SSH Keys and Passphrases for the Uninitiated
This article covers the basics of WHY, HOW and WHEN to use keys with passphrases for SSH authentication, plus some “PRO TIPS” for Ubuntu/GNOME users.
Intro
If you use SSH (or are forced to use it as part of your job), you owe it to yourself to set up authentication with asymmetric cryptographic keys. If the machines you access are reachable from the internet and you are not already logging in with keys protected by strong passphrases, shout at your sysadmin! If you are the sysadmin.. get gud!
Why use keys?
At the very minimum, set up key based authentication (even without a passphrase) to save yourself the trouble of typing a password every time you connect to a server. I continue to see way too many people resigning themselves to entering a password every time they use SSH. Clearly not enough people venture to Google “how to automate SSH login”.. sigh.
If you manage an internet accessible SSH server, you should really disable password authentication (PasswordAuthentication no in sshd_config) and force key based authentication. This is because of slow, distributed brute force botnets like the Hail Mary Cloud, which spread their guesses across many source addresses and long periods precisely so that per-IP lockouts never trigger. If you leave password authentication on, eventually a botnet could get lucky and break in; with it off, a guessed password is worthless.
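A check worth running before you trust that setting, as an added example (this is not code from the article): sshd uses the first value it finds for a keyword (see sshd_config(5)), so a “PasswordAuthentication no” appended to the bottom of the file does nothing if an earlier line, or a drop-in pulled in by an Include directive near the top (Ubuntu ships one for /etc/ssh/sshd_config.d/*.conf), already says yes. The script below reads a config body from standard input and reports the effective value; the three configs are constructed for the demo, and the parser assumes the “Keyword value” syntax (the “Keyword=value” form is not handled).

```shell
#!/bin/sh
# Added example, not part of the original article.
# Prints the value sshd will actually use for a keyword: the FIRST
# non-comment occurrence wins, exactly as sshd_config(5) specifies.
# Assumption: "Keyword value" syntax only; "Keyword=value" is not parsed.
sshd_effective() {
  grep -v '^[[:space:]]*#' |
    awk -v kw="$1" 'NF >= 2 && tolower($1) == tolower(kw) { print $2; exit }'
}

# Succeeds (exit 0) if the config on stdin leaves password login enabled.
# sshd's compiled-in default is "yes" when the keyword is absent entirely.
password_auth_enabled() {
  v=$(sshd_effective PasswordAuthentication)
  [ "${v:-yes}" = yes ]
}

# Constructed sample configs for the demo.
WEAK_CONFIG='
# typical shipped config: passwords stay on
PasswordAuthentication yes
UsePAM yes
'

HARDENED_CONFIG='
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
'

# The classic mistake: a "no" added after an earlier "yes" is ignored.
ORDER_TRAP_CONFIG='
PasswordAuthentication yes
PasswordAuthentication no
'

report() {
  if printf '%s\n' "$2" | password_auth_enabled; then
    echo "$1: password login ENABLED"
  else
    echo "$1: password login disabled"
  fi
}

report weak "$WEAK_CONFIG"
report hardened "$HARDENED_CONFIG"
report order-trap "$ORDER_TRAP_CONFIG"
```

On a real server, sudo sshd -T | grep -i passwordauthentication prints the value sshd has actually resolved (Includes and all), sudo sshd -t validates the file, and then reload the service (systemctl reload ssh on Ubuntu). Keep your current session open until you have confirmed that a fresh key-based login works, or you may lock yourself out.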
A passphrase is like a password, only longer, and it may contain spaces and special characters too. It is used to encrypt the private key on disk, so the key file on its own is useless to whoever gets hold of it. For example, if your private key gets stolen, or that one time you accidentally git commit/push your private key (wasn’t me), your key is still uncompromised as long as the passphrase is strong and didn’t leak. “Strong” matters here: an attacker who has the file can try passphrases offline at full speed, with no lockout to slow them down. Keys written in the current OpenSSH private key format (the default since OpenSSH 7.8; older versions needed ssh-keygen -o) use a deliberately slow bcrypt KDF that makes such offline guessing far more expensive than the old PEM format did. By using “SSH agents” (described later in this article), we can eliminate the need to type out passphrases manually, so that we can have both the convenience of a key without a passphrase and the added security of having one.
Recommendation: if you are only using SSH to access low risk machines and services (git) inside a local network (e.g. not at the CIA), using keys without passphrases is fine. There is little risk of a private key “leaking” and doing much harm. For higher risk environments, always use a strong passphrase. When in doubt, use a strong passphrase.
How to use Keys
Key based authentication is enabled by default in OpenSSH server (PubkeyAuthentication yes), which means that pretty much every SSH server you encounter will support it. To set it up you just need to do two things from the client side:
- Create a user key pair
- Register your public key with the SSH server
On Linux machines, the easiest way to create a key is with the ssh-keygen command. Run it without arguments and it will walk you through the process, picking reasonable defaults for the file name and key algorithm (e.g. 2048-bit RSA at the time of writing). If your client and servers are reasonably current, pass -t ed25519 to get an Ed25519 key instead: shorter, faster, and with no key size to choose. Either way, the private key (the file without the .pub suffix) never leaves your machine; only the .pub file does.
Next step is to register your public key with the SSH server. On Linux machines, simply run ssh-copy-id user@host and enter that user’s password to authenticate; it appends your public key to ~/.ssh/authorized_keys on the server.
That’s it. The next time you SSH to your server, authentication will use the key we just created. If you set a passphrase, you will still need to enter it at this point. Let’s see how we can avoid that.. safely.
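For the times ssh-copy-id is not an option (password login already disabled, or you are pasting a key over a console), here is what it does on the remote side, as an added example rather than the article’s or OpenSSH’s own code. The part people get wrong is permissions: with StrictModes (on by default) sshd silently ignores authorized_keys if the file, ~/.ssh or the home directory is group- or world-writable, and you end up back at the password prompt. The key line below is a constructed placeholder, not real key material, and the demo runs against a scratch directory rather than your real home.

```shell
#!/bin/sh
# Added example, not part of the original article: the server-side half of
# ssh-copy-id. Installs one public-key line idempotently, with the modes
# sshd's StrictModes check requires. SAMPLE_KEY is constructed, not a real key.

# Usage: install_pubkey HOME_DIR "ssh-ed25519 AAAA... comment"
install_pubkey() {
  home=$1
  pubkey=$2
  sshdir="$home/.ssh"
  authkeys="$sshdir/authorized_keys"
  mkdir -p "$sshdir" && chmod 700 "$sshdir"
  touch "$authkeys" && chmod 600 "$authkeys"
  # -x: match the whole line, -F: literal string. Skip if already present,
  # so running this twice (or from a config-management loop) is harmless.
  if ! grep -qxF "$pubkey" "$authkeys"; then
    printf '%s\n' "$pubkey" >> "$authkeys"
  fi
}

# How many times a given key line appears (0 or 1 if install_pubkey did its job).
count_pubkey() {
  grep -cxF "$2" "$1/.ssh/authorized_keys"
}

# Total number of installed keys in HOME_DIR.
count_all_keys() {
  grep -c . "$1/.ssh/authorized_keys"
}

# Succeeds only if the modes are ones sshd will accept: 0700 on ~/.ssh,
# 0600 on authorized_keys. -prune keeps find from descending into the dir.
perms_ok() {
  home=$1
  [ -n "$(find "$home/.ssh" -prune -perm 700 -print)" ] &&
  [ -n "$(find "$home/.ssh/authorized_keys" -prune -perm 600 -print)" ]
}

# Constructed placeholder, NOT a real key.
SAMPLE_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterialNotARealKey0000000000000 alice@laptop'

# Demo in a throwaway directory; your real ~/.ssh is never touched.
DEMO_HOME=$(mktemp -d)
install_pubkey "$DEMO_HOME" "$SAMPLE_KEY"
install_pubkey "$DEMO_HOME" "$SAMPLE_KEY"   # second run must not duplicate
echo "entries for alice: $(count_pubkey "$DEMO_HOME" "$SAMPLE_KEY")"
perms_ok "$DEMO_HOME" && echo "permissions acceptable to sshd"
rm -rf "$DEMO_HOME"
```

If key login still falls back to a password after this, look at the server’s auth log (sudo journalctl -u ssh on systemd Ubuntu) for a line complaining about bad ownership or modes, and run ssh -v from the client to see which identities it actually offered.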
Automating Passphrase entering
As alluded to previously, this is where an “SSH agent” comes in. The agent holds your decrypted private key in memory (never on disk) so that you don’t have to enter the passphrase every time; ssh asks the agent to sign the authentication challenge instead of reading the key file itself.
OpenSSH includes an SSH agent called “ssh-agent” (IKR? very creative!) and there are many outdated tutorials describing how to set up Ubuntu to auto run ssh-agent on startup. There are shell scripts that you can plug in to .bashrc or .profile, and there are also tutorials on how to leverage systemd (the init daemon). But from the tinkering that I’ve done, I’d recommend using the inbuilt GNOME Keyring instead. It’s easier to set up (i.e. you don’t need to do anything) and it also supports “Automatic Unlocking” when a user logs in to the system. Just go about your business and when your SSH key needs decrypting, the Keyring dialog will pop up for you to enter the passphrase.
Once unlocked, you don’t have to enter the passphrase again until you log out. You can tick the “Automatically unlock.. when logged in” check box if you never want to enter the passphrase again. Understand the trade-off: the passphrase is then stored in your login keyring, which is protected only by your login password and stays unlocked for the whole session, so anyone who learns your login password or sits down at your unlocked desktop can use the key as well.
For the paranoid among you, the functionality I described with GNOME Keyring might seem limiting, especially once you try its lackluster front end, Seahorse. However, you can still use OpenSSH’s ssh-add command to talk to the Keyring’s SSH agent and get some of the “advanced” ssh-agent functionality back.
Here are some tricks for working with GNOME Keyring:
- If you don’t tick the “Automatically unlock.. when logged in” checkbox, you can use the ssh-add command just like with ssh-agent:
  ssh-add : decrypt and load your default keys (pass a path to load a specific key)
  ssh-add -D : unload all keys
  ssh-add -l : list the loaded keys
  ssh-add also takes -t (forget the key after the given number of seconds) and -c (ask for confirmation on every use), which limit what a hijacked or forwarded agent can do. Plain ssh-agent always honours these; whether the Keyring’s agent does depends on your GNOME version, so test it before relying on it.
- If you had ticked the “Automatically unlock.. when logged in” checkbox and want to undo it, the easiest way I found is to change the passphrase of the key. This forces the Keyring’s passphrase dialog to pop up again so that you get another chance to set the checkbox. You can use ssh-keygen -p -f id_rsa (from the ~/.ssh folder) or the Seahorse front end to change the passphrase. Changing the passphrase also rewrites the key file, which is a convenient way to move an old PEM format key to the current OpenSSH format with its slower, stronger KDF.
Additional Notes
- I am of the opinion that you should create a new key for every client machine you SSH from. There is no real benefit in reusing client keys across multiple machines and generations of machines, and there is a real cost: one key per device means that when a laptop is lost you revoke one line in authorized_keys instead of re-keying everywhere. New keys are easy to set up and make sure you are using the latest recommended algorithm. Change my mind!
- If you are interested in the nuts and bolts of SSH, I’d highly recommend the book SSH Mastery, 2nd Edition by Michael W. Lucas.