- Debian Generate Ssh Private Keys
- Ssh Keygen Generate Public Key From Private
- Debian Generate Ssh Private Key Location
Translation(s): Deutsch - English - Français - Italiano - Español - Português Brasileiro
I have two servers. Both servers are in CentOS 5.6. I want to SSH from Server 1 to Server 2 using a private key I have (OpenSSH SSH-2 Private Key). I don't know how to do it over unix. But what I did on windows using Putty was to feed my OpenSSH private key to putty-gen and generate a private key in PPK format.
Contents
- Installation
- Configuration files
- Remote login
- Keys management
- Securing
- SSH Server
- SSH Client
- Additional Functions
- Additional Commands
- sftp
- Troubleshooting
- SSH hangs
- Keep SSH connection alive
ToDo: merge (and translate) this page and the french one (more complete)
Introduction
SSH stands for Secure Shell and is a protocol for secure remote login and other secure network services over an insecure network1. See Wikipedia - Secure Shell for more general information and ssh, lsh-client or dropbear for the SSH software implementations out of which OpenSSH is the most popular and most widely used2. SSH replaces the unencrypted telnet,rlogin and rsh and adds many features.
In this document we'll be using the OpenSSH command suite, it will also be assumed that the following two variables are defined:
So, if you want to use the recipes below, first set these variables to the remote computer name and the user name on that remote computer. Then cut and paste of the commands below should work. remote_host may also be an IP-address.
Installation
Installation of the client
Normally the client is installed by default. If not it suffices to run as root:
Installation of the server
The server allows to connect remotely and gets installed by running as root:
Configuration files
The main configuration files are in the directory /etc/ssh :
- ssh_config : client configuration file
- sshd_config : server configuration file
In addition this directory contains the private/public key pairs identifying your host :
- ssh_host_dsa_key
- ssh_host_dsa_key.pub
- ssh_host_rsa_key
- ssh_host_rsa_key.pub
Since OpenSSH 5.73, a new private/public key pair is available:
- ssh_host_ecdsa_key
- ssh_host_ecdsa_key.pub
Since OpenSSH 6.54, a new private/public key pair is available:
- ssh_host_ed25519_key
- ssh_host_ed25519_key.pub
Regenerating host keys
Remote login
With password
If you want to login to $remote_host as user $remote_user simply type
and then type in your password.
If the usernames on the local and the remote computer are identical, you can drop the $remote_user@-part and simply write
If this is the first time you login to the remote computer, ssh will ask you whether you are sure you want to connect to the remote computer. Answer 'yes' after you verified the remote computer's fingerprint, type in your password, and ssh will connect you to the remote host.
Using shared keys
One of the functions of ssh is using a pair of private/public keys to connect to a remote host. Also known as SSH keys. This method allows you to login to a remote host without typing your password every time. To do this you must generate a pair of private/public keys on your local machine and deposit the public key on the remote host.
Debian Generate Ssh Private Keys
To generate the key, use the program ssh-keygen as follows
This program generates a pair of private/public keys in the directory ~/.ssh. The program first asks for the destination files for the keys, by default located in ~/.ssh. Afterwards a passphrase is requested.
Note: We recommend not to leave the passphrase empty. An attacker who gets hold of your private key can otherwise connect to the hosts where you deposited you public key since the passphrase is empty. Choose a long and complex passphrase.
Your private key is id_rsa (don't give it to someone else), your public key is id_rsa.pub.
You copy your public key to a remote host with the command ssh-copy-id
Now you can connect simply to the remote host and the passphase is asked for. Once done, you get connected to the remote host. In case of a new connection the passphrase does not get asked for again during your entire session.
Keys management
Using GUI
Optionally, seahorse is a GNOME application which easily manage encryption keys and passwords through an intuitive Graphical User Interface (GUI). Seahorse is able to do various operations. Such as create SSH or PGP keys, configure them, and cache them. Read more.
Securing
SSH Server
By default a SSH server is relatively secure. With the help of some good practices, configuration options, and external utilities it is possible to make it even harder for 'robots' and crackers
Good practices with SSH Server
- Apply openssh-server security updates as soon as possible. Which allows to protect against known security holes.
- Activate SSH keys authentication only with passwords/passphrases. Deactivate password only authentication.
- Consider using fail2ban which is a log file monitor that automatically bans an IP address after a predefined number of failed login attempts. Which automatically guards against brute-force attacks.
- More good practices for using ssh at https://lackof.org/taggart/hacking/ssh/
Configuration Options
One should edit the file /etc/ssh/sshd_config to change the parameters and then restart the ssh server with
- Deactivate using passwords for authentication (PasswordAuthentication no).
- Deactivate using the root account (PermitRootLogin no).
- Only allow login by certain users or groups (AllowUsers and AllowGroups)
The options AllowUsers and AllowGroups do not improve the security of a SSH server. But in certain cases their use allows to resist a brute force attack a little longer.
External Utilities
- fail2ban : allows to automatically blacklist IPs attempting to brute force a SSH server with the help of iptables.
- denyhosts : as fail2ban, denyhosts allows to block IP addresses trying to brute force a connection to ssh. But in contrast to fail2ban it does not use iptables, but the file /etc/hosts.deny.
