Difference between revisions of "Making an ssh key"

From PrgmrWiki
(Using the Native Win 10 SSH Client)
 
(21 intermediate revisions by 4 users not shown)
Line 1: Line 1:
The most popular ssh programs are [http://www.openssh.org OpenSSH] for unix and [http://www.chiark.greenend.org.uk/~sgtatham/putty/ PuTTY] for Windows.
+
Programs have different options for the ssh public key format. We use the OpenSSH key format. It is safe to share your public key with anyone. Never share your private key!
  
Some other programs are SecureCRT and xshell.
+
__TOC__
* [http://www.netsarang.com/tutorial/xshell/1005/Public_Key_User_Authentication tutorial on making keys in xshell]
 
* [http://www.ipsure.com/blog/2010/ssh-public-key-w-rsa-authentication-and-ssh-tunneling-part-1/ tutorial on making keys in SecureCRT]
 
  
== OpenSSH ==
+
== OpenSSH (Linux, Windows) and Terminal (OS X) ==
 +
Prgmr.com supports several SSH key algorithms. In order from the most to least-widely supported:
 +
 
 +
<li> RSA: The oldest and most widely supported SSH algorithm. We recommend a key size of 4096 bits. All SSH clients support RSA, and it is the most generally useful algorithm.</li>
 +
<li> ECDSA: We recommend always using it with 521 bits (that's not a typo!). Most SSH clients now support this algorithm.</li>
 +
<li> ED25519: This is a relatively new algorithm in OpenSSH. It is not as widely supported as RSA and ECDSA. However we do support it, and it is highly secure. </li>
 +
<ol>
 +
 
 +
=== Linux Installation Instructions ===
 +
If openssh is not already installed, on Debian/Ubuntu try <pre>aptitude install openssh-client</pre>or on Redhat/CentOS<pre>yum install openssh-clients</pre> or download the portable source from [http://www.openssh.org/portable.html openssh.org] and compile it. When OpenSSH is setup you can generate a key and try to login.
 +
=== Windows Installation Instructions ===
 +
Windows 10 comes with OpenSSH installed by default. On older Windows versions, install cygwin from https://cygwin.com and select the openssh package.
 +
 
 +
=== OS X Installation Instructions ===
 +
Terminal comes installed with OS X.
 +
 
 +
== Key Generation ==
 +
Check for existing keys before beginning:
 +
<pre>
 +
ls -la ~/.ssh
 +
</pre>
 +
If there is no key you already want to use, generate a new key as shown in the following sections.
 +
 
 +
=== Generating an SSH Key in Windows ===
 +
Windows 10 has an OpenSSH client (ssh-keygen) installed by default. We recommend using this tool if possible. However if not then see instructions for PuTTY below.
 +
 
 +
==== Using the Native Win 10 SSH Client ====  
 
<ol>
 
<ol>
<li>If openssh is not already installed, on Debian/Ubuntu try <pre>aptitude install openssh-client</pre>or Redhat/CentOS on<pre>yum install openssh-clients</pre> or download the portable source from [http://www.openssh.org/portable.html openssh.org] and compile it. When OpenSSH is setup you can generate a key and try to login.</li>
+
<li> First, verify that the Windows SSH client is installed on your computer. Press the Windows logo key on your keyboard or click on the Start Menu. Type <code>cmd</code>. Right-click on the Windows Command Prompt and select <code>Run as administrator</code>.</li>
<li><pre>
+
<li> In the command line, type <code>ssh</code> and Enter. If the client is installed, then Windows will return a short summary of command-line options.</li>
$ ssh-keygen
+
<li> In the command line, enter <code>ssh-keygen</code> to use the default values (Algorithm RSA, keysize 2048 bits). To select a different algorithm and keysize, use the -t and -b options, as shown below.
 +
<ul>
 +
<li> <code>ssh-keygen -t rsa -b 4096</code></li>
 +
<li> <code>ssh-keygen -t ecdsa -b 521</code></li>
 +
<li> <code>ssh-keygen -t ed25519</code></li>
 +
</ul>
 +
<li> In all cases, Windows will return a default directory and filename under which to save the private key. If you wish to use a different name and path then enter it with the -f <filename> option, as in <code>ssh-keygen -f ~/<filename> -t ed25519</code>. (This example uses the tilde (~) notation for your Windows home directory.)</li>
 +
<li> Windows then requires a password or passphrase to encrypt the keys. Use a strong password for this.
 +
</ol>
 +
 
 +
Once all the required information is entered, Windows will return the location of your public and private keys, the key hash, and other information.
 +
<pre>
 +
$ ssh-keygen -t rsa -b 4096
 
Generating public/private rsa key pair.
 
Generating public/private rsa key pair.
Enter file in which to save the key (/home/nick/.ssh/id_rsa): /home/nick/thesshkey
+
Enter file in which to save the key (/home/<user>/.ssh/id_rsa): /home/<user./.ssh/<keyname>
 
Enter passphrase (empty for no passphrase):  
 
Enter passphrase (empty for no passphrase):  
 
Enter same passphrase again:  
 
Enter same passphrase again:  
Your identification has been saved in /home/nick/thesshkey.
+
Your identification has been saved in /home/<user>/.ssh/<keyname>.
Your public key has been saved in /home/nick/thesshkey.pub.
+
Your public key has been saved in /home/<user>/.ssh/<keyname>.pub.
 
The key fingerprint is:
 
The key fingerprint is:
20:78:b9:01:15:3a:43:60:7b:7b:55:b3:7f:3b:a5:20 nick@theclient
+
20:78:b9:01:15:3a:43:60:7b:7b:55:b3:7f:3b:a5:20  
 
The key's randomart image is:
 
The key's randomart image is:
+--[ RSA 2048]----+
+
+--[ RSA 4096]----+
 
|.oo.o.  o      |
 
|.oo.o.  o      |
 
|...+ .  . o      |
 
|...+ .  . o      |
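Review bot: The three algorithm `<li>` items in the new text come before an opening `<ol>` that is never closed, so the rendered page numbers "Linux Installation Instructions" as item 1 and nests every later section under it; wrap the three items in one `<ul>`...`</ul>` and drop the stray `<ol>`. In the Windows steps, the `<li>` for step 3 (the one holding the `<ul>` of ssh-keygen variants) and the `<li>` for the passphrase step are also left unclosed. The sample prompt line has a typo in its placeholder, `/home/<user./.ssh/<keyname>`, which should read `/home/<user>/.ssh/<keyname>`. Step 1 tells the reader to select "Run as administrator", but generating a key in the user's own home directory does not need elevation, so a normal Command Prompt is the better instruction.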
Line 30: Line 66:
 
+-----------------+
 
+-----------------+
 
</pre>
 
</pre>
If you use the default key filename /home/nick/.ssh/id_rsa ssh will try to use it automatically.
+
 
</li>
+
=== Installing PuTTY ===
<li>Email the public key (in this case /home/nick/thesshkey.pub) to support@prgmr.com with your username and other information.</li>
+
Download the [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html PuTTY installer] and install it. These are the [http://www.chiark.greenend.org.uk/~sgtatham/putty/keys.html keys] for verifying the signature.
<li>Once your account is setup with the public key, login to the server with your private key:<pre>
+
==== Key Generation with PuTTY ====
nick@theclient:~/prgmr$ ssh -i /home/nick/thesshkey asdfasdf@theserver
+
<ol>
</pre></li></ol>
+
<li> Run PuTTYgen </li>
== PuTTY ==
+
<li> Click "Generate" to generate a key</li>
# Download the [http://the.earth.li/~sgtatham/putty/latest/x86/putty-0.60-installer.exe PuTTY installer] and install it.
+
<li> Enter a passphrase for the private key.</li>
# Run PuTTYgen: [[Image:startmenu.jpeg]]
+
<li> Save the private key.</li>
# Generate a key: [[Image:generate.jpeg]]
+
<li> Copy/paste the "OpenSSH authorized_keys" text to a separate public key file. The contents of this file (typically starting with ssh-rsa or ssh-dss) is what you need to use when either signing up or changing the key for a VM.</li>
# Enter a passphrase for the private key.
+
</ol>
# Save the public and private key files [[Image:savekeys.jpeg]]
+
The config settings to access the management console are at [[Management Console#Logging in via PuTTY]]
# Email the public key file to support@prgmr.com.
+
 
# Set the private key file in PuTTY (run PuTTY from the start menu instead of PuTTYgen)[[Image:puttyprivatekey.jpeg]]
+
== Commercial SSH Clients ==
# Then save the setting to the Default Settings or a new profile under Saved Sessions and enter a hostname or username@hostname. [[Image:theserver.jpeg]]
+
These are links to tutorials for the given client. We do not have personal experience with any of these clients.
# Press open to connect to the server.
+
* [http://www.netsarang.com/tutorial/xshell/1005/Public_Key_User_Authentication xshell (Windows Only)] - use OpenSSH key format
{{u}}
+
* [https://www.vandyke.com/support/tips/publickeyauth.html SecureCRT (Windows, OS X, and Linux)] - use OpenSSH key format
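Review bot: The new PuTTYgen steps go straight from "Run PuTTYgen" to "Click Generate" without telling the reader to choose a key type and size, although the OpenSSH section recommends RSA at 4096 bits, ECDSA at 521 bits or ED25519; add a step for that selection before "Generate". Step 5 says the public key typically starts with ssh-rsa or ssh-dss, but DSA is not in the supported-algorithm list at the top of the page, so the ssh-dss mention should be dropped or explained. The revision also removes the old `ssh -i` login example and the note that a key saved under the default filename is picked up automatically, while the new ssh-keygen example saves to a non-default `<keyname>`; a short replacement showing how to use that key would keep the page complete.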

Latest revision as of 21:53, 30 August 2020

Programs have different options for the ssh public key format. We use the OpenSSH key format. It is safe to share your public key with anyone. Never share your private key!

OpenSSH (Linux, Windows) and Terminal (OS X)

Prgmr.com supports several SSH key algorithms. In order from the most to least-widely supported:

  • RSA: The oldest and most widely supported SSH algorithm. We recommend a key size of 4096 bits. All SSH clients support RSA, and it is the most generally useful algorithm.
  • ECDSA: We recommend always using it with 521 bits (that's not a typo!). Most SSH clients now support this algorithm.
  • ED25519: This is a relatively new algorithm in OpenSSH. It is not as widely supported as RSA and ECDSA. However we do support it, and it is highly secure.

      Linux Installation Instructions

      If openssh is not already installed, on Debian/Ubuntu try
      aptitude install openssh-client
      or on Redhat/CentOS
      yum install openssh-clients
      or download the portable source from openssh.org and compile it. Once OpenSSH is set up, you can generate a key and try to log in.

      Windows Installation Instructions

      Windows 10 comes with OpenSSH installed by default. On older Windows versions, install cygwin from https://cygwin.com and select the openssh package.

      OS X Installation Instructions

      Terminal comes installed with OS X.

      Key Generation

      Check for existing keys before beginning:

      ls -la ~/.ssh
      

      If there is no key you already want to use, generate a new key as shown in the following sections.

      Generating an SSH Key in Windows

      Windows 10 has an OpenSSH client (ssh-keygen) installed by default. We recommend using this tool if possible. If that is not possible, see the instructions for PuTTY below.

      Using the Native Win 10 SSH Client

      1. First, verify that the Windows SSH client is installed on your computer. Press the Windows logo key on your keyboard or click on the Start Menu. Type cmd. Right-click on the Windows Command Prompt and select Run as administrator.
      2. In the command line, type ssh and Enter. If the client is installed, then Windows will return a short summary of command-line options.
      3. In the command line, enter ssh-keygen to use the default values (Algorithm RSA, keysize 2048 bits). To select a different algorithm and keysize, use the -t and -b options, as shown below.
        • ssh-keygen -t rsa -b 4096
        • ssh-keygen -t ecdsa -b 521
        • ssh-keygen -t ed25519
      4. In all cases, Windows will return a default directory and filename under which to save the private key. If you wish to use a different name and path then enter it with the -f <filename> option, as in ssh-keygen -f ~/<filename> -t ed25519. (This example uses the tilde (~) notation for your Windows home directory.)
      5. Windows then requires a password or passphrase to encrypt the keys. Use a strong password for this.

      Once all the required information is entered, Windows will return the location of your public and private keys, the key fingerprint, and other information.

      $ ssh-keygen -t rsa -b 4096
      Generating public/private rsa key pair.
      Enter file in which to save the key (/home/<user>/.ssh/id_rsa): /home/<user>/.ssh/<keyname>
      Enter passphrase (empty for no passphrase): 
      Enter same passphrase again: 
      Your identification has been saved in /home/<user>/.ssh/<keyname>.
      Your public key has been saved in /home/<user>/.ssh/<keyname>.pub.
      The key fingerprint is:
      20:78:b9:01:15:3a:43:60:7b:7b:55:b3:7f:3b:a5:20 
      The key's randomart image is:
      +--[ RSA 4096]----+
      |.oo.o.   o       |
      |...+ .  . o      |
      | .=.= .. .       |
      |  .+.+..  .      |
      |   ...  SE o . . |
      |    .     . o +  |
      |             +   |
      |              .  |
      +-----------------+
      

      Installing PuTTY

      Download the PuTTY installer and install it. These are the keys for verifying the signature.

      Key Generation with PuTTY

      1. Run PuTTYgen
      2. Click "Generate" to generate a key
      3. Enter a passphrase for the private key.
      4. Save the private key.
      5. Copy/paste the "OpenSSH authorized_keys" text to a separate public key file. The contents of this file (typically starting with ssh-rsa or ssh-dss) are what you need to use when either signing up or changing the key for a VM.
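
A public key file can be checked against the algorithm and size recommendations above before it is submitted. The following is an added example, not part of the original wiki page: it parses the one-line OpenSSH public key format (type, base64 blob, optional comment) and reports the key type, its size in bits, and whether it meets the page's recommendation. The function names and the sample lines are constructed for illustration; the samples have the right layout but are not usable keys.

```python
import base64
import struct

# Minimum sizes the page recommends; key types not listed here are flagged.
RECOMMENDED_BITS = {"ssh-rsa": 4096, "ecdsa-sha2-nistp521": 521, "ssh-ed25519": 256}

def read_field(blob, offset):
    """Read one field: uint32 big-endian length followed by that many bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length prefix")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("field runs past the end of the key blob")
    return blob[offset + 4:end], end

def inspect_public_key(line):
    """Return (key_type, bits, meets_recommendation) for one public key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    name, offset = read_field(blob, 0)
    key_type = name.decode("ascii")
    if key_type != parts[0]:
        raise ValueError("text prefix does not match the type inside the blob")
    if key_type == "ssh-rsa":
        _exponent, offset = read_field(blob, offset)  # public exponent e
        modulus, _ = read_field(blob, offset)         # modulus n sets the key size
        bits = int.from_bytes(modulus, "big").bit_length()
    elif key_type == "ssh-dss":
        prime, _ = read_field(blob, offset)           # DSA prime p sets the key size
        bits = int.from_bytes(prime, "big").bit_length()
    elif key_type.startswith("ecdsa-sha2-nistp"):
        bits = int(key_type[len("ecdsa-sha2-nistp"):])
    elif key_type == "ssh-ed25519":
        bits = 256
    else:
        raise ValueError("unsupported key type: " + key_type)
    return key_type, bits, bits >= RECOMMENDED_BITS.get(key_type, float("inf"))

def make_sample_line(key_type, *fields):
    """Build a CONSTRUCTED sample line (right layout, not a usable key)."""
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (key_type.encode(),) + fields)
    return key_type + " " + base64.b64encode(blob).decode() + " constructed-sample"

def sample_modulus(bits):
    """Constructed number of exactly `bits` bits, encoded as an SSH mpint."""
    return b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
```

To check a real key, pass the single line from the `.pub` file (or the "OpenSSH authorized_keys" text from PuTTYgen) to `inspect_public_key`.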

      The config settings to access the management console are at Management Console#Logging in via PuTTY

      Commercial SSH Clients

      These are links to tutorials for the given client. We do not have personal experience with any of these clients.