http://sourceforge.net/docman/display_doc.php?docid=761&group_id=1
When using SSH to connect to a remote host, some form of authentication is required. In the context of SourceForge.net, SSH provides two means to authenticate to a remote host: passwords and the use of public key cryptography (SSH keys). The use of passwords is fairly well understood; this document has been created to provide an overview of the second supported authentication mechanism, the use of SSH keys.
SSH key pairs (as with most mechanisms which use public key cryptography) consist of two pieces, a public key and a private key. Your private key contains data which only you should know; this key should be retained on a machine you have direct control over and should not be given to anyone. Your public key will be uploaded to remote hosts to which you wish to connect.
Within public key cryptography, the fundamental idea is that two keys exist, a public key and a private key. The public key is derived from the private key. Messages encrypted with the public key can only be decrypted by someone who holds the corresponding private key. Messages signed with the private key can be validated (i.e. you can confirm that the sender holds that private key) using the public key.
Within the SSH key scheme, both the host and the user hold a key pair. When connecting to the remote host, the public key for that host is sent to the user for verification. Data sent from the user to the host is encrypted with the public key for that host; when the data is received by the host, it is decrypted using that host's private key.
When you connect to a remote host, it will check whether it has a public key on file for your account. If it does, it will ask your workstation (the connecting machine) whether it holds the corresponding private key. If your workstation does hold the matching private key, your identity has been confirmed and you have completed authentication to the remote host. Any data subsequently sent from the host to your workstation will be encrypted with your public key (held by the remote host); when that data is received by your workstation, it will be decrypted using your private key.
The use of SSH keys for user authentication, instead of passwords, provides a number of significant benefits:
SSH comes in two flavors, SSH1 (which uses RSA public key cryptography) and SSH2 (which uses DSA public key cryptography). We recommend the use of SSH2 rather than SSH1, as a result of design enhancements in the newer protocol. SSH1 (RSA) keys and SSH2 (DSA) keys are not interchangeable: the two protocols function in completely different ways to accomplish similar goals. While most SSH client suites support both the SSH1 and SSH2 protocols, it is important to know which protocol you are using when working with SSH keys, because the protocol you choose determines what type of key pair (RSA or DSA) you will generate.
Each SSH suite provides its own mechanism for key pair generation. Please refer to the documentation which accompanied your SSH client to determine the proper procedure for generating your key pair.
If you are making use of OpenSSH, you will make use of the "ssh-keygen" utility to generate your key pair. SSH1 (RSA) keys may be generated by executing "ssh-keygen -t rsa1". SSH2 (DSA) keys may be generated by executing "ssh-keygen -t dsa". Additional parameters are available; see the documentation accompanying OpenSSH for details.
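As an added example (not part of the original SourceForge document), the following Python checks which protocol and key type a public key line belongs to before you upload it, since SSH1 and SSH2 keys are not interchangeable as noted above. It goes slightly beyond the text by also accepting ssh-rsa as an SSH2 type, which OpenSSH supports alongside DSA; the key lines it uses are constructed, not real keys.

```python
import base64
import struct

# SSH1 (RSA) public keys look like "<bits> <exponent> <modulus> [comment]"; SSH2
# public keys in OpenSSH format look like "<type> <base64 blob> [comment]", where
# the blob begins with a uint32-length-prefixed copy of the type string.
SSH2_TYPES = {"ssh-dss": "DSA", "ssh-rsa": "RSA"}


def _read_string(blob, offset=0):
    """Read one uint32-length-prefixed string from an SSH2 key blob."""
    if len(blob) < offset + 4:
        raise ValueError("blob truncated before length field")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if len(blob) < end:
        raise ValueError("blob truncated inside string")
    return blob[offset + 4:end], end


def classify_public_key(line):
    """Return (protocol, algorithm) for one public key line; raise ValueError if malformed."""
    fields = line.strip().split(None, 3)
    if len(fields) < 3:
        raise ValueError("expected at least three fields")
    if all(f.isdigit() for f in fields[:3]):
        # SSH1 layout: key length, public exponent and modulus, all in decimal.
        return ("SSH1", "RSA")
    key_type, b64 = fields[0], fields[1]
    if key_type not in SSH2_TYPES:
        raise ValueError("unknown key type %r" % key_type)
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        raise ValueError("key blob is not valid base64")
    inner_type, _ = _read_string(blob)
    if inner_type != key_type.encode("ascii"):
        raise ValueError("type field %r does not match blob %r" % (key_type, inner_type))
    return ("SSH2", SSH2_TYPES[key_type])


def make_ssh2_line(key_type, comment="constructed@example"):
    """Build a constructed SSH2 public key line with the embedded type string set correctly."""
    # The bytes after the type string stand in for key parameters; this is not a real key.
    blob = struct.pack(">I", len(key_type)) + key_type.encode("ascii") + b"\x00\x00\x00\x01\x02"
    return "%s %s %s" % (key_type, base64.b64encode(blob).decode("ascii"), comment)


# Constructed sample lines (not real keys).
SSH1_LINE = "1024 35 123456789012345678901234567890 user@workstation"
SSH2_DSA_LINE = make_ssh2_line("ssh-dss")
```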
If you are making use of PuTTY, a key pair may be generated by using the following process:
Most SSH suites provide the means to add a password to your private key. Generally, this may be done either at time of key generation or after-the-fact. Please refer to the documentation which accompanied your SSH client to determine the proper procedure for adding a password to your key.
If you are making use of OpenSSH, a passphrase may be added to your private key file using the following command syntax:
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
If you are making use of PuTTY, a passphrase may be added to your private key file by using the following process:
Most SSH suites provide the means to add a password to your private key. Generally, this may be done either at time of key generation or after-the-fact. Once a password has been added to your private key file, you may generally remove it, or change it, using the tools provided in your SSH suite. Please refer to the documentation which accompanied your SSH client to determine the proper procedure for changing or removing a password from your key file.
If you are making use of OpenSSH, the passphrase on your private key file may be changed using the following command syntax:
ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
If you are making use of PuTTY, the passphrase on your private key file may be changed using the following process:
The circumstances surrounding the loss or compromise of your SSH key should largely determine your response. If your key is compromised, IMMEDIATELY update your SSH key data on the SourceForge.net site and take steps to ensure your project data has not been compromised (check for changes to project content on the shell servers and for CVS commits attributed to your user). If you have simply lost your key, generate a new key pair and update the key data for your user account to match.