SSH Client
Good practices with SSH Client
- Apply openssh-client security updates as soon as possible. Which allows to protect against known security holes.
- Use SSH keys authentication. Rather than password authentication.
- Add strong passwords/passphrases to your SSH keys. This reduce risk of brute-force attacks.
Additional Functions
View files in GUI
In file managers like Konqueror, Dolphin, Krusader and Midnight Commander you can use FISH to view files in a GUI using:
Additional Commands
scp
scp is a command line utility allowing to transfer files between two machines.
- Sending a file:
- Copying a file to the local machine:
sftp
[empty for now]
text mode
[empty for now]
graphical mode
[empty for now]
clusterssh
[empty for now]
ssh-agent and ssh-add
ssh-agent is a useful utility to manage private keys and their passphrases. Most desktop environments in Debian will already be setup to run ssh-agent (through systemd user services or /etc/X11/Xsession), so you shouldn't need to start it manually.
You will still need to tell the agent to manage your keys.
When a private key is first needed, you are prompted for its passphrase. ssh-agent will then remember the key so that your passphrase doesn't get asked anymore.
keychain
Keychain, provided by the package keychain, is a shell script allowing to use the ssh agent in multiple sessions of the same computer. In effect after the first start ssh-agent creates a permanent socket allowing the communication with ssh. This socket is referenced only in the environment of the session in which the agent was started. Keychain allows to detect the agent and propagate the access to this agent to other sessions; this allows to use a single instance of ssh-agent per user on a machine.
ssh-askpass
ssh-askpass is an utility to simply the question for the password of a private key when using it. Several implementations exist:
- x11-ssh-askpass : version for X11
- kaskpass : integration of ssh-askpass into the KDE environment
- ssh-askpass-gnome : integration of ssh-askpass into the Gnome environment
libpam-usb
libpam-usb is an utility (only available up to Debian Jessie) allowing authentication with an USB stick. This package includes a useful utilty : pamusb-agent. This utility, once correctly configured, allows to load the SSH keys present on the USB stick once it is connected and to unload them when it is disconnected.
Remote commands
Ssh Keygen Generate Public Key From Private
If you just want to run one command on the remote computer, you don't need to login. You can tell ssh to run the command without login, for instance,
lists all files with extension .txt on the remote computer. This works with single tick quotes '...' as shown here, with double tick quotes '...', and without quotes. There may be differences between these three cases, though, not yet documented here.
SSH into Debian from another OS
- PuTTY is a terminal emulator application which can act as a client for ssh. It's widely used by Windows users.
- Wikipedia has Comparison_of_SSH_clients
Good practices of SSH usage
You must read this: https://lackof.org/taggart/hacking/ssh/
This document sums up many good practices that regular SSH users should follow in order to avoid compromising the security of their accounts (and of the whole machine at the same time).
Configure your ~/.ssh/config to send only the right key.
Troubleshooting
OpenSSL version mismatch. Built against 1000105f, you have 10001060
If you get an error message like this when starting the ssh daemon, you need to run:
Also see bug #732940.
SSH hangs
Issue
You are trying to SSH into a remote computer. But during SSH log-in the session hangs/freezes indefinitely. Thus you are not presented with the command prompt. And you are not able to use any SSH commands When using SSH debug mode the session hangs at this line debug2: channel 0: open confirm rwindow 0 rmax 32768
Possible cause
With some routers behind NAT and when using OpenSSH. During session setup, after the password has been given, OpenSSH sets the TOS (type of service) field in the IP datagram. The router choke on this. The effect is that your SSH session hangs indefinitely. In other words, SSH commands or connections are seldom working or not working at all.
Resolution with IPQoS 0x00
Until your router manufacturer fix their firmware. Here is one option to resolve that issue:
- Double check your openssh-server and openssh-client version are 5.7 or more recent. For example the resolution below should work with Debian 7.11 Wheezy or more recent as it comes with OpenSSH version 6.0.
- Edit one of the following two files located at:orNote: config file is per user and ssh_config file is for all users and system wide. If unsure edit the appropriate user config file.File content beforeFile content after
- If you have any Terminal/Console window(s) already open. Fully close all of them. Doing so will close any active SSH sessions.
- No need to restart OpenSSH or your Debian. Try again to SSH into any remote server. It should work. Done you have successfully fixed that issueThanks to Joe and catmaker for this tipRelated documentation at https://www.openssh.com/txt/release-5.7
Resolution with netcat
WARNING: It is suggested to consider using that other resolution with IPQoS 0x00 instead of using netcat/ProxyCommand nc %h %p option. Because IPQoS 0x00 is the official built-in OpenSSH option. Also IPQoS 0x00 is a more direct way to resolve that issue, and potentially more secure option. Because IPQoS 0x00 uses SSH's built in encryption for secure transfers. Compare to netcat's not encrypted transfers. Sources: 12. If you choose to use netcat/ProxyCommand nc %h %p option read on.
