ssh safe to add private key to authorized_keys - ssh

Can someone confirm whether it's safe to add a private key (.pem) to ~/.ssh/authorized_keys on a computer that will be connecting to a remote server (where the public key will be)? I plan on using cat private-key.pem >> ~/.ssh/authorized_keys to add it. I've already changed the permissions on authorized_keys using chmod 600 ~/.ssh/authorized_keys
I've been looking for the last hour and all I can see are references to the public key on the remote server. Struggling to find much relevant info on whether the above is safe or not.
I want to do the above so I can add IdentityFile ~/.ssh/authorized_keys to ~/.ssh/config to allow me connect quickly.
Sorry if this is obvious but it's been a while since I've used SSH. Thanks for looking

No, it is not. In authorized_keys you should put the public key!
You can generate the public key from the private key using ssh-keygen:
ssh-keygen -y -f private-key.pem > public-key.pub

Related

How to move my current using ssh key into Yubikey?

I'm using Yubikey 5 NFC and want to move my openssh key into it so that I can authenticate for ssh login via this Yubikey.
Maybe you will suggest generating a new gpg keypair for the Yubikey and using gpg-agent instead of ssh-agent to authenticate. But I still want to move my current ssh private key into the Yubikey, because this way I don't have to edit authorized_keys everywhere.
I tried to do this following this article:
https://www.mvps.net/docs/how-to-add-your-existing-ssh-key-to-yubikey-via-openpgp/
which suggests using pem2openpgp from monkeysphere to translate my ssh key into a gpg key and somehow write this translated gpg key into the Yubikey (via the keytocard command of gpg).
But after all this is done, I find that the fingerprint of my ssh key has changed; this is confirmed by the following commands:
$ ssh-keygen -lf ~/.ssh/id_rsa.pub
$ ssh-add -l
And the fact that the fingerprint changed makes using my current ssh key meaningless -- I still need to edit authorized_keys everywhere to make the "new public key" work.
So is there any other way which can write my old ssh key into Yubikey and keep the old key's fingerprint?

what is the difference between ssh-add and ssh-keygen

I know ssh-keygen can create a public and private key inside ~/.ssh, by default as id_rsa and id_rsa.pub
eg:
ssh-keygen
Later on we add the id_rsa.pub to the known_hosts of the server, so that we can do
ssh user@hostname.com
But I see we use ssh-add to pass the private key so that we can login without the need of a password
Eg:
ssh-add <(echo "$SSH_PRIVATE_KEY")
for this we need to start ssh-agent
eval $(ssh-agent -s)
and then
ssh user@hostname.com
Assuming there is already a ~/.ssh/id_rsa, how does ssh know which private key it has to use?
ssh, if it finds a value for SSH_AUTH_SOCK in the environment, will ask that agent for all private keys and try them one by one, unless you tell it which specific key to use via the -i command-line option or the IdentityFile configuration option.
The main benefit of ssh-agent is that it can hold unencrypted keys in memory, so that you only need to use the key's passphrase once, when it is added to the agent, rather than every time ssh tries to use the key.
(The other benefit is that if you have multiple ssh connections in a chain, you can keep the private keys in an agent on the first machine. The ssh client can forward the agent connection to the remote machine, where ssh clients can access the agent to use keys for the next step in the chain.)
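As an added example (not part of the answer above), the POSIX shell script below makes the two mechanisms concrete: agent_state reports whether a usable agent sits behind SSH_AUTH_SOCK, and identities_for resolves which IdentityFile entries, and whether IdentitiesOnly, apply to a given host from a ~/.ssh/config-style file. The config, host names and key paths are constructed for the demonstration and are not from the original post; with --demo it also starts a throwaway agent and cross-checks the resolver against what `ssh -G` itself reports.

```shell
#!/bin/sh
# Added example, not code from the original answer. Shows how the ssh client
# finds keys: (1) the agent socket named by SSH_AUTH_SOCK, and
# (2) IdentityFile / IdentitiesOnly from the client config.
# Host names, paths and the sample config are made up.

# Report the agent socket state: "none" (SSH_AUTH_SOCK unset or empty),
# "stale" (set, but nothing at that path), or "live" (socket present).
agent_state() {
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo none
    elif [ -S "$SSH_AUTH_SOCK" ]; then
        echo live
    else
        echo stale
    fi
}

# Resolve the IdentityFile entries ssh would try for HOST ($1) from CONFIG ($2).
# Implements the subset of ssh_config rules that matter here: options before
# any Host line are global; a Host block applies when a pattern equals HOST,
# is "*", or is a prefix ending in "*"; IdentityFile accumulates across every
# matching block; the first IdentitiesOnly seen wins.
# Prints "IdentitiesOnly=yes|no", then one IdentityFile path per line.
identities_for() {
    awk -v h="$1" '
        function matches(p,   len) {
            if (p == h || p == "*") return 1
            len = length(p)
            return substr(p, len) == "*" && index(h, substr(p, 1, len - 1)) == 1
        }
        BEGIN { active = 1; only = ""; n = 0 }
        /^[ \t]*#/ { next }
        NF == 0 { next }
        tolower($1) == "host" {
            active = 0
            for (i = 2; i <= NF; i++) if (matches($i)) active = 1
            next
        }
        !active { next }
        tolower($1) == "identityfile" { files[++n] = $2 }
        tolower($1) == "identitiesonly" && only == "" { only = tolower($2) }
        END {
            print "IdentitiesOnly=" (only == "yes" ? "yes" : "no")
            for (i = 1; i <= n; i++) print files[i]
        }' "$2"
}

# Constructed sample config (not a real one).
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONFIG="$SAMPLE_DIR/config"
cat > "$SAMPLE_CONFIG" <<'EOF'
# constructed sample for this example
Host build-*
    IdentityFile ~/.ssh/id_build
    IdentitiesOnly yes

Host *
    IdentityFile ~/.ssh/id_ed25519
EOF

# Live demo: `sh agent-keys.sh --demo` (needs OpenSSH installed).
if [ "${1:-}" = "--demo" ] && command -v ssh-agent >/dev/null 2>&1; then
    eval "$(ssh-agent -s)" >/dev/null        # start an agent; exports SSH_AUTH_SOCK
    echo "agent: $(agent_state)"
    ssh-keygen -q -t ed25519 -N '' -f "$SAMPLE_DIR/id_demo"
    ssh-add "$SAMPLE_DIR/id_demo" 2>/dev/null # now held unencrypted in agent memory
    ssh-add -l                                # keys ssh would offer when IdentitiesOnly is off
    echo "--- resolver:"; identities_for build-01 "$SAMPLE_CONFIG"
    echo "--- ssh -G:";   ssh -G -F "$SAMPLE_CONFIG" build-01 | grep -Ei '^identit'
    ssh-agent -k >/dev/null
fi
```

Two practical consequences of the behaviour the answer describes: without IdentitiesOnly yes, ssh offers every key the agent holds to every server, which both discloses your public keys to each host and can exhaust the server's MaxAuthTries before the right key is tried; and a forwarded agent socket is usable by anyone with root on the intermediate machine for as long as the connection lasts, so ProxyJump (which never exposes the agent to the jump host) is the safer way to chain connections.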

Unable to use ssh - public key issue

I am new to programming and am trying to ssh to my server as that may be needed later to edit code.
My ~/.ssh/id_rsa.pub is
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQD3UP7ryN33fuzwg5wfXSsTDtcRc+jTsrU2+IYI0yrGqPZ7F4+LesO+1/delLvQuhr8O+YJPgAZK6mRoY+ruWPEf/hGsJkrR76kNeOSFkXP/QgSN7aWPhgRFs0EaUk+fgHcri1mOOgxcNto7Mwo8U+YuuMf3CMxMqBcWKccPvPSNMmL91cs56pTM6VXP+rNYBGEFiEqjZdYrUncICmgOO2fIgpcLOIBYsgBcWdl+vycc0oMhLtRPy6ALgzujI3FSMhRxwi8Oy0UjCHNJowcb+XFZrDk8qRUucp1/IYGXBgjS7jJVTejseIKZvnf1qEyRYY8p7pltfqrGKdPNRT5zSun mrinmaykalita@MacBook-Pro-77.local
and
my ~/.ssh/known_hosts has an entry as
173...** ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMIkfmRuMEdyptRu11rW+3qlokDq3B5HDruYGow1fJTTQrPhL7YLAabAek97jChU09VcdBzr2x8+v3HsUfT6Blc=
What should I use for ***** in
ssh-copy-id -i ***** root@173...** to send the public key to that server so I can ssh after that? And what is the significance of the other?
I am a newbie, so a dumb question.
Please help.
Thanks and Regards
What should I use for ***** in ssh-copy-id -i ***** root@173...46 to send public key to that server so I can ssh after that?
Use a path to the public key file:
ssh-copy-id -i $HOME/.ssh/id_rsa.pub root@173...46
Be careful with the access modes of files and directories (as said in a comment): as a general rule, do not set group or world access or modification rights to the corresponding inodes.

Cannot find id_rsa.pub on the Unix server. Can I regenerate it? id_rsa (private key) exists

What I want to do is to copy key to another host.
ssh-copy-id -i ~/.ssh/id_rsa user@host
I get error:
/usr/bin/ssh-copy-id: ERROR: failed to open ID file '[homedir].ssh/id_rsa.pub':
So there is no public key. So where is it? I tried to use command
sudo find / -name id_rsa.pub
but it only found one which I generated experimentally in my test directory. I tried sending the experimental one from the test directory, but then it keeps infinitely asking for the passphrase and does not send when I keep pasting.
So there is something wrong.
I could regenerate using
ssh-keygen -t rsa
but then it tries to use the ~/.ssh directory
and wants to overwrite the private id_rsa key. I am afraid this might break something.
So how do I get my public key file?
Just in case someone else comes here looking for an answer to the OP's question... and to directly answer that question (namely, how can you re-generate the .pub key in a situation where it is missing, and you only have the private key)...
Here is the answer:
Regenerating a .pub key from the private key
ssh-keygen -y -f ~/.ssh/id_rsa > ~/.ssh/id_rsa.pub
The -y option is the command instructing ssh-keygen to output your public key.
This will re-generate the .pub part of the pair. Just as the OP pointed out, if you simply generate a new pair, and replace the old private key, you will lose access to whatever servers you have already provided your public key to. Sure, you can go through the process of providing a new public key to those servers, but why go through that hassle if it can be easily avoided?
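As an added example covering both this answer and the first answer on this page (neither of which includes it), the POSIX shell script below wraps the ssh-keygen -y step with the two checks a practitioner wants around it: key_kind tells a private-key file from a public-key line before anything is appended to authorized_keys, and same_pubkey confirms that a regenerated .pub carries the same key material as the original, ignoring the comment field that ssh-keygen -y does not reproduce. The file names and the key blobs written as samples are constructed for the demonstration and are not real keys; the --demo mode generates a real throwaway pair to exercise the whole path.

```shell
#!/bin/sh
# Added example, not code from the original answers. Tells a private-key
# file from a public one before anything goes into authorized_keys, and
# regenerates the .pub from the private key with `ssh-keygen -y`.
# File names and the sample key blobs below are made up.

# Classify a key file from its first line only (so no secret is echoed):
# "private" for PEM or OpenSSH private-key envelopes, "public" for an
# OpenSSH public-key line, "unknown" otherwise.
key_kind() {
    first=$(head -n 1 "$1")
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----") echo private ;;
        ssh-rsa\ *|ssh-ed25519\ *|ssh-dss\ *|ecdsa-sha2-nistp*\ *|sk-*\ *) echo public ;;
        *) echo unknown ;;
    esac
}

# Regenerate OUT ($2, a .pub) from private key PRIV ($1). Refuses anything
# that is not a private key and leaves no partial file behind on failure.
# ssh-keygen prompts for the passphrase if the private key is encrypted.
derive_pub() {
    priv=$1; out=$2
    if [ "$(key_kind "$priv")" != private ]; then
        echo "refusing: $priv is not a private key" >&2
        return 1
    fi
    ssh-keygen -y -f "$priv" > "$out.tmp" && mv "$out.tmp" "$out" || { rm -f "$out.tmp"; return 1; }
}

# True if two public-key files carry the same key material (type + blob).
# The trailing comment is ignored: ssh-keygen -y does not reproduce it.
same_pubkey() {
    a=$(awk 'NR == 1 { print $1, $2 }' "$1")
    b=$(awk 'NR == 1 { print $1, $2 }' "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed sample files (not real keys).
SAMPLE_DIR=$(mktemp -d)
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'MIIEexampleOnlyNotRealKeyMaterial' '-----END RSA PRIVATE KEY-----' > "$SAMPLE_DIR/private-key.pem"
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKeyBlob0000000000 alice@laptop' > "$SAMPLE_DIR/key.pub"
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKeyBlob0000000000 regenerated' > "$SAMPLE_DIR/key-regen.pub"
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDifferentExampleBlob00000000000000000 alice@laptop' > "$SAMPLE_DIR/other.pub"
printf '%s\n' 'just some text' > "$SAMPLE_DIR/notes.txt"

# Live run: `sh regen-pub.sh --demo` generates a real key pair in a temp
# directory, regenerates its .pub, and checks that the two match.
if [ "${1:-}" = "--demo" ] && command -v ssh-keygen >/dev/null 2>&1; then
    ssh-keygen -q -t ed25519 -N '' -f "$SAMPLE_DIR/id_demo"
    derive_pub "$SAMPLE_DIR/id_demo" "$SAMPLE_DIR/id_demo.regen.pub"
    same_pubkey "$SAMPLE_DIR/id_demo.pub" "$SAMPLE_DIR/id_demo.regen.pub" && echo "regenerated .pub matches"
    echo "private-key.pem classified as: $(key_kind "$SAMPLE_DIR/private-key.pem")"
fi
```

The classification is deliberately based on the first line only, so the script never prints key material to a terminal or a log; a file that key_kind reports as private is exactly the kind of file that must never be appended to authorized_keys or pointed at from a remote host.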
RSA keys work in pairs. You can generate ssh private and public keys any number of times; it does not break anything. It simply replaces the old ones with newly generated keys. This only requires you to copy the newly generated public key id_rsa.pub to your remote machine's ~/.ssh/authorized_keys file in order for you to access the secure shell using RSA keys.
So generate new RSA keys in your home's .ssh directory (your old keys are replaced by new ones) and copy to the remote host's .ssh directory
cd /home/<your_username>/.ssh
ssh-keygen -t rsa
scp ~/.ssh/id_rsa.pub remote_username@host:~/.ssh/authorized_keys
then
ssh remote_username@host
Keep the passphrase empty while generating your new keys unless you want to enter the passphrase every time you try to make an ssh connection.
NOTE: you need to append your public key to authorized_keys file in remote host's ~/.ssh directory if it already exists holding other client's public keys.

Command to send public key to remote host

I remember there is a command to send public key to the remote host that I want. I want to use that feature to send one of my public keys to the other host. How can I do that?
You are looking for ssh-copy-id. All this command does is create .ssh and .ssh/authorized_keys and set their permissions appropriately if they don't exist. Then it appends your public key to the end of .ssh/authorized_keys.
You might be looking for this command:
cat ~/.ssh/id_rsa.pub | ssh user@hostname 'cat >> .ssh/authorized_keys'
It appends your public key to the server's authorized keys.
Source
If your server is already set up to not accept password-based login, you might get a Permission denied (publickey) error.
This is another method to send the key, using netcat, so you don't have to authenticate. It will only work over a local network, but you can use port forwarding to do this over the internet.
On the server:
$ nc -l 55555 >> ~/.ssh/authorized_keys
On the client (replace HOSTNAME with the hostname or IP of the server):
$ nc HOSTNAME 55555 < ~/.ssh/id_rsa.pub
You can replace 55555 with an open port of your choice.
source: chat over lan from linux to linux?
Appendix for total newbies: I don't think anyone's mentioned this yet, but if you get ERROR: failed to open ID file '/home/username/.pub': No such file, you need to generate a key first. The Ubuntu help pages have a great guide on Generating RSA Keys.
In other answers there's no example for ssh-copy-id, so here it is (first you need to generate the key):
ssh-copy-id user#url
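As an added example, not code from any of the answers on this page, the POSIX shell script below is a manual, auditable version of the receiving side of ssh-copy-id described above: it covers the permission rule from the ssh-copy-id answer earlier on the page, the `cat >> authorized_keys` pipe, and the netcat listener, all of which append whatever bytes arrive. It validates the line shape, refuses private-key material (the mistake from the first question on the page), creates ~/.ssh with mode 700 and authorized_keys with mode 600 if they are missing, appends only when the key is not already present, and then audits the modes that sshd's StrictModes enforces. The sample key lines are constructed and are not real keys; the file name install-pubkey.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not code from any of the answers above. A manual,
# auditable equivalent of what ssh-copy-id does on the receiving end, run
# on the server against a key line delivered by ssh, scp, nc or paste.
# The sample key lines below are made up.

# Accept only "<known type> <base64 blob> [comment]".
is_pubkey_line() {
    case $1 in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp256\ *|ecdsa-sha2-nistp384\ *|ecdsa-sha2-nistp521\ *|sk-ssh-ed25519@openssh.com\ *|sk-ecdsa-sha2-nistp256@openssh.com\ *)
            printf '%s\n' "$1" | awk '{ print $2 }' | grep -Eq '^[A-Za-z0-9+/]+=*$' ;;
        *) return 1 ;;
    esac
}

# Append LINE ($1) to AUTH ($2, default ~/.ssh/authorized_keys). Prints
# "installed" or "already present". Returns 2 if LINE is not acceptable.
install_pubkey() {
    line=$1; auth=${2:-$HOME/.ssh/authorized_keys}; dir=$(dirname "$auth")
    case $line in *"PRIVATE KEY"*) echo "refusing: private key material" >&2; return 2 ;; esac
    is_pubkey_line "$line" || { echo "refusing: not an OpenSSH public key line" >&2; return 2; }
    [ -d "$dir" ] || mkdir -m 700 "$dir"
    chmod 700 "$dir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"
    # Match on type + blob only, so the same key with a different comment
    # is not added twice.
    keyid=$(printf '%s\n' "$line" | awk '{ print $1, $2 }')
    if awk -v k="$keyid" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth"; then
        echo "already present"; return 0
    fi
    printf '%s\n' "$line" >> "$auth"
    echo installed
}

# Audit the modes sshd checks under StrictModes (the default): none of the
# given paths may be group- or world-writable. Pass authorized_keys, ~/.ssh
# and the home directory. Prints offenders; returns 1 if there are any.
audit_modes() {
    bad=0
    for p in "$@"; do
        mode=$(ls -ld "$p" | cut -c1-10)
        case $mode in ?????w*|????????w*) echo "insecure mode on $p: $mode"; bad=1 ;; esac
    done
    return $bad
}

# Constructed sample key lines (not real keys).
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKeyBlob0000000000 alice@laptop'
SAMPLE_KEY_RECOMMENTED='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKeyBlob0000000000 alice@desktop'

# Usage on the server:  sh install-pubkey.sh 'ssh-ed25519 AAAA... comment'
if [ $# -ge 1 ]; then
    install_pubkey "$1" && audit_modes "$HOME/.ssh/authorized_keys" "$HOME/.ssh" "$HOME"
fi
```

Whatever transport carries the line over, the receiving side still wants these checks. The netcat listener in particular accepts whatever any host that can reach the port sends while it is open, so inspect what landed in authorized_keys before relying on it; and the scp form shown in an earlier answer replaces the file rather than appending, which silently locks out every other key already there.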