tech_notes:ssh [2024-03-09 Sat wk10 10:25] → [2024-03-09 Sat wk10 10:45] (current) – [ssh-keygen] baumkp

{{tag>linux ssh ssh-keygen}}
======ssh with key files======
The advantages of using SSH key-based authentication include:
*Improved security
*Easier access to ssh (if the key is not passphrase protected)

Clearly, use of unique passphrase-encrypted keys gives the best security. However, if a user has access to your terminal and user password they effectively have full system access anyway.

<fc #ff0000>The use of ''sudo'' should not be necessary, as the keys created should be user based.</fc>
=====ssh-keygen=====
The ''ssh-keygen'' command is used to create ssh key pairs.

//Use ''man ssh-keygen'' to see the options and description of the command.//

++++ssh-keygen|
<code>
usage: ssh-keygen [-q] [-a rounds] [-b bits] [-C comment] [-f output_keyfile]
                  [-m format] [-N new_passphrase] [-O option]
                  [-t dsa | ecdsa | ecdsa-sk | ed25519 | ed25519-sk | rsa]
                  [-w provider] [-Z cipher]
       ssh-keygen -p [-a rounds] [-f keyfile] [-m format] [-N new_passphrase]
                   [-P old_passphrase] [-Z cipher]
       ssh-keygen -i [-f input_keyfile] [-m key_format]
       ssh-keygen -e [-f input_keyfile] [-m key_format]
       ssh-keygen -y [-f input_keyfile]
       ssh-keygen -c [-a rounds] [-C comment] [-f keyfile] [-P passphrase]
       ssh-keygen -l [-v] [-E fingerprint_hash] [-f input_keyfile]
       ssh-keygen -B [-f input_keyfile]
       ssh-keygen -D pkcs11
       ssh-keygen -F hostname [-lv] [-f known_hosts_file]
       ssh-keygen -H [-f known_hosts_file]
       ssh-keygen -K [-a rounds] [-w provider]
       ssh-keygen -R hostname [-f known_hosts_file]
       ssh-keygen -r hostname [-g] [-f input_keyfile]
       ssh-keygen -M generate [-O option] output_file
       ssh-keygen -M screen [-f input_file] [-O option] output_file
       ssh-keygen -I certificate_identity -s ca_key [-hU] [-D pkcs11_provider]
                  [-n principals] [-O option] [-V validity_interval]
                  [-z serial_number] file ...
       ssh-keygen -L [-f input_keyfile]
       ssh-keygen -A [-a rounds] [-f prefix_path]
       ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]
                  file ...
       ssh-keygen -Q [-l] -f krl_file [file ...]
       ssh-keygen -Y find-principals -s signature_file -f allowed_signers_file
       ssh-keygen -Y match-principals -I signer_identity -f allowed_signers_file
       ssh-keygen -Y check-novalidate -n namespace -s signature_file
       ssh-keygen -Y sign -f key_file -n namespace file [-O option] ...
       ssh-keygen -Y verify -f allowed_signers_file -I signer_identity
                  -n namespace -s signature_file [-r krl_file] [-O option]
</code>
++++

====ssh-keygen default====

====Warning====
<fc #ff0000>//During further SSH key pair generation, if you do not specify a unique file name, you are prompted for permission to overwrite the existing id_rsa and id_rsa.pub files. If you overwrite the existing id_rsa and id_rsa.pub files, you must then replace the old public key with the new one on ALL of the SSH servers that have your old public key.//</fc>

Once you have generated the keys, they are stored in the ''.ssh/'' directory of the user's home (e.g. ''/home/user/.ssh/'') with the following permissions:
*Private key - 600
*Public key - 644

=====sharing keys=====
Some examples:
*''ssh-copy-id -i .ssh/key-with-pass.pub user@destination'' generic example
*''ssh-copy-id -i .ssh/id_rsa.pub john.doe@192.168.0.1'' will copy the default created id_rsa.pub key to IP 192.168.0.1 for user john.doe

The remote ssh will ask for the remote shell password.

//Use ''man ssh-copy-id'' to see the options and description of the command.//
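An added example (not from this page or the referenced Red Hat article) that puts the points above together: it generates a key pair as the current user (no ''sudo''), refuses to clobber an existing pair instead of prompting to overwrite ''id_rsa'', and audits the 600/644 permissions listed above. It assumes OpenSSH's ''ssh-keygen'' and either GNU or BSD ''stat''; the directory, key name and comment passed in are placeholders.

```sh
#!/bin/sh
# Added example (not from this wiki page): create a key pair under a unique
# file name so an existing id_rsa/id_rsa.pub is never overwritten, then check
# the permissions ssh expects. Assumes OpenSSH ssh-keygen and GNU or BSD stat.
set -eu

# perm_of FILE : print the octal mode, GNU stat first, BSD/macOS stat as fallback
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_key_perms DIR NAME : succeed only if DIR/NAME is 600 and DIR/NAME.pub
# is 644 (ssh refuses to use a private key that other users can read)
audit_key_perms() {
    [ "$(perm_of "$1/$2")" = 600 ] && [ "$(perm_of "$1/$2.pub")" = 644 ]
}

# make_key DIR NAME COMMENT : generate an ed25519 pair as the current user
# (no sudo needed), refuse to clobber an existing key, print the fingerprint
make_key() {
    dir=$1; name=$2; comment=$3
    if [ -e "$dir/$name" ] || [ -e "$dir/$name.pub" ]; then
        echo "refusing to overwrite existing key $dir/$name" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir"
    # -N "" keeps the demo non-interactive; for a real key omit -N so that
    # ssh-keygen prompts for a passphrase that encrypts the private key
    ssh-keygen -q -t ed25519 -C "$comment" -N "" -f "$dir/$name"
    chmod 600 "$dir/$name" && chmod 644 "$dir/$name.pub"
    # SHA256 fingerprint, the value to compare when the key is installed remotely
    ssh-keygen -l -E sha256 -f "$dir/$name.pub" | awk '{print $2}'
}

# Usage (placeholder values): fp=$(make_key "$HOME/.ssh" id_ed25519_myhost "me@laptop")
```

After generation, the printed ''.pub'' file is what ''ssh-copy-id -i'' installs on the remote host; the private key never leaves the directory.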
=====references=====
[[https://www.redhat.com/sysadmin/configure-ssh-keygen|Using ssh-keygen and sharing for key-based authentication in Linux]]
