Generation of SSH keys

1. Check existing keys

Before creating a new ssh key pair, you should check if you already have any so that you do not overwrite them.

[user@host ~]$ cd ~/.ssh

[user@host .ssh]$ ls -al id_*
-rw------- 1  user  user  1679 jul   3  2007 id_rsa
-rw-r--r-- 1  user  user   389 jul   3  2007 id_rsa.pub
[user@host .ssh]$ 

Here you find old RSA keys, these should be replaced by newer ed25519 keys. The old keys can be left there until you are sure that everything works with new ones, and possibly copied or moved to a subfolder if needed later.

2. Generere moderne ed25519-nøkkel

ed25519 keys have several advantages over the old RSA keys. They are:

• More secure
• Smaller
• Faster to both generate and verify

Keys are most easily generated on the command line on a macOS or Linux machine.

In this process, it is worth noting that "passphrase" should be set to a passphrase that is at least as secure as your password. "-a 100" is the number of rounds the key is encrypted, default is 16 rounds. 100 rounds makes it harder to crack a stray private key.

You can also choose a different file name if you e.g. want to have a separate key for individual machines or services. If you want a key for testing, you can name this /home/user/.ssh/id_ed25519_test etc.

[user@host ~]$ ssh-keygen -C "Min nøkkel 2021-07-03" -a 100 -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/user/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/user/.ssh/id_ed25519.
Your public key has been saved in /home/user/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:VaN5d/O1LgJYXRozuMWVNmf7GR0rNw0wHj6iqN2Snq8 Min nøkkel user 2021-07-03
The key's randomart image is:
+--[ED25519 256]--+
|          o+B+.  |
|         ..O*B.+ |
|         .Bo* =oO|
|       .o+ o + BB|
|      ..S.    o.*|
|     o o  .   ...|
|    . + .  . . . |
|     . o    . .  |
|      Eo.        |
+----[SHA256]-----+
[user@host ~]$ cd ~/.ssh 
[user@host .ssh]$ ls -al id_*
-rw-------  1  user  user  1679 jul   3  2007 id_rsa
-rw-r--r--  1  user  user   389 jul   3  2007 id_rsa.pub
-rw-------  1  user  user   444 Aug  10 13:20 id_ed25519
-rw-r--r--  1  user  user    86 Aug  10 13:20 id_ed25519.pub
[user@host .ssh]$ cat id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH9kFmr...... Min nøkkel user 2021-08-10
[user@host .ssh]$

It is the entire line "ssh-ed25519 AA.... 2021-08-10" that should then be copied into authorized_keys and other places where the ssh public key should be entered.

Note: ssh keys used must always be protected with a passphrase. Exceptions must be risk assessed and approved by IT security.

3. Place restrictions on the use of the key

3.1 Limit use from only one machine or one ip range

If the fixed key is only used from one machine or from some machines, restrictions can be entered in authorized_keys on the machine one logs on to. This reduces the risk of misuse if the private key goes astray.

For example - if you want the generated key to be used only from a host named workstation123.uio.no or only from a certain ip range, it can be done like this in a .ssh/authorized_keys file:

from="workstation123.uio.no" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...

To limit the use only from a given IP range can be done as follows:

from="192.168.0.0/24" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...

Note: if permission has been given for the key to be used without a passphrase, for example in scripts or other automation, there is a requirement with such a restriction.

3.2 Limit usage to run only one specific command

If you want the key to only be used to run one given command, this can be limited as follows:

command="/usr/bin/test" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAI...

3.3 More restrictions on the key

You can add more restrictions if you wish:

no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc

This is not always necessary, but can be used as an additional security mechanism if you have a key that is only to be used for one specific purpose.

4. Copy key to new machine

If you want to use the key to log in to a machine, you can either copy the line with "ssh-ed25519 AA.... 2021-08-10" manually into .ssh/authorized_keys of the user and machine you are going to log in - or you can use ssh-copy-id

[user@host ~]$ ssh-copy-id user@server

Note: at UiO, as a general rule, you should not use ssh keys to switch from one user to another. That is you should not use your ssh key to log in directly as root from your primary user.

5. Log on to machine with a specific key

In case you have several ssh keys, it may be desirable to log in with a particular one of them. If you e.g. have a key called id_ed225519_private and want it to be used, it can be done like this:

[user@host ~]$ ssh -i .ssh/id_ed25519_privat user@server

Note: If things don't work, or behave differently than expected - try adding a -v or a -vv and you'll get debug information about what's going on.

6. Change passphrase on key

If you want to change the passphrase on a key, it can be done with ssh-keygen like this:

[user@host ~]$ ssh-keygen -p -f .ssh/id_ed25519

7. Cleaning up keys

It may be a good idea to note which machines and systems you leave the public part of the key with. If one were to lose the private part of the key, or change job or position - keys must be cleared away.

Keys are cleared by deleting the line from .ssh/authorized_keys

8. Tips and tricks

A very common error when setting up SSH keys is that the wrong permissions are set on the files.

There are a number of other options that can be entered in authorized_keys as well, see here:

authorized_keys File Format

It is worth noting that normally the user will have access to change authorized_keys, so you cannot use these as a security mechanism without further ado.