public/private key generation

This short tutorial will show you how to generate some keys which you can use with openssl/ssh to gain access to machines.

Basically you will create a very strong (by today’s standards) mathematically bound pair of keys which when used in combination ensure trusted communication between two parties.

Which two parties? Your local machine, and a server that you already have access to. The pair of keys you will generate have one that is public (you can freely distribute this, and in fact you will at least place this on the server you want to access). The other is private and the real foundation of the secure communication. Your web traffic will only be as strong as this private key. That is to say, if the location or machine you store your private key on is not secure, then the places you access will not be secure.

For ease of use you may choose not to encrypt the use of your private key with a passphrase. This makes connecting using the key a simple matter, and very handy for automatic connections (no more remembering passwords!). The disadvantage here is that if your key is compromised (someone else gets it), they will be able to go anywhere you could have with it. Even with the addition of a simple passphrase, you can increase the security of the private key. The disadvantage is that you’ll have to enter a passphrase every time you use the key. Your call.

To generate the key:

$ ssh-keygen -t rsa -b 4096

This says you want an RSA key of 4096 bit length. (This is very robust, as of Spring 2015).
You will be asked for a name (it defaults to id_rsa and id_rsa.pub). You generate multiple keys and manage them as you wish. I’ve found it useful to use my last name, this makes putting the public key part on a shared server less confusing for team development, when others will be doing the same thing with their keys.

You will want to immediately change the permissions on your private key so that you will be the only one to be able to read it.

$ chmod 400 nameOfYourPrivateKey_id_rsa

Only someone logged in as you will be able to read (copy) this key now. On machines like OS X, anyone with an administrator account (or root) will also be able to access it. Basically, your key is only as secure as the physical well being of your laptop. If you suspect that your key is compromised let a team member know and the public key on the server can be removed so that particular key pair won’t work anymore.

Work with a team member to get the public key onto the server. It needs to go into a specific place depending on what resource you want to access.

homedirectory/.ssh/

This is how you use the key:

$ ssh -i pathToKey user@machine.domain.tld

If the key pair matches up you’ll be logged in and good to go.
To make this even more handy, you can write an alias:

alias comdevRoot=’ssh -i ~/.ssh/lasota_id_rsa root@communitydev.uaf.edu’

Put that in your .bash_profile and then everytime you enter ‘comdevRoot’, you’ll gain shell access to communitydev.

You can also copy files using scp (secure copy).

$ scp -i path_to_SourceFile path_to_Destination_File_or_Directory

The path should be a full path when you are specifying the location of a file on the foreign machine (server you are working with). Also, the foreign machine needs the user under which you will be placing or retrieving files from. Ex:

$ scp -i ~/.ssh/lasota_id_rsa myWebPage.html root@communitydev.uaf.edu:/var/www/public_html/

The above places a web file into the /var/www/public_html directory. It will be owned by root on the web server.

You can also use wildcards to copy over all the files:

$ scp -i ~/.ssh/lasota_id_rsa * root@communitydev.uaf.edu:/var/www/public_html/project/

This would copy over all of the visible files in the current directory and put them into the project directory on the server. Note that files are overwritten on the foreign server.

Good Luck Jim.