What are Public and Private Keys?
Public and private keys are a method of user authentication that is prevalent in the field of server administration. The keys themselves are based on a security design referred to as Public Key Cryptography (PKC). Using an analogy with real keys and door locks, it is easy to explain PKC at a high level. PKC uses algorithms built on mathematical problems that are easy to compute in one direction but infeasible to reverse (factoring large integers for RSA, discrete logarithms for DSA, ECDSA and Ed25519) to generate two linked keys for a user. The private key is much like the key you have to a building or a car: it should belong only to you, and it can be used anywhere that has a matching lock. The public key is like the lock, as it can be installed on any door or device that the matching private key should have access to. In terms of server administration, any server that has your public key installed can authenticate you: the server sends your SSH client a random challenge, the client signs it with your private key, and the server checks the signature against the public key. The private key itself is never sent over the network, which is why a server (or an attacker watching the connection) cannot learn it the way it could capture a password.
How to Generate a Public and Private Keypair
Download PuTTYgen (32-bit): https://the.earth.li/~sgtatham/putty/latest/w32/puttygen.exe
Download PuTTYgen (64-bit): https://the.earth.li/~sgtatham/putty/latest/w64/puttygen.exe
To generate a set of RSA keys with PuTTYgen:
- Start the PuTTYgen utility, by double-clicking on its .exe file
- For Type of key to generate, select RSA
- In the Number of bits in a generated key field, specify 2048 or 4096. A longer RSA key is harder to break (the attack is factoring the modulus, not guessing the key by brute force), at the cost of a slightly slower initial authentication that is negligible in practice; 4096 is the better choice for a new key. Newer PuTTYgen versions also offer EdDSA (Ed25519), which is shorter and faster than RSA and a good choice when all of your servers run OpenSSH 6.5 or later
- Click the Generate button
- Move your mouse pointer around in the blank area of the Key section, below the progress bar (to generate some randomness) until the progress bar is full
- A private/public key pair has now been generated
- In the Key comment field, enter any comment you'd like, to help you identify this key pair later (e.g. your e-mail address; home; office; etc.) -- the key comment is particularly useful in the event you end up creating more than one key pair
- Optional: type a passphrase in the Key passphrase field and re-type it in the Confirm passphrase field. The passphrase encrypts the private key file, so a stolen copy of the file alone is useless; with Pageant (next section) you type it once per session rather than on every connection. Only skip the passphrase for keys used by unattended automation, and then restrict what that key may do on the server (for example with a command= or from= option on its authorized_keys line)
- Click the Save public key button & choose whatever filename you'd like (some users create a folder in their computer named my_keys)
- Click the Save private key button & choose whatever filename you'd like (you can save it in the same location as the public key, but it should be a location that only you can access and that you will NOT lose! If you lose your private key and password logins have been disabled on the server, you will no longer be able to log in.) The .ppk file PuTTYgen writes is PuTTY's own format; if you also need the same key for an OpenSSH client, use Conversions > Export OpenSSH key
- Right-click in the text field labeled Public key for pasting into OpenSSH authorized_keys file and choose Select All
- Right-click again in the same text field and choose Copy
- Now paste that line into ~/.ssh/authorized_keys for your user on the target server (you may need someone with access to do this for you). It is the complete public key, not a hash, one key per line. sshd reads authorized_keys fresh on every login, so no restart is needed; what does matter is that ~/.ssh is mode 700, authorized_keys is mode 600 and both are owned by you, otherwise sshd (with its default StrictModes setting) silently ignores the file. You can then begin logging into that server with your key
NOTE: PuTTY and OpenSSH use different formats for public SSH keys. The file written by Save public key is in RFC4716 format and starts with "---- BEGIN SSH2 PUBLIC KEY ----"; sshd will not accept that in authorized_keys. Always copy from the text box in the step above; the line you paste should start with "ssh-rsa AAAA...." (or "ssh-ed25519 AAAA...." for an EdDSA key). An RFC4716 file that has already been saved can be converted on the server with ssh-keygen -i -f FILE.
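The server-side step above (installing the pasted line into authorized_keys), as an added example that is not part of the original page: a small POSIX shell script that validates the pasted line, rejects the RFC4716 "SSH2" block that PuTTYgen's Save public key button writes, creates ~/.ssh and authorized_keys with the permissions sshd's StrictModes requires, and appends the key only if it is not already present. The key strings and paths it uses are constructed placeholders, not real keys.

```shell
#!/bin/sh
# install_pubkey.sh (added example): put an OpenSSH-format public key into
# authorized_keys the way sshd expects it. All keys/paths used here are placeholders.

# validate_pubkey KEYLINE
#   0 = looks like a single OpenSSH authorized_keys line
#   1 = malformed
#   2 = RFC4716 "SSH2" block, which is what PuTTYgen's "Save public key" writes
validate_pubkey() {
    key=$1
    nl='
'
    case $key in
        "---- BEGIN SSH2 PUBLIC KEY ----"*)
            echo "wrong format: copy the 'Public key for pasting into OpenSSH authorized_keys file' box," >&2
            echo "or convert the saved file with: ssh-keygen -i -f key.pub" >&2
            return 2 ;;
        *"$nl"*)
            echo "key must be a single line" >&2
            return 1 ;;
    esac
    # <type> <base64 blob> [comment]; the common key types sshd accepts
    printf '%s\n' "$key" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( [^[:cntrl:]]*)?$' \
        || { echo "malformed key line" >&2; return 1; }
}

# install_pubkey KEYLINE [AUTHORIZED_KEYS_PATH]
install_pubkey() {
    key=$1
    akfile=${2:-"$HOME/.ssh/authorized_keys"}
    validate_pubkey "$key" || return $?
    sshdir=$(dirname "$akfile")
    # With the default StrictModes, sshd ignores the file if ~/.ssh or
    # authorized_keys is group/world writable or not owned by the user.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$akfile" && chmod 600 "$akfile" || return 1
    # Idempotent: match on type+blob so a re-paste with a different comment
    # does not add a duplicate line.
    blob=$(printf '%s\n' "$key" | cut -d' ' -f1-2)
    if cut -d' ' -f1-2 "$akfile" | grep -qxF "$blob"; then
        echo "already present in $akfile"
        return 0
    fi
    printf '%s\n' "$key" >> "$akfile"
    # No sshd restart: authorized_keys is read again on every login attempt.
    echo "installed into $akfile"
}

# count_keys AUTHORIZED_KEYS_PATH -> number of key lines (blank/comment lines skipped)
count_keys() {
    grep -Ec '^(ssh-|ecdsa-)' "$1"
}

# Usage (on the server, as the target user):
#   . ./install_pubkey.sh
#   install_pubkey 'ssh-ed25519 AAAA... ajoda@laptop'
```

Run it as the user who will log in, so the directory and file end up owned by that user; running it as root and leaving root ownership behind is the other common reason sshd ignores a freshly installed key.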
Linux and Mac Users
macOS and nearly every Linux distribution come with OpenSSH (the ssh, ssh-keygen, ssh-agent and ssh-add commands) preinstalled. This allows for easy key generation.
First, open a Terminal
From the terminal, type the following command:
ssh-keygen -t rsa -b 4096 -C "YOUR_EMAIL@singlecomm.com"
Here is an example showing the output from this command for email@example.com:
This will generate a key pair using the RSA algorithm and store it in the default directory, ~/.ssh. Optionally, a passphrase can be provided, which encrypts the private key for additional security. (Ed25519 keys, generated with ssh-keygen -t ed25519, are shorter and faster and work the same way from here on.) The id_rsa file is your private key: ssh-keygen creates it readable only by you (mode 600), and ssh will refuse to use it if that changes. The id_rsa.pub file is your public key. ssh offers the default key names in ~/.ssh automatically on every connection, signing the server's challenge with the private key; the private key itself never leaves your machine. Give id_rsa.pub to the SingleComm ops team to be installed on any server that you require access to, and never share id_rsa.
Using an authentication agent (recommended)
Download Pageant (32-bit): https://the.earth.li/~sgtatham/putty/latest/w32/pageant.exe
Download Pageant (64-bit): https://the.earth.li/~sgtatham/putty/latest/w64/pageant.exe
Now that you've created the public/private key pair, you'll want to use an authentication agent to load the key for your SSH sessions.
Now you can launch the agent and then load your key (the program sits in the system tray once launched):
The agent has no keys loaded by default (this can be changed by passing the .ppk path on pageant.exe's command line, for example in a shortcut; covered further down)
Now hit "Add Key" and browse to the location where you stored the private key that you generated at the beginning and then add it.
Linux and Mac Users
On Linux and Mac, the preinstalled OpenSSH package includes an authentication agent, ssh-agent, and macOS and most Linux desktop sessions start it for you automatically. Keys are added to it with ssh-add, after which a passphrase-protected key is unlocked once per session instead of on every connection. If ssh-add reports that it cannot open a connection to your authentication agent, no agent is running for that shell and you need to start one first.
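The Linux/Mac key-generation and agent steps above, as one added shell example that is not from the original page. It assumes an OpenSSH client with ssh-keygen, ssh-agent and ssh-add on PATH; the file paths and comment are placeholders. It generates an Ed25519 key (or RSA 4096, the page's command, with KEYTYPE=rsa), prints the fingerprint to hand to the ops team, checks that the private key is still mode 600, and loads it into an agent, starting one for the current shell only when none is reachable.

```shell
#!/bin/sh
# ssh_key_setup.sh (added example): generate an OpenSSH key pair, check the
# private key's permissions, and load it into ssh-agent. Needs an OpenSSH
# client (ssh-keygen, ssh-agent, ssh-add); the paths used are placeholders.

# generate_key KEYFILE PASSPHRASE [COMMENT]
# KEYTYPE=rsa selects RSA 4096 (the command from the page); default is Ed25519,
# which is shorter, faster and supported by any OpenSSH server from 6.5 on.
# An empty PASSPHRASE leaves the private key unencrypted on disk: acceptable
# only for automation keys that are restricted on the server side.
generate_key() {
    keyfile=$1; passphrase=$2; comment=${3:-"$(id -un)@$(uname -n)"}
    case ${KEYTYPE:-ed25519} in
        rsa)     ssh-keygen -q -t rsa -b 4096 -N "$passphrase" -C "$comment" -f "$keyfile" ;;
        ed25519) ssh-keygen -q -t ed25519    -N "$passphrase" -C "$comment" -f "$keyfile" ;;
        *)       echo "unsupported KEYTYPE=$KEYTYPE" >&2; return 1 ;;
    esac || return 1
    # SHA256 fingerprint: send this to (and confirm it with) the ops team
    # alongside the .pub file, so a swapped key would be noticed.
    ssh-keygen -lf "$keyfile.pub"
}

# private_key_mode_ok KEYFILE: true when the file is 0600 (ssh refuses a
# private key that others can read: "UNPROTECTED PRIVATE KEY FILE").
private_key_mode_ok() {
    mode=$(ls -l "$1" | cut -c1-10)   # same on Linux and macOS; stat(1) flags differ
    [ "$mode" = "-rw-------" ]
}

# load_into_agent KEYFILE: start an agent for this shell if none is reachable,
# add the key, then confirm its fingerprint is listed. The passphrase prompt
# happens once here instead of on every ssh.
load_into_agent() {
    keyfile=$1
    rc=0; ssh-add -l >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 2 ]; then           # 2 = no agent to talk to; 1 = agent up but empty
        eval "$(ssh-agent -s)" >/dev/null || return 1
    fi
    ssh-add "$keyfile" >/dev/null 2>&1 || return 1
    fp=$(ssh-keygen -lf "$keyfile.pub" | cut -d' ' -f2)
    ssh-add -l | grep -qF "$fp"
}

# Usage:
#   . ./ssh_key_setup.sh
#   generate_key ~/.ssh/id_ed25519 'a long passphrase' you@singlecomm.com
#   load_into_agent ~/.ssh/id_ed25519
#   ssh-add -l          # should list the fingerprint printed by generate_key
```

The agent started by load_into_agent belongs to the shell that sourced the script; other terminals only see it if they inherit SSH_AUTH_SOCK, which is why a desktop-session agent is preferable when one is available.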
Launching an SSH session (with Putty)
Download PuTTY (32-bit): https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe
Download PuTTY (64-bit): https://the.earth.li/~sgtatham/putty/latest/w64/putty.exe
Now that you have your authentication agent setup, you can attempt to SSH into your target.
Windows users need an SSH client to do this (PuTTY, SecureCRT, SuperPuTTY... it's up to you; recent Windows 10 and 11 builds also ship the OpenSSH client, for which the Linux and Mac instructions apply). I'll use PuTTY for this demo:
PuTTY won't have any "Saved Sessions" to start with (the ones in the screenshot are some of my personal ones).
You can see multiple radio buttons that serve different connection types (we'll be using SSH here).
Go ahead and enter either the DNS name or direct IP of the server you want to get into.
Then expand the "SSH" tab on the left and the click on the "Auth" option:
Here you can set an option called "Allow agent forwarding".
This is used when you SSH into a jump box or something along those lines and then need to SSH onward from it with the same key pair: PuTTY relays the signing requests from the jump box back to Pageant, so the private key stays on your machine. The catch is that anyone with root on the jump box can use your agent for as long as you are connected, so enable it only for hosts you fully trust and leave it off everywhere else; with OpenSSH, a ProxyJump hop (ssh -J) reaches the second server without exposing the agent at all.
The "Private key file for authentication" option is only needed when you are not running an authentication agent; with the key loaded in Pageant, leave it blank.
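The agent-forwarding caveat above, as an added example that is not part of the original page, written for the OpenSSH client (PuTTY's agent-forwarding checkbox corresponds to ForwardAgent in ~/.ssh/config). The script writes a constructed weak config that hands the agent to every host, a hardened one that uses ProxyJump for the jump box instead, and an awk-based audit that flags a wildcard ForwardAgent stanza. The host names (jump.example.com, app1.internal) and user are placeholders.

```shell
#!/bin/sh
# audit_agent_forwarding.sh (added example): find ssh_config stanzas that forward
# the agent to every host, and show the ProxyJump alternative for a jump box.
# Host names below are placeholders.

# hosts_forwarding_agent CONFIG: print the Host patterns under which
# ForwardAgent is yes, one per line. Empty output means no host gets the agent.
hosts_forwarding_agent() {
    awk '
        tolower($1) == "host" { host = $2; for (i = 3; i <= NF; i++) host = host " " $i }
        tolower($1) == "forwardagent" && tolower($2) == "yes" { print host }
    ' "$1"
}

# audit_config CONFIG: non-zero if a wildcard stanza ("Host *") forwards the
# agent, which lets root on any server you log into use your key while you are
# connected.
audit_config() {
    if hosts_forwarding_agent "$1" | grep -qxF '*'; then
        echo "ForwardAgent yes under 'Host *' in $1: narrow it to the jump host or use ProxyJump" >&2
        return 1
    fi
    return 0
}

# Weak: the agent is handed to every host, trusted or not.
write_weak_config() {
    cat > "$1" <<'EOF'
Host *
    ForwardAgent yes
EOF
}

# Hardened: no forwarding at all. ProxyJump tunnels the connection to app1
# through jump.example.com, so only your own client ever touches the key.
write_hardened_config() {
    cat > "$1" <<'EOF'
Host jump
    HostName jump.example.com
    User ajoda
    IdentityFile ~/.ssh/id_ed25519

Host app1
    HostName app1.internal
    User ajoda
    ProxyJump jump
    ForwardAgent no
EOF
}

# Usage: audit_config ~/.ssh/config
```

With the hardened config, `ssh app1` is equivalent to `ssh -J jump app1`; the jump box only sees an encrypted TCP stream and never a forwarded agent socket.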
Now go ahead and hit "Open" to start your SSH session and you should be presented with the logon prompt for the server you connected to. If you are asked for a password instead, the key was not accepted: check the PuTTY Event Log (right-click the title bar) and the server's auth log, then go through the steps again.
This shows a successful attempt by my user account "ajoda" to log into one of my VMs at home using the public/private key pair "home-jbn-ubtu1".
Boom! You're done. Now you can do this for any server that you need SSH access to.
If you want to save the session so you never have to do this again, just right-click the PuTTY window's title bar and choose "Change Settings".
This will take you to this page:
Enter the name you want for the session and then hit save.
Now when you start PuTTY, you'll see the session in the "Saved Sessions" list and you can double-click it to launch right away (as long as your private key is loaded into your auth agent).
You can also follow the link below to have pageant start on boot and automatically load your key pairs:
This tutorial is pretty straightforward so I'll just leave it at that.
Linux and Mac Users
The preinstalled OpenSSH package can be used to make SSH connections to servers. The command follows this general format:
ssh USER_NAME@SERVER_NAME -p PORT
USER_NAME     Your username on the server
SERVER_NAME   The full DNS name or IP address of the server
PORT          The port the SSH service is listening on (22 by default, in which case -p PORT can be left off)
The first time you connect to a server, ssh prints the server's host key fingerprint and asks you to confirm it. Compare it with the fingerprint the ops team gives you before answering yes: accepting an unknown fingerprint is exactly what a man-in-the-middle needs, and once saved in ~/.ssh/known_hosts it is trusted silently from then on.
The following is an example of connecting to cuore-fs21 as the user adamm:
From this point on, every command you type runs on the server you are connected to. To disconnect, simply type "exit".