Ssh Config Public Key



-->

With a secure shell (SSH) key pair, you can create a Linux virtual machine that uses SSH keys for authentication. This article shows you how to create and use an SSH RSA public-private key file pair for SSH client connections.

SSH, or secure shell, is the most common way of administering remote Linux servers. Although the daemon allows password-based authentication, exposing a password-protected account to the network. By default ssh-keygen will save the public and private keys under.ssh directory (which is located at the home directory of the user executing the ssh-keygen command). You can actually change this to wherever you want the keys to be saved (as clearly visible from above command, which prompted location for the user to specify).

If you want quick commands, see How to create an SSH public-private key pair for Linux VMs in Azure.

To create SSH keys and use them to connect to a from a Windows computer, see How to use SSH keys with Windows on Azure. You can also use the Azure portal to create and manage SSH keys for creating VMs in the portal.

Overview of SSH and keys

SSH is an encrypted connection protocol that provides secure sign-ins over unsecured connections. SSH is the default connection protocol for Linux VMs hosted in Azure. Although SSH provides an encrypted connection, using passwords with SSH connections still leaves the VM vulnerable to brute-force attacks. We recommend connecting to a VM over SSH using a public-private key pair, also known as SSH keys.

  • The public key is placed on your Linux VM.

  • The private key remains on your local system. Protect this private key. Do not share it.

When you use an SSH client to connect to your Linux VM (which has the public key), the remote VM tests the client to make sure it has the correct private key. If the client has the private key, it's granted access to the VM.

Depending on your organization's security policies, you can reuse a single public-private key pair to access multiple Azure VMs and services. You do not need a separate pair of keys for each VM or service you wish to access.

Your public key can be shared with anyone, but only you (or your local security infrastructure) should have access to your private key.

Supported SSH key formats

Azure currently supports SSH protocol 2 (SSH-2) RSA public-private key pairs with a minimum length of 2048 bits. Other key formats such as ED25519 and ECDSA are not supported.

SSH keys use and benefits

When you create an Azure VM by specifying the public key, Azure copies the public key (in the .pub format) to the ~/.ssh/authorized_keys folder on the VM. SSH keys in ~/.ssh/authorized_keys are used to challenge the client to match the corresponding private key on an SSH connection. In an Azure Linux VM that uses SSH keys for authentication, Azure configures the SSHD server to not allow password sign-in, only SSH keys. By creating an Azure Linux VM with SSH keys, you can help secure the VM deployment and save yourself the typical post-deployment configuration step of disabling passwords in the sshd_config file.

If you do not wish to use SSH keys, you can set up your Linux VM to use password authentication. If your VM is not exposed to the Internet, using passwords may be sufficient. However, you still need to manage your passwords for each Linux VM and maintain healthy password policies and practices, such as minimum password length and regular updates.

Generate keys with ssh-keygen

To create the keys, a preferred command is ssh-keygen, which is available with OpenSSH utilities in the Azure Cloud Shell, a macOS or Linux host, and Windows 10. ssh-keygen asks a series of questions and then writes a private key and a matching public key.

2015ap calculus. SSH keys are by default kept in the ~/.ssh directory. If you do not have a ~/.ssh directory, the ssh-keygen command creates it for you with the correct permissions.

Basic example

The following ssh-keygen command generates 4096-bit SSH RSA public and private key files by default in the ~/.ssh directory. If an SSH key pair exists in the current location, those files are overwritten.

Detailed example

The following example shows additional command options to create an SSH RSA key pair. If an SSH key pair exists in the current location, those files are overwritten.

Command explained

ssh-keygen = the program used to create the keys

-m PEM = format the key as PEM

201617 cody ceci game worn helmetottawa senators game used. -t rsa = type of key to create, in this case in the RSA format

-b 4096 = the number of bits in the key, in this case 4096

-C 'azureuser@myserver' = a comment appended to the end of the public key file to easily identify it. Normally an email address is used as the comment, but use whatever works best for your infrastructure.

-f ~/.ssh/mykeys/myprivatekey = the filename of the private key file, if you choose not to use the default name. A corresponding public key file appended with .pub is generated in the same directory. The directory must exist.

-N mypassphrase = an additional passphrase used to access the private key file.

Example of ssh-keygen

Saved key files

Enter file in which to save the key (/home/azureuser/.ssh/id_rsa): ~/.ssh/id_rsa

The key pair name for this article. Having a key pair named id_rsa is the default; some tools might expect the id_rsa private key file name, so having one is a good idea. The directory ~/.ssh/ is the default location for SSH key pairs and the SSH config file. If not specified with a full path, ssh-keygen creates the keys in the current working directory, not the default ~/.ssh.

List of the ~/.ssh directory

Key passphrase

Enter passphrase (empty for no passphrase):

It is strongly recommended to add a passphrase to your private key. Without a passphrase to protect the key file, anyone with the file can use it to sign in to any server that has the corresponding public key. Adding a passphrase offers more protection in case someone is able to gain access to your private key file, giving you time to change the keys.

