ssh-keys concept

SSH-KEYGEN (password-less authentication)

ssh-keygen is a Unix utility used to generate, manage, and convert authentication keys for SSH authentication. With the help of the ssh-keygen tool, a user can create passphrase-protected keys for both SSH protocol version 1 and version 2. ssh-keygen creates RSA keys for SSH protocol version 1 and RSA or DSA keys for use by SSH protocol version 2. These keys differ from the keys used by GNU Privacy Guard.

ssh-keygen command options and their descriptions:

-b bits      Specifies the number of bits in the key to create. The minimum bit length is 768 bits and the default length is 2048 bits.
-C comment   Provides a new comment.
-p           Requests changing the passphrase of a private key file instead of creating a new private key.
-t           Specifies the type of key to create.
-q           Quiets ssh-keygen. It is used by the /etc/rc file while creating a new key.
-N           Provides a new passphrase.
-F (or -B)   For ssh-keygen2, dumps the key's fingerprint in Bubble Babble format.


To explain this concept I will use two machines:

############################################################################

1)[root@machine1 ~]# hostname

   machine1

 [root@machine1 ~]# ip a |grep eth0

   2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen

   inet 172.16.28.130/24 brd 172.16.28.255 scope global eth0

###############################################################################

2)[root@machine2 ~]# hostname

   machine2

  [root@machine2 ~]# ip a |grep eth0

  2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen

   inet 172.16.28.131/24 brd 172.16.28.255 scope global eth0

#################################################################################

I will try to connect from machine1 to machine2 with a password:

[root@machine1 ~]# ssh root@172.16.28.131

The authenticity of host '172.16.28.131 (172.16.28.131)' can't be established.

RSA key fingerprint is 8d:41:52:a2:0b:c8:d4:b1:ed:82:66:82:f7:b3:0a:3a.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '172.16.28.131' (RSA) to the list of known hosts.

root@172.16.28.131's password:

Permission denied, please try again.

root@172.16.28.131's password:

Last login: Wed Jan 27 19:38:55 2016 from 172.16.28.1

[root@machine2 ~]#

[root@machine1 ~]# cat .ssh/known_hosts

172.16.28.131 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuDFfk7oAW8knlGsJrdd2l11c3vdUFTVfnDtUKTx/eqVghv/tslsvbYYcCQ2Ia7hRUVHQkFU0f79SfhsZ2BBdGRnADIZYcOi9vL4bNt1NSbwhGfGXqV5+4uzuuq59sixEHuz9RFdat0DuH5x36ucqS47gWanhy2clHaTnvDVl6I3IKrAsu1ieDCjn/KT4DE92JXXJxK/d2J+vGpyuDxqavatBPkpWuUr5jNklj2vRsNh2OfmPoGVokZAzSV488kg+qbeKEKYKLt9pJICeIuTzOKlqmh+WvKjGcKE4ypVLg6tEvIjvB9Jrdx86fMPKdTLHo0ZI+e8DkOOFgmytvM756Q==

[root@machine1 ~]# ssh root@172.16.28.131

root@172.16.28.131's password:

Last login: Wed Jan 27 19:45:32 2016 from 172.16.28.130

From this we can observe that whenever we connect to a remote server, the remote server's host public key is saved on the originating machine (the client) in ~/.ssh/known_hosts. If you want to be sure about this, cross-verify it by comparing the known_hosts entry with the server's /etc/ssh/ssh_host_rsa_key.pub. By default the RSA host key is used. It is copied only the first time, i.e. as long as its public key is present in our known_hosts file it is not copied again; if we remove the entry, the next ssh will copy it again.

###############################################################################

 

[root@machine2 ~]# ls -lh /etc/ssh/
total 156K
-rw-------. 1 root root 123K Jul 17  2015 moduli
-rw-r--r--. 1 root root 2.0K Jul 17  2015 ssh_config
-rw-------. 1 root root 3.8K Jul 17  2015 sshd_config
-rw-------. 1 root root  672 Oct 24 05:53 ssh_host_dsa_key
-rw-r--r--. 1 root root  590 Oct 24 05:53 ssh_host_dsa_key.pub
-rw-------. 1 root root  963 Oct 24 05:53 ssh_host_key
-rw-r--r--. 1 root root  627 Oct 24 05:53 ssh_host_key.pub
-rw-------. 1 root root 1.7K Oct 24 05:53 ssh_host_rsa_key
-rw-r--r--. 1 root root  382 Oct 24 05:53 ssh_host_rsa_key.pub
###############################################################################

[root@machine2 ~]# cat /etc/ssh/ssh_host_rsa_key.pub

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAuDFfk7oAW8knlGsJrdd2l11c3vdUFTVfnDtUKTx/eqVghv/tslsvbYYcCQ2Ia7hRUVHQkFU0f79SfhsZ2BBdGRnADIZYcOi9vL4bNt1NSbwhGfGXqV5+4uzuuq59sixEHuz9RFdat0DuH5x36ucqS47gWanhy2clHaTnvDVl6I3IKrAsu1ieDCjn/KT4DE92JXXJxK/d2J+vGpyuDxqavatBPkpWuUr5jNklj2vRsNh2OfmPoGVokZAzSV488kg+qbeKEKYKLt9pJICeIuTzOKlqmh+WvKjGcKE4ypVLg6tEvIjvB9Jrdx86fMPKdTLHo0ZI+e8DkOOFgmytvM756Q==
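The cross-check described above (known_hosts on machine1 against ssh_host_rsa_key.pub on machine2) can be scripted. The following is an added example, not code from the original post: it reads the client's known_hosts and a copy of the server's public host key file and reports whether the recorded key matches the published one, so a changed host key is noticed before a password is typed. It assumes plain, unhashed hostnames in known_hosts; the key strings in the test are constructed and shortened.

```shell
#!/bin/sh
# verify_known_host: compare the host key a client recorded for <host> in its
# known_hosts with the key the server itself publishes (for example a copy of
# /etc/ssh/ssh_host_rsa_key.pub obtained out of band).
# Prints "match", "mismatch" or "absent"; returns 0 only on "match".
# Assumption: plain hostnames/IPs in known_hosts (HashKnownHosts no); hashed
# "|1|..." entries are not handled by this example.
verify_known_host() {
    host=$1; known_hosts=$2; server_pub=$3
    # known_hosts lines look like: "host[,host...] key-type base64-key".
    # Pick the first non-comment entry whose host list contains <host>.
    recorded=$(awk -v h="$host" '!/^#/ && NF >= 3 {
        n = split($1, names, ",")
        for (i = 1; i <= n; i++) if (names[i] == h) { print $2 " " $3; exit }
    }' "$known_hosts")
    if [ -z "$recorded" ]; then
        echo absent
        return 2
    fi
    # The server file is "key-type base64-key [comment]"; the comment is
    # ignored, so only the key type and the key material are compared.
    published=$(awk 'NR == 1 && NF >= 2 {print $1 " " $2}' "$server_pub")
    if [ "$recorded" = "$published" ]; then
        echo match
        return 0
    fi
    echo mismatch
    return 1
}
```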


#######################################################################################

If you want to do password-less authentication, try it by generating keys of your own as follows.

 

[root@machine1 ~]# ls -lh .ssh/

total 4.0K

-rw-r--r--. 1 root root 395 Jan 27 19:45 known_hosts

 

[root@machine1 ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
b2:c3:b9:6c:f7:72:b8:49:d3:e2:a1:ec:75:a9:ab:3c root@machine1
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| |
| |
| . S |
| . + . . |
| = *.+ |
| +EB+B. |
| oO+**. |
+-----------------+
[root@machine1 ~]# ls -lh .ssh/

total 12K

-rw-------. 1 root root 1.7K Jan 27 20:17 id_rsa

-rw-r--r--. 1 root root  395 Jan 27 20:17 id_rsa.pub

-rw-r--r--. 1 root root  395 Jan 27 19:45 known_hosts

[root@machine1 ~]# cat .ssh/id_rsa.pub

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtYzbQQa7+nIuC7xMDjoPjKMmavbWpS90lAsGwy2E56q4wdPZk/Zw75QshhKRddnELRX6m7JtCy0nOSWg+o33d0ooHbtT1aPokDFi6xkJjOAc96jXsh6P4XzcPqFuWK7YBL3kHNi7HLePtyfZxNBxpIQOz/tBdwQ8M5EUazvZpkWCFA3qxxF+6pyJ+NhwHoxwcIZJWqKeoJbxqHqXIlzh8CnfW7VUJcsVA0nPDdOJ7qV78nMPdxK7dJ1kQCnNAJol45DbdfT/9InGbSNvx9pxykAQMdQXMyoVcsOl+qcCvS23Ipkyj6hVmbePhbNbQwCLShps9HF8xY1tZWSla81qsQ== root@machine1

 

[root@machine1 ~]# cat .ssh/id_rsa

 

-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----

###################################################################

If you place your id_rsa.pub (public key) on the remote server at the path ~/.ssh/authorized_keys, you can do password-less authentication to that particular server.

You can do it in two ways:

1) Log in to the remote server and create a file named authorized_keys at the path ~/.ssh:

 touch ~/.ssh/authorized_keys

 Copy id_rsa.pub (the public key) from the origin host, i.e. machine1, and paste it in as a single line without adding any spaces.

[root@machine2 ~]# ls -lh .ssh/

total 0

[root@machine2 ~]# touch ~/.ssh/authorized_keys

[root@machine2 ~]# ls -lh .ssh/

total 0

-rw-r--r--. 1 root root 0 Jan 27 20:27 authorized_keys

[root@machine2 ~]# vim .ssh/authorized_keys

[root@machine2 ~]# cat .ssh/authorized_keys

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAtYzbQQa7+nIuC7xMDjoPjKMmavbWpS90lAsGwy2E56q4wdPZk/Zw75QshhKRddnELRX6m7JtCy0nOSWg+o33d0ooHbtT1aPokDFi6xkJjOAc96jXsh6P4XzcPqFuWK7YBL3kHNi7HLePtyfZxNBxpIQOz/tBdwQ8M5EUazvZpkWCFA3qxxF+6pyJ+NhwHoxwcIZJWqKeoJbxqHqXIlzh8CnfW7VUJcsVA0nPDdOJ7qV78nMPdxK7dJ1kQCnNAJol45DbdfT/9InGbSNvx9pxykAQMdQXMyoVcsOl+qcCvS23Ipkyj6hVmbePhbNbQwCLShps9HF8xY1tZWSla81qsQ== root@machine1

 

and try to connect from machine1 to machine2:

[root@machine1 ~]# ssh root@172.16.28.131

Last login: Wed Jan 27 19:52:01 2016 from 172.16.28.1

[root@machine2 ~]#

 

You can log in to the remote machine without a password.

 

2) Run the command below (from machine1, as shown), which automatically creates the authorized_keys file on the remote machine and copies id_rsa.pub into it (the simpler way).

#############################################################

[root@machine2 ~]# ls -lh .ssh/

total 4.0K

-rw-r--r--. 1 root root 395 Jan 27 20:27 authorized_keys

[root@machine2 ~]# rm -rf .ssh/authorized_keys

[root@machine2 ~]# ls -lh .ssh/

total 0

[root@machine2 ~]#

############################################################

After removing the key, try to connect; it will ask for the password:

[root@machine1 ~]# ssh root@172.16.28.131

root@172.16.28.131's password:

======================

[root@machine1 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@172.16.28.131

root@172.16.28.131's password:

Now try logging into the machine, with "ssh 'root@172.16.28.131'", and check in:

 .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

##############################################################

[root@machine2 ~]# ls -lh .ssh/

total 4.0K

-rw-------. 1 root root 395 Jan 27 20:36 authorized_keys

###############################################################

[root@machine1 ~]# ssh root@172.16.28.131

Last login: Wed Jan 27 20:30:21 2016 from 172.16.28.130

[root@machine2 ~]#
======================================================
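Both methods above end with one public key line in ~/.ssh/authorized_keys; note from the listings that the hand-made file was created with mode 644 by touch, while ssh-copy-id created it with mode 600. The following is an added example, not code from the original post or from OpenSSH: a small shell function that appends a key line only if that key is not already present, rejects lines that are not public keys, and sets the same 700/600 permissions that ssh-copy-id produced, plus helpers for the "check authorized_keys for keys you weren't expecting" step. The key strings in the test are constructed and shortened.

```shell
#!/bin/sh
# add_authorized_key: append one public key line to <ssh_dir>/authorized_keys
# if it is not already there, and enforce the permissions used by ssh-copy-id.
# Usage: add_authorized_key <ssh_dir> "<key-type> <base64-key> [comment]"
# Prints "added" or "already present"; returns 1 for a malformed line.
add_authorized_key() {
    ssh_dir=$1
    key_line=$2
    # Accept only lines that start with a known key type followed by a space.
    case "$key_line" in
        "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|"ecdsa-sha2-"*" "*) ;;
        *) echo "rejected: not a public key line" >&2; return 1 ;;
    esac
    # Identity is "key-type base64-key": the same key with a different comment
    # (e.g. "root@machine1" vs "root@laptop") must not be added twice.
    key_id=$(printf '%s\n' "$key_line" | awk 'NF >= 2 {print $1 " " $2}')
    if [ -z "$key_id" ]; then
        echo "rejected: missing key data" >&2
        return 1
    fi
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    auth="$ssh_dir/authorized_keys"
    touch "$auth"
    chmod 600 "$auth"        # sshd only needs to read it; nobody else should
    if awk -v id="$key_id" '($1 " " $2) == id {found = 1} END {exit !found}' "$auth"; then
        echo "already present"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth"
    echo "added"
}

# Number of key lines in <ssh_dir>/authorized_keys (comments and blanks ignored).
count_authorized_keys() {
    grep -c -e '^ssh-' -e '^ecdsa-' "$1/authorized_keys"
}

# One line per key, "N: key-type comment", for a quick audit of who has access.
list_authorized_keys() {
    awk '/^(ssh-|ecdsa-)/ {print NR ": " $1 " " $NF}' "$1/authorized_keys"
}
```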
