
Always encrypt your ssh private key

May 8, 2008 at 13:44 · Filed under unix

Recently someone I know advised other IT people to generate their SSH keypair with the default options, “just press enter to answer all the questions”. This produces a private key with no pass phrase set against it: the key is stored unencrypted.

In that case your private key sits unprotected on your own computer, and anybody who obtains a copy of that file can produce signatures (that is, log in to servers) as if they were you.
I’ll reiterate that: ANYONE holding this file can access ANY server AS YOU wherever you have installed the matching public key.

This means that in the case your laptop or computer is lost or stolen, your unix accounts are effectively compromised.

For this reason your private key should be encrypted where it is stored on your local machine, under a pass phrase of your choice. Choose a strong pass phrase when the key is generated; an existing unencrypted key can be given one afterwards with ssh-keygen -p. Bear in mind that the pass phrase only protects the file at rest: once a copy has been taken, the attacker can guess at it offline, so a weak pass phrase buys you little.

There are two ways to generate a key pair.

  1. If you are using openssh then generate the keypair under your unix login as follows:
    
    $ ssh-keygen -C "My development key 05 May 2008" -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (/home/lantrix/.ssh/id_rsa): 
    Enter passphrase (empty for no passphrase): **type in a strong password here**
    Enter same passphrase again: **retype in your strong password here**
    Your identification has been saved in /home/lantrix/.ssh/id_rsa.
    Your public key has been saved in /home/lantrix/.ssh/id_rsa.pub.
    The key fingerprint is:
    1a:aa:bb:44:09:38:ec:1d:1c:2d:27:c8:cc:dd:ee:ff My development key 05 May 2008
    $ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
    

    Then copy ~/.ssh/id_rsa, the pass phrase protected and encrypted private key, to a secure place on your client machine to use (placing it in your ~/.ssh/ folder; remember to set permissions to 600 on the file and 700 on the folder). Better still, generate the keypair on the client in the first place and copy only id_rsa.pub to the server, so the private key never has to travel at all.

    If you want to use this openssh keypair with PuTTY on a Windows client there is one extra step: PuTTY uses its own .ppk format, so open the id_rsa file you transferred in PuTTYgen (Conversions menu, Import key), give it the existing pass phrase, and save it as a private key.

  2. If you are only going to use PuTTY to connect to UNIX servers it is simpler to generate the keypair in PuTTYgen, again with a pass phrase.
    See the PuTTY documentation for instructions on generating your key pair.
    Copy the public key into ~/.ssh/authorized_keys on each UNIX server you want to log in to (and chmod 600 on the file). Use the one-line text PuTTYgen shows as “Public key for pasting into OpenSSH authorized_keys file”, not the .ppk file and not the file written by “Save public key”, which is in a different format that OpenSSH will not accept in authorized_keys.
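Whichever way the key was made, the check you will want afterwards is that the file on disk really is encrypted and really is mode 600. The following is an added example, not code from the original post: a small Python audit that walks a ~/.ssh directory and, for every private key that has a .pub sibling, reports both. It reads the key header rather than trusting the file name: legacy PEM keys (what ssh-keygen produced in 2008) announce encryption with Proc-Type/DEK-Info headers, PKCS#8 keys in their BEGIN line, and the current openssh-key-v1 container in its ciphername and kdfname fields. The sample key files it writes into a temporary directory are constructed headers with no real key material; demo(), SAMPLE_KEYS and the other function names are the example’s own.

```python
"""Audit a ~/.ssh directory for private keys lacking a passphrase or mode 0600.
Added example, not code from the original post; sample keys are constructed."""
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(blob: bytes, offset: int):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def private_key_is_encrypted(text: str) -> bool:
    """True if the key file is unusable without a passphrase."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty key file")
    first = lines[0]
    if first == OPENSSH_BEGIN:
        # openssh-key-v1: magic, then ciphername and kdfname as SSH strings.
        # An unencrypted key carries ciphername "none" and kdfname "none".
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, offset = _ssh_string(blob, len(OPENSSH_MAGIC))
        kdf, _ = _ssh_string(blob, offset)
        return cipher != b"none" and kdf != b"none"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True   # PKCS#8: encryption is stated in the label
    if first == "-----BEGIN PRIVATE KEY-----":
        return False  # PKCS#8, plaintext
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        # Legacy PEM (what ssh-keygen wrote in 2008): encryption is announced
        # by RFC 1421 headers between the BEGIN line and the base64 body.
        headers = [l for l in lines[1:] if ":" in l]
        proc = any(h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        dek = any(h.startswith("DEK-Info:") for h in headers)
        return proc and dek
    raise ValueError("not a recognised private key file")


def audit_key_file(path: Path) -> dict:
    """Check the two things the post asks for: a passphrase and mode 0600."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return {
        "file": path.name,
        "encrypted": private_key_is_encrypted(path.read_text()),
        "mode_ok": mode & 0o077 == 0,   # no group or other bits at all
    }


def audit_ssh_dir(ssh_dir: Path) -> list:
    """Audit every private key in ssh_dir, located via its .pub sibling."""
    findings = []
    for pub in sorted(ssh_dir.glob("*.pub")):
        priv = pub.with_suffix("")
        if priv.is_file():
            findings.append(audit_key_file(priv))
    return findings


def _openssh_header(cipher: bytes, kdf: bytes) -> str:
    """Constructed openssh-key-v1 file holding only the fields the checker reads."""
    blob = (OPENSSH_MAGIC
            + struct.pack(">I", len(cipher)) + cipher
            + struct.pack(">I", len(kdf)) + kdf)
    return "\n".join([OPENSSH_BEGIN, base64.b64encode(blob).decode(), OPENSSH_END]) + "\n"


# Constructed samples: "QUJD" is base64 for "ABC", not key material.
SAMPLE_KEYS = {
    "openssh_plain": _openssh_header(b"none", b"none"),
    "openssh_encrypted": _openssh_header(b"aes256-ctr", b"bcrypt"),
    "pem_plain": "-----BEGIN RSA PRIVATE KEY-----\nQUJD\n-----END RSA PRIVATE KEY-----\n",
    "pem_encrypted": ("-----BEGIN RSA PRIVATE KEY-----\n"
                      "Proc-Type: 4,ENCRYPTED\n"
                      "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
                      "\nQUJD\n-----END RSA PRIVATE KEY-----\n"),
}


def demo() -> list:
    """Write the samples into a scratch directory standing in for ~/.ssh, then audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = Path(tmp)
        for name, text in SAMPLE_KEYS.items():
            priv = ssh_dir / name
            priv.write_text(text)
            (ssh_dir / (name + ".pub")).write_text("ssh-rsa AAAA constructed\n")
            # Give the unencrypted keys the loose mode the post warns against.
            os.chmod(priv, 0o644 if name.endswith("plain") else 0o600)
        return audit_ssh_dir(ssh_dir)


if __name__ == "__main__":
    for finding in demo():
        print("OK " if finding["encrypted"] and finding["mode_ok"] else "FIX", finding)
```

To run it against your own keys call audit_ssh_dir(Path.home() / ".ssh") instead of demo(). The openssh-key-v1 parser only reads the two leading strings, which is all it needs to answer the question; it deliberately does not attempt to decrypt anything, so it can be run on a directory you do not hold the pass phrases for.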

A Helpful tip

You can use Pageant, the PuTTY authentication agent, to “cache” your key (so you are not retyping your pass phrase for every login) in a secure fashion: the decrypted key is held in memory for the session and never written to disk unencrypted. On a unix client, ssh-agent and ssh-add do the same job.

Don’t think of SSH keypairs as a means of easier logins. Used correctly they give a more secure login: your password is never sent over the network, and the private key, the one thing that can impersonate you, stays encrypted on disk.

Alf said,

May 8, 2008 @ 14:31

mmm…

Tim said,

May 8, 2008 @ 16:12

Nice article. You forgot your <soapbox>code</soapbox> tags though …
😉

But seriously, if I’m given a read-only account to a unix (Solaris) box, how do I go about implementing ssh keypair security, if I don’t even have a home directory?
