Rhel Generate Ssh Key Pair

Posted on 24-05-2021 by admin

Aug 19, 2019 In this article, you learned how to generate SSH key pairs and set up an SSH key-based authentication. We also covered copying keys to your remote CentOS server, and disabling SSH password authentication. Jul 17, 2017 To ssh using pem file there are few steps you have to follow 1.Generating Key Pairs. To generate an RSA key pair for version 2 of the SSH protocol, follow these steps: Generate an RSA key pair by typing the following at a shell prompt: $ ssh-keygen or $ ssh-keygen -t rsa -b 2048 -v.

Secure your systems with multiple SSH keys without losing your mind.

Some sites I interact with use SSH keys for access instead of passwords. As with passwords, I try to make a conscious decision about passphrases, and when to reuse or make new keys.

To manage these keys, I use a combination of command-line options, configuration settings, and passphrase caching agents.

Why use different key pairs?

More Linux resources

I currently have about a half dozen places where I use SSH keys on a regular basis and several other less frequently accessed locations. In particular, I use different key pairs for:

Each of my consulting clients.
Lab or testing environments.
Training classrooms and similar environments that use shared keys.
Networks I manage where the public key is loaded into an identity management system that propagates it out to the systems I access interactively.
Each upstream community that allows SSH access, usually to gain write access for source control commits. (Again, the public key is often uploaded to a central site and propagated in an automated manner.)

Of course, I need to keep all of these keys secure. I passphrase protect all (ok, most of) the keys, and am careful about access to the private key files. In addition to the keys used from my workstation, I also have separate keys for any shared applications, plus the keys that need to be uploaded to an automation system such as Ansible Tower.

How does my system decide which key to use?

When I generate an SSH key pair, I get prompted for the name of the public key (identity) file with a default of ~/.ssh/id_rsa. I pick a name that hopefully makes as much sense to future me as it does currently. When I use a client command such as ssh or scp, the utility selects a file based on command-line options, a per-host basis in the configuration file, or program defaults:

The ssh man page not only describes the -i option, but also has a section titled AUTHENTICATION which further explains the steps used to determine which key or other method is used.

Command-line options

There are a few options I use on the command line during setup, or for verification and then later in the configuration file for future use. The -i option specifies the key to use and works the same with all of the SSH client utilities, including the ssh, ssh-copy-id, and scp commands:

This option can be given muliple times to limit which keys to try, if you know it is one of a handful of keys, but I usually only need to specify the exact key.

I also use a handful of other options specified with -o. These options are described in the ssh_config man page. The IdentityFile SSH option can be used instead of -i. The following command has the same result as the one above:

Other options I use include:

PreferredAuthentications specifies the order of methods to try. The default generally has five to six options listed with Kerberos first, keys in the middle, and password last. If I know I need to be prompted for a password, such as when copying a new public key to a host, I use -o PreferredAuthentications=password.
PasswordAuthentication defaults to yes so that if other methods fail, the user will see a password prompt. I sometimes disable this setting to ensure that I am authenticating with a method other than SSH password authentication. If I see a prompt, I know it is a passphrase or Kerberos prompt. I only need to specify PasswordAuthentication=yes if I am trying to override a locally customized configuration file.
PubkeyAuthentication defaults to yes so that key authentication is attempted. I may set this option to no if I know I need to be prompted for a password, such as to add or replace a key using ssh-copy-id.
IdentitiesOnly defaults to no, but when set to yes, tells SSH to use only the identity specified on the command line or in the configuration file. The client will not try other identities, even if offered by ssh-agent or a PK11 provider.

Common authentication error

There is a limit on attempts before the SSH server will fail the authentication. When I try to place a key on a new system, I often get a Received disconnect from x.x.x.x port 22:2: Too many authentication failures error message, which means that the client attempted to authenticate with each method and each key and was ultimately disconnected from the server before getting to the final method of prompting for a password.

In the sshd_config file, you can configure MaxAuthTries. It defaults to six. If I have just key and password authentication methods in use, and I have more than five keys, each key is checked in turn until I'm disconnected from the server before I get a chance to enter a password. I don’t always have access to the server-side configuration. Even if I did, I would not change this setting just for the few users that have such a large collection of keys.

