Public Key Cryptography

Public key cryptography, or asymmetric cryptography, uses keys which have a public and a private part. The private key part, or private key for short, has to be kept secret. The public key can and has to be distributed to other parties. The real protocols are more complicated, but here it suffices to think that public keys are used to encrypt, and private keys are used to decrypt messages. So if Alice wants to send an encrypted message to Bob, she uses Bob's public key to encrypt it. Afterwards Bob can read the message using his private key. To send an answer, he has to use Alice's public key.

Using asymmetric cryptography has many advantages over passwords. First of all, no secrets have to be transmitted over untrusted channels, and brute-force attacks on encrypted traffic are much harder.

Generating SSH keys

Depending on the underlying math and protocols, there are different types of keys. For SSH the most common choices are RSA and ed25519 keys. RSA keys use the famous RSA algorithm, whose security rests on the difficulty of factoring the product of two large primes. Nowadays the key length (length of the modulus) should be at least 4096 bits. ed25519 keys are based on the difficulty of calculating discrete logarithms.

Use ssh-keygen -t rsa -b4096 to generate a 4096-bit RSA key or ssh-keygen -t ed25519 to create an ed25519 key. The key pair will be saved in a directory called .ssh in your home directory. It consists of two files:

  • ~/.ssh/id_rsa is the private key. It has to be kept secret and is ideally protected with a strong password.

  • ~/.ssh/id_rsa.pub is the public key. This file may be distributed to other parties.

In the case of ed25519 the files will be named id_ed25519 and id_ed25519.pub. The names of these files can be chosen on creation, or the files can be renamed later. Each key pair also has a fingerprint and a random art image to make it easier to identify and recognize the keys.

$ ssh-keygen -t rsa -b4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/john/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): ************
Enter same passphrase again: ************
Your identification has been saved in id_rsa
Your public key has been saved in id_rsa.pub
The key fingerprint is:
SHA256:KsXhkRCJFq17V5hwgiQx+Wt/gbv4OgxmbovNim1fTEM john@johnsPC
The key's randomart image is:
+---[RSA 4096]----+
|++o=oo           |
|.o+ =...         |
| o . +Eo         |
|  o  +oo.        |
|   o .*.S        |
|.o+ o+oo         |
|++ o.o+.         |
|o*+.oo.          |
|=+B=+o           |
+----[SHA256]-----+

Authorized keys

To use SSH keys to establish a connection the server must be aware of which keys are trustworthy. This is done by registering the public keys as authorized.

On the remote machine, as the remote user, create or modify the file ~/.ssh/authorized_keys and add the public key as a line in this file. The SSH server process reads this file and accepts all logins using these authorized keys. For obvious reasons, strict permissions on the authorized_keys file are necessary; otherwise the SSH daemon will refuse to accept the keys.

# create the .ssh directory if necessary
mkdir -p ~/.ssh

# Add the line "ssh-ed25519 ... john@laptop" to ~/.ssh/authorized_keys. This will
# create the file if it does not exist. Make sure to replace
# "ssh-ed25519 ... john@laptop" with the content of `~/.ssh/id_ed25519.pub` on the source machine

echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG5Csv7paLFNcTTIry5jMX/4JK20mD3sUEUNm2I6pt1w john@laptop" >> ~/.ssh/authorized_keys

# This sets the permissions on the .ssh directory and the authorized_keys properly
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
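
As an added example (not part of the original page), the following Python check validates a public key line before it is appended to ~/.ssh/authorized_keys: it confirms that the declared type matches the type encoded in the key data, enforces the 4096-bit RSA minimum stated above, and computes the SHA256 fingerprint in the form ssh-keygen prints. The function and constant names are hypothetical, and the check assumes the plain "type base64 comment" form without leading options.

```python
import base64
import hashlib

MIN_RSA_BITS = 4096  # minimum RSA modulus length recommended on this page

def _read_field(blob, off):
    """Read one length-prefixed field: 4-byte big-endian length, then data."""
    end = off + 4 + int.from_bytes(blob[off:off + 4], "big")
    if off + 4 > len(blob) or end > len(blob):
        raise ValueError("truncated key data")
    return blob[off + 4:end], end

def check_pubkey_line(line):
    """Validate '<type> <base64> [comment]'; return (type, bits, fingerprint)."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    ktype, b64 = fields[0], fields[1]
    # Invalid base64 raises binascii.Error, which is a ValueError subclass.
    blob = base64.b64decode(b64, validate=True)
    inner, off = _read_field(blob, 0)
    if inner != ktype.encode():
        raise ValueError(f"type {ktype!r} does not match key data {inner!r}")
    if ktype == "ssh-ed25519":
        key, off = _read_field(blob, off)
        if len(key) != 32:
            raise ValueError("ed25519 public key must be 32 bytes")
        bits = 256
    elif ktype == "ssh-rsa":
        _exponent, off = _read_field(blob, off)
        modulus, off = _read_field(blob, off)
        bits = int.from_bytes(modulus, "big").bit_length()
        if bits < MIN_RSA_BITS:
            raise ValueError(f"RSA modulus is only {bits} bits")
    else:
        raise ValueError(f"unsupported key type {ktype!r}")
    if off != len(blob):
        raise ValueError("trailing bytes after key")
    # OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key data.
    digest = hashlib.sha256(blob).digest()
    return ktype, bits, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

# The public key line from the echo command above, used as sample input.
PAGE_LINE = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG5Csv7paLFNcTTIry5jMX/4"
             "JK20mD3sUEUNm2I6pt1w john@laptop")

if __name__ == "__main__":
    print(check_pubkey_line(PAGE_LINE))
```

The printed fingerprint can be compared with the output of ssh-keygen on the source machine to confirm that the pasted key is the intended one.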

Graphical programs

john@laptop:~$ ssh -X johndoe@login.phys.ethz.ch
johndoe@phd-login1:~$ mathematica &