Generate keys automatically during deployment

If you use the Azure CLI to create your VM, you can optionally generate SSH public and private key files by running the az vm create command with the --generate-ssh-keys option. The keys are stored in the ~/.ssh directory. Note that this command option does not overwrite keys if they already exist in that location.

Provide SSH public key when deploying a VM

To create a Linux VM that uses SSH keys for authentication, provide your SSH public key when creating the VM using the Azure portal, CLI, Resource Manager templates, or other methods. When using the portal, you enter the public key itself. If you use the Azure CLI to create your VM with an existing public key, specify the value or location of this public key by running the az vm create command with the --ssh-key-value option.

If you're not familiar with the format of an SSH public key, you can see your public key by running cat as follows, replacing ~/.ssh/id_rsa.pub with your own public key file location:

Output is similar to the following (here redacted):

If you copy and paste the contents of the public key file into the Azure portal or a Resource Manager template, make sure you don't copy any additional whitespace or introduce additional line breaks. For example, if you use macOS, you can pipe the public key file (by default, ~/.ssh/id_rsa.pub) to pbcopy to copy the contents (there are other Linux programs that do the same thing, such as xclip).

If you prefer to use a public key that is in a multiline format, you can generate an RFC4716 formatted key in a pem container from the public key you previously created.

To create a RFC4716 formatted key from an existing SSH public key:

Ssh config use public key authentication

SSH to your VM with an SSH client

With the public key deployed on your Azure VM, and the private key on your local system, SSH to your VM using the IP address or DNS name of your VM. Replace azureuser and myvm.westus.cloudapp.azure.com in the following command with the administrator user name and the fully qualified domain name (or IP address):

If you provided a passphrase when you created your key pair, enter the passphrase when prompted during the sign-in process. (The server is added to your ~/.ssh/known_hosts folder, and you won't be asked to connect again until the public key on your Azure VM changes or the server name is removed from ~/.ssh/known_hosts.)

If the VM is using the just-in-time access policy, you need to request access before you can connect to the VM. For more information about the just-in-time policy, see Manage virtual machine access using the just in time policy.

Use ssh-agent to store your private key passphrase

To avoid typing your private key file passphrase with every SSH sign-in, you can use ssh-agent to cache your private key file passphrase. If you are using a Mac, the macOS Keychain securely stores the private key passphrase when you invoke ssh-agent.

Verify and use ssh-agent and ssh-add to inform the SSH system about the key files so that you do not need to use the passphrase interactively.

Now add the private key to ssh-agent using the command ssh-add.

The private key passphrase is now stored in ssh-agent.

Use ssh-copy-id to copy the key to an existing VM

If you have already created a VM, you can add a new SSH public key to your Linux VM using ssh-copy-id.

Create and configure an SSH config file

You can create and configure an SSH config file (~/.ssh/config) to speed up log-ins and to optimize your SSH client behavior.

The following example shows a simple configuration that you can use to quickly sign in as a user to a specific VM using the default SSH private key.

Create the file.

Edit the file to add the new SSH configuration

Setup Ssh Public Key Authentication For Automatic Login

Add configuration settings appropriate for your host VM. In this example, the VM name is myvm and the account name is azureuser.

You can add configurations for additional hosts to enable each to use its own dedicated key pair. See SSH config file for more advanced configuration options.

Now that you have an SSH key pair and a configured SSH config file, you are able to sign in to your Linux VM quickly and securely. When you run the following command, SSH locates and loads any settings from the Host myvm block in the SSH config file.

The first time you sign in to a server using an SSH key, the command prompts you for the passphrase for that key file.

Next steps

Next up is to create Azure Linux VMs using the new SSH public key. Azure VMs that are created with an SSH public key as the sign-in are better secured than VMs created with the default sign-in method, passwords.

SSH

  • SSH
    • SSH Keys
  • Utilizing the SSH Agent
    • Basic Usage
    • SSH-Agent Forwarding
  • Advanced usage

SSH stands for Secure Shell. It is used to establish a secureconnection to an account on another computer to access files or runprograms without physical access to the machine.

At Western, we allow you to ssh into our Linux COW (Cluster OfWorkstations) and Lab Systems from anywhere inside or outside the University to accessthe files in your account's homedirectory.

Accessing Linux with SSH

By default, SSH will use port 22 forreasons. The CS department uses port922 for a little additional security. This means the ssh commandwill need the -p flag to specify port 922.

SSH Config

Ssh key example

If you find typing the whole ssh -p 922 ${username}@${hostname}.cs.wwu.eduline into your terminal exhausting, there is a perfect solution for you:SSH configuration!

SSH configuration will allow you to use any shorthand alias to connectto a remote server, for example ssh linux for ssh -p 922 ${username}@linux.cs.wwu.edu. Your ssh config file is found at~/.ssh/config.

Here is an example of an ssh config file for linux.cs.wwu.edu:

Note:

  • You can call the Host anything, it does not have to be linux. It isjust your alias for the ssh command.
  • Replace ${username} with your username or the account you havepermission to use.

