Generally we use username and password to connect to a remote SSH server. Connecting using password is a cumbersome and less secure approach. Here are some of the drawbacks of connecting using password.
1) If you use more than one account then you need to remember password for all the accounts.
2) Changing password is an annoying task and you need to communicate password change to everyone who is using shared account.
3) Passwords are not as secure way of authentication as using keys. Each time you use password, it is passed over the network for authentication.
Now, let's see what is a key?. When we use keys to authenticate over the network, we actually use public/private key cryptography for authentication.
How does a public/private key cryptography work?
In this method, we generate two keys, a public key and a private key. Public key is known to everyone, we can also transfer it over the network. Private key is known only to us, we do not transmit it over the network, nor do we tell it to anyone. Private key is present only on your local machine and that also in a way, that only the authorized account/user can access it.
Now, when both the keys are generated, we install public key on remote machine and keep private key with us.
Following steps are followed when we try to authenticate to the server using keys.
1) Local machine requests the server for connection.
2) Server sends some data known as challenge, encrypted by public key, to the local machine.
3) Local machine/account uses its private key to decrypt the data and sends it back to the server.
4) If the server finds that both the data(sent and received) match then it allows the connection, otherwise it refuses the connection.
Let's see, how we can actually set key based authentication
1) Generate keys
Run the following program on shell
ssh-keygen
This will generate both, public as well as private key. When this program is run, it asks for the file name in which you want to save the keys and a passphrase for private key. I will discuss passphrase after sometime. For the time being, if you want, you can enter it, or leave it and press enter. Supposing, you gave file name for the keys to be my_secret_key then two files will be generated.
my_secret_key will have the private key.
my_secret_key.pub will have the public key.
2) After the keys are generated, you will have to install public key on the remote server. For this, secure copy public key from your local machine to remote machine.
scp /home/XYZ/my_secret_key.pub remote_user@host.com:/home/remote_user/
Now the public key is copied to the home directory of remote_user.
3) After this, log in to the remote host using ssh with the account for which you want to install the public key, in this case it is remote_user. This is the last time you will be logging using your password.
Make .ssh directory inside your home directory, only if it is not present. Assuming that you are in home directory.
mkdir ./.ssh (if not present)
Note: This directory is hidden, so use ls -a to check for its presence.
If .ssh directory is present then check for the file authorized_keys. If present, then append the content of my_secret_key.pub into it as
cat my_secret_key.pub >> /home/remote_user/.ssh/authorized_keys
or else, make the file.
Anyways, append will make the file if not present, so you need not make it explicitly. You only have to take care that you might not delete someone else's public key present for the same account.
Your public key is installed on the remote machine.
Come back to your local machine. Remember you entered a passphrase(if entered) while generating keys. This passphrase will be used to encrypt your private key. The private key will be stored in an encrypted form, if passphrase is used, on the local machine. So, even in the case your encrypted private key becomes vulnerable, nobody will be able to decrypt it and use it to decrypt challenge(which the server sends), unless they know the passphrase. Now you get the importance of passphrase.
Everything set, you can try connecting to remote SSH server using keys.
ssh -i my_secret_key remote_user@host.com
It will ask for your passphrase(if set).
After you enter the passphrase, you are connected to the server.
The best part of connecting by this approach is that your password is not passed over the network, not even your passphrase.
If you don't want to enter your passphrase again and again, you can set up your passphrase in an agent. An agent is a program which remembers the passphrase for you, and whenever you try to use SSH client to connect to the host, it enters the passphrase on your behalf.
