Questions about SSH Public-Key Authentication

Discussion in 'Mac Basics and Help' started by doubledee, Feb 16, 2015.

  1. doubledee, Feb 16, 2015
    Last edited: Feb 16, 2015

    doubledee macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #1
    To protect my VPS during uploads, I would like to use a Public/Private Key Pair instead of using a password.

    I have spent the last few hours researching this topic, including reading the OS-X Man Pages, but that has just left me with more questions!

    Questions:

    1.) How do I create Keys that are for SSH-2?

    2.) What Encryption Scheme is most secure?

    3.) I assume I want to use 2048-bits, right?

    4.) I saw some tutorials that include a Hostname or Email. Can someone explain how that works?

    5.) In general, what do I need to do to provide the most security?

    Thanks,


    Debbie
     
  2. mfram macrumors 65816

    Joined:
    Jan 23, 2010
    Location:
    San Diego, CA USA
    #2
    SSH is primarily used by people that use the Unix shell. Is that really what you're using, or did you just hear to 'use SSH' without really understanding what that means? If you are not comfortable with using a Unix shell, you probably shouldn't be thinking about SSH.

    Maybe SSH is the correct solution for you. Maybe it's not. There are other alternatives as well. Such as using a VPN to connect to the network you're trying to get to and using other file transfer options.

    There are SSH tutorials out there on the Internet. Just Google for them. The fact those tutorials are probably using Linux instead of Mac probably isn't significant. SSH works basically the same on Mac than it does on Linux.

    You use the command 'ssh-keygen' to create a private/public key pair for SSH. The default parameters should be fine for you. Then you have to transfer your public key to the target system and set that key to be authorized for your account. The details on that transfer depend on what kind of system you are trying to authenticate to.

    If you want security on the SSH connection, I would use 'aes256-ctr' as the stream cipher for the SSH link.

    Once ssh is working, you can use rsync to transfer a directory tree from your system to the remote system assuming it's a Unix-based system. rsync operates over ssh by default. Thus, the file transfer would be secure.
     
  3. doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #3
    Great, discourage a newbie. YES, I am talking about SSH and YES I need to use it to manage my VPS!


    But I didn't ask about "default" settings in my OP...


    How does that relate to the type?


    Maybe some day I can learn rsync, but for now I plan on using CyberDuck.


    Debbie
     
  4. phrehdd macrumors 68040

    phrehdd

    Joined:
    Oct 25, 2008
    #4
    Debbie, have you reviewed SFTP with Cyberduck?

    I am not sure what you are trying to accomplish -

    Secure the connection, secure (encrypt) the files or ... ?

    SFTP is not uncommon for file transfers that require some facets of security.
     
  5. doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #5
    I'm trying to *properly* set up SSH Public/Private Keys to authenticate my MBP using CyberDuck with my VPS...

    And using the defaults from ssh-keygen is NOT good enough for me!

    Sincerely,


    Debbie
     
  6. phrehdd macrumors 68040

    phrehdd

    Joined:
    Oct 25, 2008
    #6
    have you considered perhaps something like OpenPgP
     
  7. theluggage macrumors 68030

    Joined:
    Jul 29, 2011
    #7
    Code:
    ssh-keygen -t rsa
    
    - as described in every tutorial out there. -t rsa implies SSH v2.
    It's the default for ssh_keygen.

    The user/hostname gets tagged onto the end of the public key - this is just a comment for reference and has no significance.

    When you log in via SSH with a public key, it will keep track of the actual hostname and public key in a file .ssh/known_hosts and warn you when connecting to an unknown host or a host who's public key has changed.

    You can potentially disable Telnet (although that's rarely enabled these days) and regular FTP on the VPS and (once you have a connection established) change sshd_config to only enable public-key logins. Be careful you don't lock yourself out or break your VPS control panel, though! If its a commercial VPS then you might not be able to eliminate password-based logins to the control panel.

    ...then hire a security consultant, because the ssh-keygen defaults are unlikely to be the weakest link in your system.
     
  8. 556fmjoe macrumors 65816

    Joined:
    Apr 19, 2014
    #8
    ssh-keygen's default is 2048 bit RSA (version 2), so you don't need to do anything if you want 2048 bit keys. If you want larger keys, invoking ssh-keygen with the -b flag followed by the keysize will give you what you want. The -t flag will give you a different asymmetric cipher, such as ECDSA.

    SSH will look for its config file in ~/.ssh/config. If there is no such file, it will read the system wide config file at /etc/ssh/ssh_config to get the symmetric cipher preferences, then attempt a connection using those ciphers in order. The default symmetric cipher order begins with aes-128-ctr, aes-192-ctr, aes-256-ctr (with many others following those). This is secure and fast enough for just about all uses. If you are trying to improve security by changing the symmetric cipher, you are attacking the wrong problem.


    The most important thing you should do for security when using public key authentication is defend your private keys. That means securing the rest of your system so that nobody can steal them, and securing your machine when you are not physically present at it so that nobody can walk up to it and connect to your remote SSH server.
     
  9. doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #9
    Okay, I wasn't sure on that when I originally posted.



    From what I have read, "rsa" would be the most secure.


    You lost me on this one...

    I thought the switch -t specified the "type" (e.g. dsa, rsa, ecdsa)?

    The Apple Developer Man Pages say...

    So what is all of this stuff...


    I followed nearlly all of the advice on hardening a Mac when I bought my MBP two years ago, so I think I am covered there.

    Plus, with SSH Public Key Authentication I can protect the Private Key with a secure passphrase - as opposed to those fools at FileZilla that put your credentials out in the open!! :rolleyes:

    Thanks,


    Debbie
     
  10. mfram macrumors 65816

    Joined:
    Jan 23, 2010
    Location:
    San Diego, CA USA
    #10
    The public-key part of SSH is only used for authentication so that the server knows you are allowed to connect. I don't know what a "VPS" is, so I can't tell you how to configure it to allow your key. You create the private/public key pair for authentication and copy your public key to the system you want to authenticate to. The private key stays on your computer. It is your 'identity' and the file is called that.

    Once you authenticate to the server, the SSH protocol does a key exchange to create the key used during your session to protect your data. After that, steam protocols like AES take over. That is the algorithm that actually protects your data. Protocol 'aes256-ctr' is probably the safest algorithm to use among the choices in the sense that it is the most studied protocol and is considered secure.

    The system crypto design in SSH is a different design that public/private key systems like PGP. The designs are different because they have different assumptions about how they are being used.
     
  11. doubledee thread starter macrumors 6502

    doubledee

    Joined:
    May 14, 2012
    Location:
    Arizona
    #11
    Virtual Private Server...


    So what would be the syntax to use "rsa (SSH-2)" and "aes256-ctr"??

    This is the syntax I have settled on so far...
    Code:
    ssh-keygen -t rsa -b 4096
    
    Sincerely,


    Debbie
     

Share This Page