Getting files with SCP

To copy files from a remote machine that you can access with ssh, youcan use Secure Copy, scp.

Key

For Example, if you want to download document.txt using linux.cs.wwu.edu, from your local machine, use the following command:

Assuming this file exists, this command will copy the filedocument.txt from your CS account homedirectory(denoted with ~) to your local machine's Documents directory.

Notice that scp uses a capital P for its port option flag.

This can also work in the opposite direction: copying files from yourlocal computer to a remote destination.

This command will copy the file document.txt from your local machineto the home directory of your CS account renamed to copied.txt.

SSH Keys

Using an SSH key will make your login more secure. This section willgive you the skinny on SSH keys and key usage. Get all your mac app store dmg filestreedallas. At the end of thissection will be a link to a more in depth description on SSH security.

SSH keys are generated in a public/private keypair. When you ssh intoanother machine, it sends your public key to that machine's~/.ssh/authorized_keys file. When you connect to that machine later,it checks your private key against the public key it has throughcryptographic algorithms to verify your identity.

Your private key should never be given out to ANYBODY!

Western uses EdDSA in the form of Ed25519for our key encryption method. To generate the key pair use this commandin the terminal:

This command will ask for a passphrase and then generate two files inthe ~/.ssh directory: id_ed25519 and id_ed25519.pub. The former isyour private key (Keep it secret! Keep it safe!), and the latteris your public key signified with the .pub extension.

Here is an example of what the interaction will look like:

Ssh Key Authentication

  • note: the password field appears blank because passwordcharacters are hidden in the terminal.
  • also note: if you leave the Enter the file in which to save the key line blank, it will default to the path in the parentheses.

Getting public key to WWU CS Systems from Off Site

After generating your key, you will need to send the public key to the /home/${username}/.ssh directory of the system you will access. On the CS Network, your directory will get mounted anywhere you would normally sign in for academic use (this may not apply to research or project systems). To get the public key from your personal system to the CS location, ssh-copy-id should be used.

So if strongbad were to connect to linux.cs.wwu.edu the command would appear as below:

Other Key Formats

While all of the Computer Science department's SSH servers accept newerkey formats like Ed25519this is not universally true. Some services outside the university mightnot. You may wish to consider another algorithm likeRSA orECDSA.You can generate those types of keys by changing which argument you giveto ssh-keygen's -t flag. For example, if you wanted to generate a4096-bit RSA key you would do

You are now all set to use these keys!

Let's say you want to see information on machine B but can only do sogoing through a specific port. Instructions can be found here.

While SSH keys allow for a more secure connection they still do notresolve the problem of having to enter a password for yourpublic/private key each time you want to ssh into a system. ssh-agentand ssh-add solve this problem by decrypting the key and storing it inmemory so that the user only needs to type in his/her password once.

Basic Usage

Step 1 Starting ssh-agent

The following command will start ssh-agent

Step 2 Add keys to ssh-agent

ssh-add will add the default key (id_rsa) and keep the passphrasestored in memory so that you do not have to keep typing it.

ssh-add will ask you for your password and store it for as long as youare logged in.

See loaded Keys

If you wish to see all of your loaded keys, use the command:

SSH-Agent Forwarding

If you would like to utilize SSH Keys rather than typing your password multiple times, a user can load their SSH Keys and pass their agent information across the SSH connection.

After generating SSH keys one needs to add it to their authorized_keys file. This is located at /home/${username}/.ssh/. If it is not there one needs to make the file. The cat line appends the public key to the end of the authorized_keys file, creating one as well if one does not exist.

After this is complete, one can use the ssh_key to connect. To do this, one would leverage the -A and -i flags. For an example, if your cs username is strongbad, your private key is named id_ed25519_strongbad and you are accessing labs.cs.wwu.edu, the command would look like the below code block.

Leveraging your SSH config

As was demonstrated in the SSH config examination, the SSH config can make things easier. This is achieved by adding the IdentityFile and ForwardAgent options shown below.

After doing this, all strongbad would need to do is:

If you had not entered a password for your SSH key yet (all SSH keys should have a password), it would prompt you to enter that password, and then automatically sign you in. After this, once the key is loaded, you would not need to enter that password again.

SSH is a very deep tool and can be used in a number of empowering ways.

X Forwarding

If you have an X server running on your local system (XOrg onBSD/Linux, XQuartz on macOS, or VcXsrc on Windows) you may want theoption to forward your X traffic from the lab machine to your localsystem. Adding the -Y flag to ssh will do this for you, andlabs.cs.wwu.edu will automatically pass it on to the lab system thatit puts you on. Alternatively you can update your ~/.ssh/config labsentry with the following lines:

Ssh Config Public Key Only

When it comes to X forwarding, compression can really help speedthings up. If you are not doing X forwarding it is not needed, and canoften slow things down.

Ssh Config Public Key File

Let's look at a sample X forwarding session to see if it works:

Ssh Config Enable Public Key Authentication

This created a window on my local desktop, but the application wasrunning on the remote lab machine!