Linux Timesaving Techniques For Dummies.pdf

Setting Up Public-Key Authentication to Secure SSH 219

Using SSH for Top-Speed Connections

The great thing about SSH is that you get all the security benefits, plus access to a GUI environment with speeds that can’t be matched by the other desktop sharing tools. SSH can compress the bits traveling over the network connection to improve performance. The speed advantage is really evident if you have a low-bandwidth or high-latency connection.

Think of latency as the distance between your computer and the server that you’re connected to. If you’re connected to a computer 10 feet away from you, you probably have a low-latency connection. If you need to log in to a computer in a foreign land over a satellite connection, all your data travels from your computer, up to the satellite, back down to earth, and then across the rest of the network: That’s a high-latency connection.

Setting Up Public-Key Authentication to Secure SSH

When you log in to a typical personal computer, you provide a password. The password authenticates that you are who you claim to be. Anyone who knows your password can fake out a server. Passwords are typically very short and easy to remember; those two qualities make passwords easy to use, but also make them incredibly insecure.

Public-key authentication is an alternative to password authentication. Public-key authentication is very secure, and SSH also makes it convenient. In public-key authentication, each key has two parts — a public key and a private key. You always keep your private key a secret, but you share your public key. The two keys are mathematically related in a way that only Stephen Hawking can understand. A message encrypted with the public key can be decrypted only with the private key. A message encrypted with the private key can be decrypted only with the public key.

To authenticate a connection by using a public key, the server encrypts a message with your public key and sends the result to your client. The SSH client decrypts the message using your private key and reencrypts it with the server’s public key. In this exchange, you’ve proven you are who you say you are and verified that you’re connected to the proper server.
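The two-direction property the text describes, shown as an added illustration that is not part of the book: textbook RSA over two small primes chosen here for the example (real SSH keys are thousands of bits long and wrap this arithmetic in a protocol, but the relationship between the halves of the pair is the same). The function names and the prime values are this example's own.

```python
# Added illustration (not from the book): textbook RSA on small constructed primes,
# showing that what one half of the pair does, only the other half can undo.

def make_keypair(p, q, e=65537):
    """Return ((e, n), (d, n)) for distinct primes p and q; e must be coprime to (p-1)(q-1)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)   # modular inverse (Python 3.8+); needs p and q, which only the owner has
    return (e, n), (d, n)


def apply_key(value, key):
    """Apply either half of the pair to an integer: value ** exponent mod n."""
    exponent, n = key
    if not 0 <= value < n:
        raise ValueError("value must be an integer in [0, n)")
    return pow(value, exponent, n)


# Constructed primes, far too small for real use; the public half may be shared,
# the private half stays secret.
PUBLIC, PRIVATE = make_keypair(1000000007, 998244353)


def roundtrips(message):
    """True if encrypt-with-public/decrypt-with-private and the reverse both recover message."""
    via_public = apply_key(apply_key(message, PUBLIC), PRIVATE)
    via_private = apply_key(apply_key(message, PRIVATE), PUBLIC)
    return via_public == message and via_private == message


if __name__ == "__main__":
    print(roundtrips(424242))
```

Applying one key and then the other, in either order, returns the original value; applying the same key twice does not, which is why the private half must never leave your machine.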

Public-key authentication is perfect for telecommuters and those doing customer support work because it enables you to easily access computers that you will log in to often. Just copy your public key once, and you’re ready to go.

The public and private keys are stored in the ~/.ssh directory. To set up key authentication with SSH, here’s an overview of what you need to do:

1. Generate the key pair.

2. Give the SSH server a copy of your public key (but keep your private key to yourself).

   You can copy the public key to the server by using a file transfer tool such as scp (secure cp).

3. (Optional) Set up your passphrase so that you don’t have to enter it every time you log in.

Your public/private key pair is generated from a whole mess of random numbers. It’s very unlikely that any two key pairs will be identical. A typical key is at least 128 characters long.

Linux automatically contains everything you need to use public-key authentication, so you don’t have to install any extra software. Yay!

220 Technique 33: Securing Your Connections with SSH

Generating the key pair

To generate your public/private key pair, follow these steps:

1. Open a command line, type the following command, and press Enter:

   $ ssh-keygen -t rsa

   You’re prompted to enter a file to save the key in.

2. Press Enter, and SSH will find a good place for the file.

   You’re prompted for a passphrase.

3. Enter a good passphrase.

   Check out the sidebar “Choosing good passwords,” later in this chapter, for some ideas about choosing passwords.

4. Enter the same passphrase again to verify it.

   Remember the passphrase; you’ll need it later.

SSH acknowledges that it has created your key pair and displays the filenames where the keys are saved. ssh-keygen also issues a key fingerprint, but you can ignore that for now. To use your key pair with SSH, you need to distribute the public key, which we explain how to do in the next section.

Distributing your public key

Before you can use your key pair to log in to an SSH server, you have to copy your public key into your ~/.ssh directory on the server. The easiest way to get your key to the server is to use the scp command.

Follow the steps shown in Listing 33-1 to transfer your public key to the remote system. After you enter each command, you’re prompted for your password on the remote system.

In the example, substitute your user name on the remote system for freddie, and the name (or IP address) of the remote system for bastille.

Listing 33-1:

   $ ssh freddie@bastille "mkdir .ssh"
   Password:
   $ ssh freddie@bastille "cat >> .ssh/authorized_keys2" < .ssh/id_rsa.pub
   Password:
   $ ssh freddie@bastille "chmod 700 .ssh .ssh/authorized_keys2"
   Password:

Don’t share anything but your public key by e-mail. The private key is always kept private, encrypted on your system.

Passing on your passphrase

If you did all that work to avoid typing in a password, why should you have to enter a passphrase instead? The passphrase unlocks your private key for use when you log in to a remote system. Without a passphrase, your private key would be exposed on your local machine for anyone to see.

If you do a lot of work on a remote machine, add the passphrase to your startup procedure and create desktop shortcuts to save you time logging in and out. The following steps explain how to arrange for KDE or GNOME to prompt you for the passphrase when you log in to your desktop environment. See “Creating Shortcuts to Your Favorite SSH Locations” for information about creating desktop shortcuts.

If you’re in an environment where security is crucial, never walk away from your computer without first logging out. A troublemaker who walks up to your unattended computer can impersonate you if you’re logged in. If you follow the steps described in this section, anyone with physical access to your computer can also use your private key while you’re logged in.
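Two checks a practitioner would want after running the steps above, written here as an added example rather than anything from the book or from OpenSSH itself: a parser for the lines that end up in authorized_keys (it decodes the base64 blob, confirms the embedded key type matches the declared one, reports the modulus size for RSA keys and prints the same SHA256 fingerprint format that ssh-keygen shows), and an audit that flags anything under ~/.ssh that the chmod step left readable or writable by other users. The sample key line is constructed from an arbitrary integer and is not a real key; the file names and the `freddie@bastille` comment follow the book's example.

```python
import base64
import hashlib
import os
import re
import stat
import struct
import tempfile

# Key type, base64 blob, optional comment; anything before the type is the options prefix.
KEY_LINE_RE = re.compile(
    r"(?:^|\s)(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256)\s+([A-Za-z0-9+/=]+)(?:\s+(.*))?$")


def _ssh_string(data):
    """SSH wire-format string: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def _ssh_mpint(value):
    """SSH mpint: big-endian magnitude, with a leading 0x00 if the high bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw[0] & 0x80 else raw)


def _read_string(blob, offset):
    """Decode one wire-format string at offset; return (bytes, offset after it)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field")
    end = offset + 4 + struct.unpack(">I", blob[offset:offset + 4])[0]
    if end > len(blob):
        raise ValueError("truncated string field")
    return blob[offset + 4:end], end


def fingerprint(blob):
    """SHA256 fingerprint in the form ssh-keygen -l prints it (base64, no '=' padding)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).rstrip(b"=").decode()


def parse_authorized_key(line):
    """Parse one authorized_keys line; None for blank/comment lines.

    Raises ValueError when the blob is not base64 or its embedded type string
    disagrees with the declared type (a corrupted or hand-edited entry).
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = KEY_LINE_RE.search(line)
    if m is None:
        raise ValueError("no recognised key type on line")
    key_type, b64, comment = m.group(1), m.group(2), m.group(3) or ""
    blob = base64.b64decode(b64, validate=True)
    embedded, offset = _read_string(blob, 0)
    if embedded != key_type.encode():
        raise ValueError(f"declared {key_type} but blob says {embedded!r}")
    info = {"options": line[:m.start(1)].strip(), "type": key_type,
            "comment": comment, "fingerprint": fingerprint(blob)}
    if key_type == "ssh-rsa":
        _e, offset = _read_string(blob, offset)   # public exponent
        n, _ = _read_string(blob, offset)         # modulus
        info["bits"] = int.from_bytes(n, "big").bit_length()
    return info


def audit_ssh_dir(ssh_dir):
    """Return (name, mode) for the directory and every non-.pub file readable or
    writable by group/others; an empty list means the chmod step stuck."""
    findings = []
    for name in [""] + sorted(os.listdir(ssh_dir)):
        if name.endswith(".pub"):
            continue  # the public key is meant to be shared
        mode = stat.S_IMODE(os.stat(os.path.join(ssh_dir, name)).st_mode)
        if mode & 0o077:
            findings.append((name or ".", oct(mode)))
    return findings


# Constructed sample, NOT a real key: an arbitrary 2048-bit integer dressed up as
# an ssh-rsa blob so the parser has realistic bytes to work on.
_FAKE_RSA_BLOB = _ssh_string(b"ssh-rsa") + _ssh_mpint(65537) + _ssh_mpint((1 << 2047) | 0xBEEF)
_B64 = base64.b64encode(_FAKE_RSA_BLOB).decode()
SAMPLE_RSA_LINE = 'command="/usr/local/bin/backup",no-pty ssh-rsa ' + _B64 + " freddie@bastille"
MISMATCHED_LINE = "ssh-ed25519 " + _B64   # declared type does not match the blob


def demo_audit():
    """Throwaway ~/.ssh with one badly protected private key; returns the findings."""
    with tempfile.TemporaryDirectory() as ssh_dir:
        os.chmod(ssh_dir, 0o700)
        for name, mode in (("id_rsa", 0o644), ("id_rsa.pub", 0o644), ("authorized_keys2", 0o600)):
            path = os.path.join(ssh_dir, name)
            with open(path, "w") as fh:
                fh.write("constructed placeholder, not key material\n")
            os.chmod(path, mode)
        return audit_ssh_dir(ssh_dir)


if __name__ == "__main__":
    print(parse_authorized_key(SAMPLE_RSA_LINE))
    print(demo_audit())
```

Point `audit_ssh_dir` at a real ~/.ssh on either end of the connection to confirm the directory and the private key are not group- or world-accessible, and feed each line of the server's authorized_keys file through `parse_authorized_key` to spot entries that were pasted in broken; the fingerprint it prints can be compared with the one ssh-keygen showed when the pair was generated.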

