![]() ![]() These security considerations aside, a private key has many practical advantages. But that's usually minor, especially if you're just storing the key in ~/.ssh where only system administrators (who also know what IP address you logged in from) can see it. Merely possessing the public key makes you a suspect that you also have the private key, so you lose some anonimity. If your passphrase is good enough and you notice the theft immediately, you'll still have time to revoke the key.Ī public key introduces an element of privacy exposure: if someone knows that you've used the same public key to log into A and to log into B, they know the same person logged into A and B. If the attacker obtains a copy of your private key files (for example by stealing your laptop or your backup media), she can try to brute-force the passphrase, and she can do it at high speed since you have no way to limit the rate (unlike password guesses that need to be made online). ![]() Private keys aren't always more secure than passwords. Someone who watches over your shoulder might be able to see your password and your key passphrase, but with a key they'd also need to get the key. If the attacker doesn't have a copy of your private key file, the RSA key effectively cannot be brute-forced (a 1024-bit key is equivalent to something like a 160-character password made of random case-sensitive letters and digits). If your password isn't strong enough, it can be brute-forced by an attacker with sufficient bandwidth. Logging in with a public key instead of a password in fact tends to increase security. If it was possible, RSA would be fundamentally broken, and this would be major news (breaking RSA would not only break a lot of Internet communication security, but also allow all kinds of banking fraud, amongst others). The easiest way to achive that is to copy the file to Server 2 and append it to the authorized_keys file: scp -p your_pub_key.pub cat id_dsa.pub > ~/.ssh/authorized_keysĪuthorisation via public key must be allowed for the ssh daemon, see man ssh_config.Yes, it is impossible to recover the private key from the public key. Recommended permissions are read/write for the user, and not This file is not highly sensitive, but the The format of this file is described in the Lists the public keys (RSA/DSA) that can be used for logging inĪs this user. Again a quote from man ssh: ~/.ssh/authorized_keys Now you need to introduce your public key on Server 2. Multiple -i options (and multiple identities specified in config. Identity files may also be specified on a per. Protocol version 1, and ~/.ssh/id_rsa and ~/.ssh/id_dsa for pro. Selects a file from which the identity (private key) for RSA orĭSA authentication is read. Another possibility is to tell ssh via the -i parameter switch to use a special identity file. This means you can store your private key in your home directory in. Sensitive and can (but need not) be readable by anyone. Used to encrypt the sensitive part of this file using 3DES.Ĭontains the public key for authentication. To specify a passphrase when generating the key which will be Private key file if it is accessible by others. Sensitive data and should be readable by the user but not acces. Please be careful with ssh because this affects the security of your server.Ĭontains the private key for authentication. Also the openSSH manual should be really helpful: You should read the section 'Authentication'. This is completly described in the manpage of openssh, so I will quote a lot of it. The private key must be kept on Server 1 and the public key must be stored on Server 2. You need your SSH public key and you will need your ssh private key. ![]()
0 Comments
Leave a Reply. |