Linux Crash Course - Public Key Authentication
- Added 11. 07. 2024
- Public key authentication with OpenSSH is preferred, as it's a much stronger method of authenticating to your servers than password authentication. In fact, password authentication in OpenSSH should always be disabled. But before you can disable password authentication, you'll need to set up public key authentication, and that's exactly what we'll do in today's video.
Helpful OpenSSH content to take your knowledge even further:
🐧 Locking down OpenSSH (goes over disabling password authentication):
➡️ • 5 Easy Tweaks to incre...
🐧 Full OpenSSH Guide (goes over even more detail than this):
➡️ linux.video/ssh
LearnLinuxTV Sites
🐧 Main site:
➡️ www.learnlinux.tv
🐧 LearnLinuxTV Community:
➡️ community.learnlinux.tv
Timecodes:
00:00 - Intro
02:32 - Checking if the OpenSSH client is present (Linux)
03:10 - Checking if the OpenSSH client is installed (MacOS)
03:44 - Installing PuTTY (Windows 10)
05:12 - Generating an SSH keypair (Linux and macOS)
08:40 - Testing OpenSSH connectivity (Linux and macOS)
09:30 - Copy the public key over to a remote server (Linux and macOS)
12:09 - Setting up a session for a server in PuTTY for Windows
13:38 - Creating an SSH key pair in Windows with PuTTYgen
15:40 - Using a PEM key to connect to a Linux server via PuTTY in Windows 10
Video Specific Links
💻 Download PuTTY:
➡️ www.chiark.greenend.org.uk/~s...
About Me
🐦 Follow me on Twitter!
➡️ learnlinux.link/twitter
👨 More about me:
➡️ www.jaylacroix.com
➡️ www.learnlinux.tv
#SSH #OpenSSH #Linux - Science and Technology
AMAZING! This tutorial is perfect! I have been struggling big time with how to generate and share keys. Thanks for covering all platforms.
The SSH client has been a standard part of Windows 10 for quite some time now.
I am very inspired by how much you give back to the Linux community, so today I started my own Linux blog in my language. Not sure how long I will last, but I made the first step.
the best professor from the entire internet !!! THANK YOU!!!
This was brilliant, nice and simple.
Thanks for the content!! This helped a lot.
Thank you, Jay.
Thank you jay!
Would be really nice for you to do a video on SSH User Certificates. They're absolutely superb, and make light work of managing users' access to systems via SSH keys.
Just started watching, gotta say I like the new opening, very nicely thought out and done.
Win10 since 1604 I think, also supports SSH in cmd.
Yeah, it is definitely default on my Windows 10. Including ssh-keygen. If you are curious, go to Apps > Optional Features and verify that OpenSSH Client is shown as installed. It should be on current versions of Windows 10.
It is helpful and straightforward
Thank you!
Hey Jay! Quick side note. Windows 10 does come with OpenSSH by default now. I forget which update brought it in, but Microsoft ported OpenSSH to Windows. The client is there by default, and you can install the server portion really easily. Just fire up a cmd or PowerShell prompt, and ssh wherever you'd like to go. The ssh agent doesn't seem to be working yet, they have that disabled by default. And Windows won't use Pageant, so using keys properly can be quite the nuisance. But, then again, working in Windows in general is just a nuisance. :D
This opens up the ability to manage your Windows servers using Ansible and SSH, rather than Ansible and...shudder...WinRM.
Thank you
Awesome vid
AMAZING...!!!
nice, something that would be cool if you could do a tutorial on is how one can log onto linux via ldap and use groups for giving user sudo access and all that jazz, thanks!
At 14:40, why would one create a notepad file to save the public key if it's available within PuTTYgen when loading back the private key?
I have put elementary os on my old macbook from 2008 but the keys are completely wrong, do you know how my mac keys(cmd,alt,ctrl) work on elementary os?
Nice video! Can you use the same public key to connect to different servers? Or, can you create multiple pairs for individual servers you connect to?
You can do either... according to your convenience
You can - but I'm going to create a separate video about multiple SSH keys in the future, and I think that video will help everyone understand better how that works. I don't have an ETA yet, but it WILL happen. :)
@LearnLinuxTV please, cover security concerns in that video
Key management next please ;P
That's absolutely on my list. It may take a bit of time, but I'm going to see if this is something I can get out by the end of October. It's a very important topic to cover for sure. Thanks!
@7:04 -- Setting a passphrase
What would you need to do, if you did set a passphrase, but sometime later, you want to change your passphrase?
Would you need to generate a new key pair, and upload your new public key to every server that has your old passphrase?
You should be able to generate a new passphrase for the existing private-key using ssh-keygen -p
@irfandjokovic5843 Is that all?
Just one command, and all is done? All of the servers will recognize the new key, and all logins to those remote servers will continue to work?
@NoEgg4u Good question lol. Gonna research the same, let me know if you found anything.
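The passphrase question in this thread can be checked directly. This added example (not from the video or the commenters) generates a throwaway key, changes its passphrase with ssh-keygen -p, and compares the fingerprint of the public key derived from the private key before and after; the key file name and both passphrases are constructed samples.

```bash
#!/usr/bin/env bash
# Added example: throwaway key in a temp dir; passphrases are constructed samples.

# Print the SHA256 fingerprint of the public key derived from a private key file.
# $1 = private key path, $2 = passphrase. Fails if the passphrase is wrong.
pub_fingerprint() {
  local pub
  pub=$(ssh-keygen -y -P "$2" -f "$1" 2>/dev/null) || return 1
  printf '%s\n' "$pub" | ssh-keygen -l -f - | awk '{print $2}'
}

# Returns 0 only if the public key is unchanged after "ssh-keygen -p"
# and the old passphrase no longer unlocks the private key.
passphrase_change_demo() {
  local dir key before after ok=0
  dir=$(mktemp -d) || return 1
  key="$dir/id_ed25519_demo"

  ssh-keygen -q -t ed25519 -N 'old-sample-passphrase' -C demo -f "$key" || return 1
  before=$(pub_fingerprint "$key" 'old-sample-passphrase') || return 1

  # Re-encrypts the private key file in place; the key pair is not regenerated.
  ssh-keygen -q -p -P 'old-sample-passphrase' -N 'new-sample-passphrase' \
    -f "$key" >/dev/null || return 1
  after=$(pub_fingerprint "$key" 'new-sample-passphrase') || return 1

  echo "before: $before"
  echo "after:  $after"

  [ "$before" = "$after" ] || ok=1
  # The old passphrase must now be rejected.
  if pub_fingerprint "$key" 'old-sample-passphrase' >/dev/null; then ok=1; fi
  rm -rf "$dir"
  return "$ok"
}

if command -v ssh-keygen >/dev/null 2>&1; then
  passphrase_change_demo && echo "same public key: authorized_keys entries stay valid"
fi
```

The passphrase only protects the private key file on the client, so servers holding the matching public key in authorized_keys need no change.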
Thx for the video!
Question - do I have to disable password authentication on the ssh server in order for this to work properly?
No... actually key authentication takes higher preference...but if the keys don't match for some reason...ssh reverts back to password authentication. So..in a hypothetical attack situation..it leaves the password to be breached. So.. password authentication is disabled in ssh config file. But..you don't mandatorily need to disable it for key authentication to work.
@arijitkumarhaldar3197 I understand it is not required, but why would the password authentication option stay enabled to invite possible attacks?
It's recommended to disable password authentication. I have a separate video about that. I'll place a link to that video into the description for this one.
@yuriw777 Ya..sorry... maybe I wasn't clear about it. You are absolutely right if you are doing that for security reasons. But..if you are just testing out key authentication, then you don't mandatorily need to disable password authentication for key to work. In the long run, it is recommended to disable password authentication altogether.
Windows 10 Pro has ssh client, and ssh-keygen
Windows 10 *does* include an ssh client by default--just pull up CMD or PowerShell and run ssh user@host, just like in macOS or Linux.
I use powershell based ssh all the time but I am not sure it will remember a private key or a public key unless you will use a very long command for it.
@Ranblv PowerShell and CMD should both be using the same ssh command. You can define what keys it should use in an ssh config file. In most *nix systems, that's going to be /home/youruser/.ssh/config. In Windows, it's c:\Users\youruser\.ssh/config.
I cannot recommend ssh config files enough. Definitely something to have in your toolbox. But just to get started, edit that config file, and put
IdentityFile = C:\Users\youruser\.ssh\yourprivatekey
Save it, close it. Now every time you ssh somewhere, you will use that private key.
Hi jay, I’ve implemented keys to connect to my servers in my lab, but I also make changes to the ssh config file to disable the pw prompt if someone tries to log in. Is that still necessary following this method?
If you're authenticating using public keys, SSH shouldn't prompt for a password. But if you want to prevent users from logging in with a password, instead requiring public key authentication, you'd need to edit the sshd_config.
@AstroCat yes! This is what I’ve always done to lockdown ssh.
It is optional to disable ssh password identification. If you leave it enabled then you can still connect with a password, that is why CZcams videos don't mention it. So people don't lock themselves out and blame the video.
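Several replies above say that disabling password logins means editing sshd_config. This added example (not from the video or the commenters) reports the value sshd would actually use for the relevant keywords, given that sshd keeps the first value it reads for each keyword; the two config files are constructed samples and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example. sshd keeps the FIRST value it reads for each keyword, so pass
# the files in the order sshd reads them (drop-ins at the Include line).

# Print the effective global value of a yes/no sshd_config keyword.
# $1 = keyword, $2 = built-in default, rest = config files (or stdin).
# Simplification: Match blocks are skipped, not evaluated.
effective_sshd_option() {
  local kw=$1 def=$2; shift 2
  awk -v kw="$kw" -v def="$def" '
    FNR == 1     { in_match = 0 }          # each file starts in global scope
    /^[ \t]*#/   { next }                  # comment
    /^[ \t]*$/   { next }                  # blank line
    { line = $0
      sub(/^[ \t]+/, "", line)
      sub(/[ \t]*=[ \t]*/, " ", line)      # accept the "Keyword=value" form
      split(line, f, /[ \t]+/)
      k = tolower(f[1])
      # deprecated alias of KbdInteractiveAuthentication
      if (k == "challengeresponseauthentication") k = "kbdinteractiveauthentication" }
    k == "match" { in_match = 1; next }
    !in_match && !found && k == tolower(kw) { val = tolower(f[2]); found = 1 }
    END { print (found ? val : def) }
  ' "$@"
}

# Return 0 only if password-style logins are off and public key auth is on.
password_login_disabled() {
  [ "$(effective_sshd_option PasswordAuthentication yes "$@")" = no ] &&
  [ "$(effective_sshd_option KbdInteractiveAuthentication yes "$@")" = no ] &&
  [ "$(effective_sshd_option PubkeyAuthentication yes "$@")" = yes ]
}

# Constructed sample: a drop-in read before the main file re-enables passwords,
# so the "no" in the main file never takes effect.
demo_dir=$(mktemp -d)
printf 'PasswordAuthentication yes\n' > "$demo_dir/50-dropin.conf"
printf '%s\n' '# main file' 'PasswordAuthentication no' \
  'KbdInteractiveAuthentication no' 'Match User backup' \
  '    PasswordAuthentication yes' > "$demo_dir/sshd_config"

password_login_disabled "$demo_dir/sshd_config" &&
  echo "main file alone: password login disabled"
password_login_disabled "$demo_dir/50-dropin.conf" "$demo_dir/sshd_config" ||
  echo "drop-in read first: password login still possible"
```

On a live server, `sshd -T` run as root prints the configuration sshd actually resolved, which is the authoritative check before closing your existing session.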
Does anyone run into the issue where the password is simply never correct, when you know it is? What is that caused by?
I have a question about setting up PKA. If you do this, and disable password authentication, then what happens if your laptop blows up or gets stolen? Wouldn't you be locked out of your server forever? If you can only access your server through PKA, and you lose your computer that has the private key on it, then what happens?
The first thing to think about, is whether or not you have the ability to view a console window. For example, many (if not most) cloud providers allow you to connect to the server via some sort of web console, kind of like a web KVM. You can still log in to that with your password, and you can temporarily enable password authentication to copy a new key. Virtualization solutions also allow you to access a console. If it's a physical server, you can plug in a monitor, keyboard, and mouse if it comes down to it. Disabling password authentication doesn't apply to console access, just access via OpenSSH.
@@LearnLinuxTV Thank you.
You should always have a backup. To be more precise, 3 backups. A backup on a second drive, a backup on a second machine and a remote backup, in case of a fire at your home/workplace.
At 5:45, you mention that ssh-keygen will override the actual one, if any.
But you don't mention the consequences of that...
If one is already there and you create a new one, is it a problem if you then copy the new key to the server ?
No.. Just so you know what servers/services you need to update with your new key now that your prior key private & public key are gone.
How about to disable the password login ;o)
my kali did not have ssh installed
Is it enough to remove the public key from the authorized_keys file to reverse the process?
Yes
Does not work for me. I did everything correct, but the server still asks for the password. I checked file permissions, checked the config files, basically did everything, but it still does not work. Even chatgpt did not help.
because it is the password for the server, his server 172...
i want a sticker of your logo , so i can stick it to my laptop :D
I'll make a note to start offering that, not sure when it will be ready, but I'll make it happen. I actually want one too. LOL
ssh comes with windows 10 and is usable with powershell
Yup. And I wasn’t aware of that until about two weeks ago. Always something to learn!
@LearnLinuxTV I was actually using ssh with git bash up until I learned it comes with PowerShell
Using putty in a world where windows terminal exists...
PuTTY is still a valid solution though. And other methods within Windows are also fair game for stand-alone videos. I'm not done with this topic just yet.
Passwords are fine. This anti-password propaganda is a silly trend in IT.
It's just big-key tryin' to keep us down!
Passwords are fine - until someone actually *tries* to get in.