Managing SSH Keys
Introduction
SSH keys are the most secure and convenient authentication method for connecting to any SSH server.
They allow you to connect to a server without typing in any password, while being a lot more secure than password authentication.
When setting up a server, depending on the hosting provider, there are 3 main SSH authentication methods on offer:
- user-defined SSH password (very insecure: most people don’t use secure, unique passwords, and this is how most hacked servers are compromised),
- randomly generated SSH password (more secure, depending on the password length and character set),
- SSH key (if used without a password, this is the most secure method).
Kyun only allows SSH key authentication by default, therefore, you need to provide a public SSH key in order to enable SSH access to your Danbo.
Key Algorithms
There are multiple algorithms you can choose from when generating a key.
- ed25519 - the recommended default for modern systems. Keys are small, fast and well supported in current OpenSSH releases.
- rsa - mainly useful for compatibility with older systems. If you need RSA, use at least 3072 bits.
- ecdsa - supported by OpenSSH, but there is usually no practical reason to choose it over ed25519 unless compatibility or policy requires it.
- dsa - obsolete and should not be used.
For most users, ed25519 is the right choice.
Finding Your Default Key
When connecting to a server that supports key authentication, SSH clients by default look in your ~/.ssh folder for private keys with the default file names (id_ed25519, id_rsa and so on).
To find your default public key in Linux/BSD/macOS, open a terminal and run:
$ cat ~/.ssh/*.pub
If you’re using Windows, open the Command Prompt and run:
> type %USERPROFILE%\.ssh\*.pub
If you have any default public key, it should display it in the console. If you get an error, read the next section for instructions on generating one.
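As an added example that is not part of the original guide, the following Python script parses each line that cat ~/.ssh/*.pub prints and checks it against the guidance in the Key Algorithms section above (ed25519 preferred, RSA at least 3072 bits, DSA obsolete). The sample key lines it builds are constructed blobs with the correct OpenSSH wire layout, not real key pairs.

```python
"""Audit OpenSSH public key lines against the Key Algorithms guidance."""
import base64
import struct

def _read_string(blob, off):
    # OpenSSH wire "string": 4-byte big-endian length, then the bytes
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def classify_key(line):
    """Return (algorithm, bits, verdict) for one line of a .pub file."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    blob = base64.b64decode(parts[1])
    name, off = _read_string(blob, 0)
    name = name.decode()
    if name != parts[0]:
        raise ValueError("key type field does not match the encoded blob")
    if name == "ssh-ed25519":
        return name, 256, "ok"
    if name == "ssh-rsa":
        _, off = _read_string(blob, off)   # public exponent e (mpint)
        n, _ = _read_string(blob, off)     # modulus n (mpint)
        bits = int.from_bytes(n, "big").bit_length()
        return name, bits, "ok" if bits >= 3072 else "weak: use at least 3072 bits"
    if name.startswith("ecdsa-sha2-nistp"):
        return name, int(name[-3:]), "acceptable, but ed25519 is preferred"
    if name == "ssh-dss":
        return name, 1024, "obsolete: do not use"
    return name, 0, "unknown algorithm"

# --- constructed samples: correct wire layout, not usable key pairs ---
def _ssh_string(b):
    return struct.pack(">I", len(b)) + b

def _mpint(value):
    # big-endian, with an extra leading byte so the sign bit stays clear
    return _ssh_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def make_sample(kind, bits=2048):
    if kind == "ssh-ed25519":
        blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
    else:
        n = (1 << (bits - 1)) | 1           # odd number with exactly `bits` bits
        blob = _ssh_string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return f"{kind} {base64.b64encode(blob).decode()} user@example"
```

To check your own keys, feed each line of your .pub files to classify_key; ssh-keygen -l -f key.pub prints the same type and bit length for a single file.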
Generating an SSH Key
To generate a new key, you can use the ssh-keygen command. This command is also available in Windows by default since the April 2018 update.
Current OpenSSH versions generate an ed25519 key by default, but explicitly passing the key type keeps the result predictable across systems. For example:
$ ssh-keygen -t ed25519
Once you run ssh-keygen, the program will prompt you for further options:
Enter file in which to save the key (/home/username/.ssh/id_ed25519):
The value between parentheses is the default value. You can leave the prompt empty to proceed with the default, or you can specify a custom path.
The private key will be generated at the path you specify. The public key will be generated at the same path as the private one, suffixed with .pub.
Note: If you specify a custom SSH key path, you will have to specify the path to that key when connecting to the server, otherwise it will either use the default key (if there is one) or none at all.
Enter passphrase (empty for no passphrase):
If you secure your key with a passphrase, even if your private key gets compromised, an attacker will not be able to use it without your passphrase.
If you choose to use a passphrase, you will either have to use ssh-agent, which keeps the unlocked key in memory, or enter the passphrase every time you use your key to SSH into a server.
Note: ssh-agent may leak the fingerprint of all default keys whenever you connect to a server, even if you specify a different key file. Use with caution.
Using Multiple SSH Keys
Your default SSH key is essentially a unique identifier for the machine it belongs to. For privacy reasons, you may want to use separate SSH keys, one for each server.
There are 2 ways to specify which SSH key you want to use when connecting to a server:
Per-server (global)
Let’s say you have a server at 12.34.56.78, your username on that server is root and the private key associated with the public key that’s authorized to access the server is at ~/.ssh/mybasedkey.
In your ~/.ssh/config file:
Host mybasedserver
    HostName 12.34.56.78
    IdentityFile ~/.ssh/mybasedkey
    IdentitiesOnly yes
    User root
    Port 22
This will make it so you can simply run ssh mybasedserver, and ssh will use the details from the config file.
Per-connection
$ ssh -i ~/.ssh/mybasedkey -o IdentitiesOnly=yes root@12.34.56.78
Note: The IdentitiesOnly option ensures ssh-agent only uses the key file you provide. If that option is omitted, the default keys from your .ssh directory may also be sent to the server.