Another option to resolve that SSH hangs issue is to use ProxyCommand nc %h %p. To do so follow the same steps as that above resolution with IPQoS 0x00. But replace IPQoS 0x00 with
Keep SSH connection alive
For security reason, by default a SSH connection is automatically closed after a set period of time. But in some cases you want to keep that connection open. Such as cloud storage over SSH connection.
WARNING: Before activating that keep SSH connection alive option. It is suggested to consider securing both your SSH Client and SSH Server. Because for example, there is a risk that if your users leave their SSH session open, and their computer unattended and unlocked. Anyone can approach that computer, then exploit that open SSH connection. For example by using the passwd command, and change the password. And thus gain access to the server. In other words, before activating that keep SSH connection alive option, it is suggested to use your best judgment and good security practices.
For Debian 7.x server
Steps to keep SSH connection alive.
On the SSH server edit /etc/ssh/sshd_config file and add the following at the bottom of that file.
As root user restart the SSH service:
Please note that on recent Debian systems (e.g. Wheezy 7 with current updates as of Nov. 2015), the above command no longer works and returns the error:
However, the following works:
See also
- screen - terminal multiplexer with VT100/ANSI terminal emulation
- tmux - alternative terminal multiplexer
CategoryNetworkCategorySoftware
- https://tools.ietf.org/html/rfc4252 (1)
- https://www.openssh.com/users.html (2)
- https://www.openssh.com/txt/release-5.7 (3)
- https://www.openssh.com/txt/release-6.5 (4)
![Key Key](https://averagelinuxuser.com/assets/images/posts/2019-06-21-how-to-use-public-key-authentication/ssh-authentication-agent.jpg)
With a secure shell (SSH) key pair, you can create virtual machines (VMs) in Azure that use SSH keys for authentication, eliminating the need for passwords to sign in. This article shows you how to quickly generate and use an SSH public-private key file pair for Linux VMs. You can complete these steps with the Azure Cloud Shell, a macOS or Linux host, the Windows Subsystem for Linux, and other tools that support OpenSSH.
Note
VMs created using SSH keys are by default configured with passwords disabled, which greatly increases the difficulty of brute-force guessing attacks.
For more background and examples, see Detailed steps to create SSH key pairs.
For additional ways to generate and use SSH keys on a Windows computer, see How to use SSH keys with Windows on Azure.
Supported SSH key formats
Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported.
Create an SSH key pair
Use the
ssh-keygen
command to generate SSH public and private key files. By default, these files are created in the ~/.ssh directory. You can specify a different location, and an optional password (passphrase) to access the private key file. If an SSH key pair with the same name exists in the given location, those files are overwritten.The following command creates an SSH key pair using RSA encryption and a bit length of 4096:
If you use the Azure CLI to create your VM with the az vm create command, you can optionally generate SSH public and private key files using the
--generate-ssh-keys
option. The key files are stored in the ~/.ssh directory unless specified otherwise with the --ssh-dest-key-path
option. The --generate-ssh-keys
option will not overwrite existing key files, instead returning an error. In the following command, replace VMname and RGname with your own values:Provide an SSH public key when deploying a VM
To create a Linux VM that uses SSH keys for authentication, specify your SSH public key when creating the VM using the Azure portal, Azure CLI, Azure Resource Manager templates, or other methods:
If you're not familiar with the format of an SSH public key, you can display your public key with the following
cat
command, replacing ~/.ssh/id_rsa.pub
with the path and filename of your own public key file if needed:A typical public key value looks like this example:
If you copy and paste the contents of the public key file to use in the Azure portal or a Resource Manager template, make sure you don't copy any trailing whitespace. To copy a public key in macOS, you can pipe the public key file to
pbcopy
. Similarly in Linux, you can pipe the public key file to programs such as xclip
.The public key that you place on your Linux VM in Azure is by default stored in ~/.ssh/id_rsa.pub, unless you specified a different location when you created the key pair. To use the Azure CLI 2.0 to create your VM with an existing public key, specify the value and optionally the location of this public key using the az vm create command with the
--ssh-key-values
option. In the following command, replace VMname, RGname, and keyFile with your own values:If you want to use multiple SSH keys with your VM, you can enter them in a space-separated list, like this
--ssh-key-values sshkey-desktop.pub sshkey-laptop.pub
.SSH into your VM
With the public key deployed on your Azure VM, and the private key on your local system, SSH into your VM using the IP address or DNS name of your VM. In the following command, replace azureuser and myvm.westus.cloudapp.azure.com with the administrator user name and the fully qualified domain name (or IP address):
If you specified a passphrase when you created your key pair, enter that passphrase when prompted during the login process. The VM is added to your ~/.ssh/known_hosts file, and you won't be asked to connect again until either the public key on your Azure VM changes or the server name is removed from ~/.ssh/known_hosts.
If the VM is using the just-in-time access policy, you need to request access before you can connect to the VM. For more information about the just-in-time policy, see Manage virtual machine access using the just in time policy.
Next steps
Debian Generate Ssh Private Key Location
- For more information on working with SSH key pairs, see Detailed steps to create and manage SSH key pairs.
- If you have difficulties with SSH connections to Azure VMs, see Troubleshoot SSH connections to an Azure Linux VM.