ8EEhdlY
lhGLHrqcBB+il8lCWVsuHRakTEmuh3v3TAWkFlOhs1oRCkx+
Gc3sXl86H0hj5meCddVjVV+FeVLRtuCahh6H
6pt4USZtK/g+K3p5w5Pyao1B1ZESr1cdqIX30r2Nnj/fCJ54A9TuvNSwRsqISQ/PPmCT00oAHusBtKqU1f6Q
aD3CrtsejHYBYPiomOQRRcRdk0Jyrf/o5sgLs53zLdgw8dn7xuQ14YBQxY9+StqlSuTzyET9EB6CDHsoRbx/L5pXhId/LCrWYk7qsxRrc0xMmTQ7hDgQsy4qwoXtIw== xxx@yyy
The key is a single line made up of three space-separated fields (it is wrapped here only for display). Note that the first and second fields must not be changed. Only the third field (xxx@yyy) can be changed freely, since it is a comment relevant only to the human reader and irrelevant to the machine.

Fingerprints can help you identify keys

If you are ever in doubt whether you have the right public key, call

$ ssh-keygen -l -f id_rsa_repos.pub
on the public key file (id_rsa_repos.pub in this example). The output will look something like:

2048 5d:0d:2b:c7:44:2c:6c:39:f6:09:9c:55:3e:5f:9b:bf id_rsa_repos.pub
The first field shows the length of the key (2048 bit in this case); the second field is the fingerprint of the key. The fingerprints of the two keys are what you should compare if you are unsure whether the two keys are the same.
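What the fields of the public key line and the fingerprint actually contain can be shown in code. The following Python sketch is an added example, not part of the original HOWTO: it parses an ssh-rsa public key line, checks that the first field agrees with the type stored inside the base64 blob, and computes the key length and the colon-separated fingerprint, which is the MD5 digest of the decoded second field. The function names and the sample key (built from a constructed number, not a real RSA modulus) are assumptions made for the demonstration.

```python
import base64
import hashlib


def read_field(blob, offset):
    """Read one length-prefixed field: 4-byte big-endian length, then the bytes."""
    header = blob[offset:offset + 4]
    length = int.from_bytes(header, "big")
    end = offset + 4 + length
    if len(header) < 4 or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end


def inspect_public_key(line):
    """Return (bits, md5_fingerprint, comment) for one ssh-rsa public key line."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64 blob> [comment]'")
    comment = fields[2] if len(fields) == 3 else ""
    blob = base64.b64decode(fields[1], validate=True)
    inner_type, off = read_field(blob, 0)
    if fields[0] != "ssh-rsa" or inner_type != b"ssh-rsa":
        raise ValueError("first field does not match the type inside the blob")
    _exponent, off = read_field(blob, off)
    modulus, off = read_field(blob, off)
    bits = int.from_bytes(modulus, "big").bit_length()
    fingerprint = ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    return bits, fingerprint, comment


def same_key(line_a, line_b):
    """Two lines hold the same key if the fingerprints match; comments are ignored."""
    return inspect_public_key(line_a)[1] == inspect_public_key(line_b)[1]


def make_sample_line(modulus, comment):
    """Build a constructed ssh-rsa line for the demo (not a usable key)."""
    def field(data):
        return len(data).to_bytes(4, "big") + data
    def mpint(value):  # the leading zero byte keeps the number positive
        return field(value.to_bytes(value.bit_length() // 8 + 1, "big"))
    blob = field(b"ssh-rsa") + mpint(35) + mpint(modulus)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " " + comment


if __name__ == "__main__":
    n = (1 << 2047) | 0x1234567  # constructed 2048-bit number, not a real modulus
    print(inspect_public_key(make_sample_line(n, "xxx@yyy")))
    print(same_key(make_sample_line(n, "xxx@yyy"), make_sample_line(n, "renamed")))
```

Current OpenSSH releases print SHA256 fingerprints by default; ssh-keygen -l -E md5 -f id_rsa_repos.pub prints the MD5 form used on this page.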

Fingerprints can help you compare keys

The same trick works on private RSA key files, too. Thus if you want to know whether a private and a public key match, type

$ ssh-keygen -l -f id_rsa_repos ; ssh-keygen -l -f id_rsa_repos.pub
and compare the output.



Public keys can be derived from private keys

If you have lost the public key file but still have the private key file, the public key can easily be reconstructed from the private key file by

$ ssh-keygen -y -f id_rsa_repos