When I know I need password authentication, I make use of PubkeyAuthentication=no or PrefferedAuthentication=password to make sure I get prompted for the password. If I have a particular key to use, I can specify the key and set IdentiesOnly=yes so that only that key is tried:

Configuration file Host entries

To avoid repetitive and lengthy command-line options, I maintain a local configuration file that sets the identity and other options for each destination. As a user, I configure a ~/.ssh/config file. I start by copying the sample from the /etc/ssh directory and then I make use of the ssh_config man page for additional possibilities:

For example, I might create a Host section for each destination. Each Host entry supports multiple destinations, as well as wildcards for pattern matching. The ssh_config man page shows many examples, but here’s a particularly useful one for Fedora users:

If you have a different username on different systems, you can add the User option to specify which one. When I connect to one of the hosts listed above, I can just use ssh host instead of ssh user@host, and the correct username will be passed from the configuration file, thanks to:

You can also add one or more IdentityFile lines for keys used at these sites:

Then, add any other options for managing the connection. This includes options to enable or disable authentication methods as well as destination ports, environment settings, and proxy commands. You might ultimately end up with:

This section of your ~./ssh/config file might end up looking something like this:

A final word on lost keys and key rotation

With multiple keys, I need to determine if all keys were compromised, or if only a single key needs to be rotated. A theft of my laptop would be all keys. If I copy a single key to a new client system and forget to remove it, then I only worry about that one key. Which is exactly why I use different keys for lab testing or any situation where I may need to share a key. My client configuration files then make it easy for me to use a variety of keys on a daily basis.

Free Event: Red Hat Summit 2020 Virtual Experience

Attend the Red Hat Summit 2020 virtual experience, April 28-29.

Overview of SSH and keys

SSH is an encrypted connection protocol that allows secure sign-ins over unsecured connections. SSH is the default connection protocol for Linux VMs hosted in Azure. Although SSH itself provides an encrypted connection, using passwords with SSH connections still leaves the VM vulnerable to brute-force attacks or guessing of passwords. A more secure and preferred method of connecting to a VM using SSH is by using a public-private key pair, also known as SSH keys.

The public key is placed on your Linux VM, or any other service that you wish to use with public-key cryptography.
The private key remains on your local system. Protect this private key. Do not share it.

When you use an SSH client to connect to your Linux VM (which has the public key), the remote VM tests the client to make sure it possesses the private key. If the client has the private key, it's granted access to the VM.

Depending on your organization's security policies, you can reuse a single public-private key pair to access multiple Azure VMs and services. You do not need a separate pair of keys for each VM or service you wish to access.

Your public key can be shared with anyone, but only you (or your local security infrastructure) should possess your private key.

Private key passphrase

The SSH private key should have a very secure passphrase to safeguard it. This passphrase is just to access the private SSH key file and is not the user account password. When you add a passphrase to your SSH key, it encrypts the private key using 128-bit AES, so that the private key is useless without the passphrase to decrypt it. If an attacker stole your private key and that key did not have a passphrase, they would be able to use that private key to sign in to any servers that have the corresponding public key. If a private key is protected by a passphrase, it cannot be used by that attacker, providing an additional layer of security for your infrastructure on Azure.

Supported SSH key formats

Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported.

SSH keys use and benefits

When you create an Azure VM by specifying the public key, Azure copies the public key (in the .pub format) to the ~/.ssh/authorized_keys folder on the VM. SSH keys in ~/.ssh/authorized_keys are used to challenge the client to match the corresponding private key on an SSH connection. In an Azure Linux VM that uses SSH keys for authentication, Azure configures the SSHD server to not allow password sign-in, only SSH keys. Therefore, by creating an Azure Linux VM with SSH keys, you can help secure the VM deployment and save yourself the typical post-deployment configuration step of disabling passwords in the sshd_config file.

If you do not wish to use SSH keys, you can set up your Linux VM to use password authentication. If your VM is not exposed to the Internet, using passwords may be sufficient. However, you still need to manage your passwords for each Linux VM and maintain healthy password policies and practices, such as minimum password length and regular updates. Using SSH keys reduces the complexity of managing individual credentials across multiple VMs.

Generate keys with ssh-keygen

To create the keys, a preferred command is ssh-keygen, which is available with OpenSSH utilities in the Azure Cloud Shell, a macOS or Linux host, the Windows Subsystem for Linux, and other tools. ssh-keygen asks a series of questions and then writes a private key and a matching public key.

SSH keys are by default kept in the ~/.ssh directory. If you do not have a ~/.ssh directory, the ssh-keygen command creates it for you with the correct permissions.

Basic example

The following ssh-keygen command generates 2048-bit SSH RSA public and private key files by default in the ~/.ssh directory. If an SSH key pair exists in the current location, those files are overwritten.

Detailed example

The following example shows additional command options to create an SSH RSA key pair. If an SSH key pair exists in the current location, those files are overwritten.

Command explained

ssh-keygen = the program used to create the keys

-m PEM = format the key as PEM

-t rsa = type of key to create, in this case in the RSA format

-b 4096 = the number of bits in the key, in this case 4096

-C 'azureuser@myserver' = a comment appended to the end of the public key file to easily identify it. Normally an email address is used as the comment, but use whatever works best for your infrastructure.

