Differences
This shows you the differences between the selected revisions of the page.
| ssh_keys 2023-02-11 | ssh_keys 2024-07-17 (current) | ||
| Line 1: | Line 1: | ||
| - | PuTTY-User-Key-File-2: ssh-rsa | + | ====== Understanding SSH Key Pairs ====== |
| - | Encryption: none | + | In every SSH/SFTP connection, there are four keys (or two key pairs) involved. This article explains the difference between them and what keys an %%SFTP%% client user needs to care about. |
| - | Comment: hassan | + | |
| - | Public-Lines: 6 | + | The %%SSH%% employs public key cryptography. A [[wp>Public-key_cryptography|public-key cryptography]], also known as asymmetric cryptography, is a class of cryptographic algorithms which requires two separate keys, one of which is secret (or private) and one of which is public.((&wikipedia_ref(Public-key_cryptography|Public-key cryptography))) Together they are known as a key pair. In %%SSH%%, the public key cryptography is used in both directions (client to server and server to client), so two key pairs are used. One key pair is known as a host (server) key, and the other is a user (client) key. |
| - | AAAAB3NzaC1yc2EAAAABJQAAAQEAo4nCb/HqM4jj+0nMJ2LC6CP6MuFQGfYhMOTZ | + | |
| - | gi1fzBckdbayv5zAQqihwFOHzQ+cUmfS0MqN844N/qaABWALIWSHFAFvNDeFUdP6 | + | ===== User Private Key ===== |
| - | wLPouNFICSMekDQUVAYf+uzN7QXXAFjasWKjisr8DKxb5CgvPoLdIDlzITWZuBSW | + | A //user private key// is a key kept secret by the %%SSH%% user on his/her client machine. The user must never reveal the private key to anyone, including the server (server administrator), not to compromise his/her identity. |
| - | QhlfxJQ9ZeSmXc5HwYwRJI2AxejjriRas4ffM8aSpd4vCqcmL6xaIrokxWRstcRa | + | |
| - | IRMTxOigE0wxmjwE9lLnrgmv6dJKUaHCmjU64gjVH1sMWL/sKBMF7Z5UFzcTq5tG | + | To protect the private key, it should be generated locally on a user's machine (e.g. using [[ui_puttygen|PuTTYgen]]) and stored encrypted by a passphrase. The passphrase should be long enough (that's why it's called passphrase, not password) to withstand a [[wp>Brute-force_attack|brute-force attack]] for a reasonably long time, in case an attacker obtains the private key file. |
| - | 5IxvR7sy8GIZ3kRaOGxhiWHESyfS4L3oBXvehV08WmMfeWuV6w== | + | |
| - | Private-Lines: 14 | + | Different file formats are used to store private keys. WinSCP supports PuTTY format, with the ''.ppk'' extension. |
| - | AAABAGoUKxguNwyr0iZ1Ds1wfm0QavCSJh6tfVAlvYTfKWHJ0nXeSm5zg6DcFeSJ | + | |
| - | NX4X9rH+J+Fgysd+vPg0phFTDiN/ejZ9eJCSt1esGEWlIVVJetV+kF2JkKU0Z8Vb | + | ===== User Public Key ===== |
| - | VSQfdrQd9aN+QJFhEjG76JP+Y9WFUSmouWGmOjI23gFckSWPjAre80H2ahoPHawF | + | A user public key is a counterpart to //user private key//. They are generated at the same time. The //user public key// can be safely revealed to anyone, without compromising user identity. |
| - | tCOVY9wNcFsndm+ldF2s/CmYAD/+HIanu7FzVkrpFgzlqHsny1476jN1zfoOO8Xb | + | |
| - | 7U4DyXkQS2IC5es3caKWsndgDOEjplVoEzZB/2UTNZsBe32+atvSvDdMcdUAvlrM | + | To allow user authorization on a server, the user's public key is registered on the server. In the most widespread %%SSH%% server implementation, the OpenSSH, file ''~/.ssh/authorized_keys'' is used for that. |
| - | KvDhjJ3zi96+RET1ZWyiuQk7jy0AAACBAN+Vp0a3JzOLGpTHueg752iulu/ohzcy | + | |
| - | +w1vDb3GPkFQ8rkyLA9wfbrFIawfdkH7gZMXBAjRkhzfRpbgfQHoZEYOpLoaSjc9 | + | //Learn more about [[public_key|public key authentication]] in general and how to [[guide_public_key|setup authentication with public keys]].// |
| - | DtarifoopPQEdRUPUAvjjUfAPwObmjj1WEbLUt6l8ZyQO+4vgQlzDlYg6O2ybFfE | + | |
| - | qsQJs4xPMf7JAAAAgQC7P3r99kswo5ounkrNfdCBDE4IPnkmv1cce7sXLvPkfBHf | + | ===== Host Private Key ===== |
| - | oPYpTf+M59CsAxAYtjReIFZ1Dqmf4DZfUdmgKSgtqFk+83vhL68vQ9NpuBGO8zGl | + | A //host private key// is generated when the %%SSH%% server is set up. It is safely stored in a location that should be accessible by a server administrator only. The user connecting to the %%SSH%% server does not need to care about //host private key// in general. |
| - | xU3VQAQM2jP7T0/tRd1cvNUDuGeOKnn4jeX4pL3D9v2CsP+IK7gmnooLO/3FEwAA | + | |
| - | AIEAl2+HKaQ8VPIR58cmCSRKzZR3flSZMf2Cl5/mtI4rmoF01G5biQA/4ee3y7sU | + | ===== Host Public Key ===== |
| - | VHcvB1p2jl/YFlpmwZCG6vIhj9qb3R+TrtX0QetnAOovDJDZXOhwBl48yR7VYopk | + | A //host public key// is a counterpart to //host private key//. They are generated at the same time. The //host public key// can be safely revealed to anyone, without compromising the host's identity. |
| - | 206XabgpPy3qgV2lKla9CCe4FMw2ZcjCdgYNq+bQly2IPpQ= | + | |
| - | Private-MAC: 35d8b1b5a8a0a05985c8a1f4d67ff31bbc08f3d5 | + | To allow authorizing the host to the user, the user should be [[faq_hostkey|provided with host public key in advance]], before connecting. The client application typically prompts the user with //host public key// on the first connection to allow the user to [[ssh_verifying_the_host_key|verify/authorize the key]]. The //host public key// is then saved and verified automatically on further connections. The client application warns the user if the host key changes. |