-f ~/.ssh/mykeys/myprivatekey = the filename of the private key file, if you choose not to use the default name. A corresponding public key file appended with .pub is generated in the same directory. The directory must exist.

-N mypassphrase = an additional passphrase used to access the private key file.

Example of ssh-keygen

Saved key files

Enter file in which to save the key (/home/azureuser/.ssh/id_rsa): ~/.ssh/id_rsa

The key pair name for this article. Having a key pair named id_rsa is the default; some tools might expect the id_rsa private key file name, so having one is a good idea. The directory ~/.ssh/ is the default location for SSH key pairs and the SSH config file. If not specified with a full path, ssh-keygen creates the keys in the current working directory, not the default ~/.ssh.

List of the `~/.ssh` directory

Key passphrase

Enter passphrase (empty for no passphrase):

It is strongly recommended to add a passphrase to your private key. Without a passphrase to protect the key file, anyone with the file can use it to sign in to any server that has the corresponding public key. Adding a passphrase offers more protection in case someone is able to gain access to your private key file, giving you time to change the keys.

Generate keys automatically during deployment

Generate Ssh Key Putty

If you use the Azure CLI to create your VM, you can optionally generate SSH public and private key files by running the az vm create command with the --generate-ssh-keys option. The keys are stored in the ~/.ssh directory. Note that this command option does not overwrite keys if they already exist in that location.

Provide SSH public key when deploying a VM

To create a Linux VM that uses SSH keys for authentication, provide your SSH public key when creating the VM using the Azure portal, CLI, Resource Manager templates, or other methods. When using the portal, you enter the public key itself. If you use the Azure CLI to create your VM with an existing public key, specify the value or location of this public key by running the az vm create command with the --ssh-key-value option.

If you're not familiar with the format of an SSH public key, you can see your public key by running cat as follows, replacing ~/.ssh/id_rsa.pub with your own public key file location:

Output is similar to the following (here redacted):

If you copy and paste the contents of the public key file into the Azure portal or a Resource Manager template, make sure you don't copy any additional whitespace or introduce additional line breaks. For example, if you use macOS, you can pipe the public key file (by default, ~/.ssh/id_rsa.pub) to pbcopy to copy the contents (there are other Linux programs that do the same thing, such as xclip).

If you prefer to use a public key that is in a multiline format, you can generate an RFC4716 formatted key in a pem container from the public key you previously created.

To create a RFC4716 formatted key from an existing SSH public key:

SSH to your VM with an SSH client

With the public key deployed on your Azure VM, and the private key on your local system, SSH to your VM using the IP address or DNS name of your VM. Replace azureuser and myvm.westus.cloudapp.azure.com in the following command with the administrator user name and the fully qualified domain name (or IP address):

If you provided a passphrase when you created your key pair, enter the passphrase when prompted during the sign-in process. (The server is added to your ~/.ssh/known_hosts folder, and you won't be asked to connect again until the public key on your Azure VM changes or the server name is removed from ~/.ssh/known_hosts.)

If the VM is using the just-in-time access policy, you need to request access before you can connect to the VM. For more information about the just-in-time policy, see Manage virtual machine access using the just in time policy.

Use ssh-agent to store your private key passphrase

To avoid typing your private key file passphrase with every SSH sign-in, you can use ssh-agent to cache your private key file passphrase. If you are using a Mac, the macOS Keychain securely stores the private key passphrase when you invoke ssh-agent.

Verify and use ssh-agent and ssh-add to inform the SSH system about the key files so that you do not need to use the passphrase interactively.

Now add the private key to ssh-agent using the command ssh-add.

The private key passphrase is now stored in ssh-agent.

Use ssh-copy-id to copy the key to an existing VM

If you have already created a VM, you can install the new SSH public key to your Linux VM with a command similar to the following:

Create and configure an SSH config file

You can create and configure an SSH config file (~/.ssh/config) to speed up log-ins and to optimize your SSH client behavior.

The following example shows a simple configuration that you can use to quickly sign in as a user to a specific VM using the default SSH private key.

Create the file

Edit the file to add the new SSH configuration

Example configuration

Add configuration settings appropriate for your host VM.

You can add configurations for additional hosts to enable each to use its own dedicated key pair. See SSH config file for more advanced configuration options.

Now that you have an SSH key pair and a configured SSH config file, you are able to sign in to your Linux VM quickly and securely. When you run the following command, SSH locates and loads any settings from the Host myvm block in the SSH config file.

The first time you sign in to a server using an SSH key, the command prompts you for the passphrase for that key file.