Private and Public keys generation and usage for CentOS

By | February 7, 2020

Public and private key pair is alternative way of server logging using Secure Shell (SSH) protocol. It gives possibility to avoid user name and password prompts so could be faster and more comfortable. Besides both keys represent two long string of characters, so eventually it is more difficult to crack. There are a lot of tools for public and private key generation, Linux ssh-keygen is one of them. Start ssh-keygen command from ~/.ssh directory:


# cd ~/.ssh
# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): id_rsa_666
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa_666.
Your public key has been saved in id_rsa_666.pub.
The key fingerprint is:
cd:58:04:26:9c:f2:93:7f:fa:dd:ac:7a:c2:7f:a8:ed root@root@BAMBOO-400
The key’s randomart image is:
+–[ RSA 2048]—————————–+
|      …o..           |
|     . oo .          |
|     o .  .          |
|      + =            |
|      &bbsp;oS o     |
|       nbsp;. .      |
|         +   .       |
|       nbsp;. oooo.  |
|         .+BEoo      |
+——————————————————————+
#

Now ~/.ssh directory contains 2 new files, one for private key (id_rsa_666) and another for public one (id_rsa_666.pub):


# ls *666*
id_rsa_666 id_rsa_666.pub

Now we need to copy public key file content to remote machine. It is possible to do using ssh-copy-id or simply copy content of id_rsa_666.pub and paste it into authorized_keys file of specified used on remote 10.19.30.191 machice:


# ssh-copy-id -i id_rsa_666.pub administrator@10.19.30.191
The authenticity of host ‘10.19.68.191 (10.19.68.191)’ can’t be established.
RSA key fingerprint is ac:2e:e4:98:92:df:78:99:fa:13:74:c2:89:ff:6e:32.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added ‘10.19.68.191’ (RSA) to the list of known hosts.
administrator@10.19.30.191’s password:
Now try logging into the machine, with “ssh ‘administrator@10.19.30.191′”, and check in:

    .ssh/authorized_keys

to make sure we haven’t added extra keys that you weren’t expecting.

Check that new record was added to /home/administrator/.ssh/authorized_keys file on 10.19.30.191 machine


# cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2fXUvNunHyGbs1R1oGGuWEWsT3mCocraoDc2jp2dn8+AAz+LNyN5sjo2bdTzQS5tJMbvScCWV+AcFxa7TX+T8Mn6H31nHhfMHQPR87yuX60H3F1Bqd4dDDkYXlPwfP1gWX+CMLHlKf6EiaNcp5DkUngupamUX8Docj3IFFGCy9U/sfYL75vH1hw2FapO1/9nJvUhON/vxPBwTNQIzLmPccfe9YoiSUKTwjEi1nTGwzYNfoWilXw66sAqQ5TbtbzheoMRd4bzAaZSS/xSV7rF+ZLZ3K4RjcNxcVSljn0sq+Y3TM+4pss7WATWPcU+VSWHLP/n/gJEdcsI0yyLkPRPt root@192.168.3.1
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAzfNV5FH6WBjWHlFdsyHLt4qzCaXpYXy9K8ZMrsY3/2tFbkRq4X3Vk2v0ti0jW8iJwf+ip4nqmJ/XOE5TZkIC3geXmnPCGYioh4eUy5cU2r0WVjUqL5HsZFxfmhOSpD4/G0Zywopn8Eil35cH3AapBHajxgqYQJuZvRxlDP491vc9CNpFd7oCm+ss3lIy0cWMoccStf9TDxUWa+om0p2CmBn7PYS+yzp5mfD0HlisNbbdWPSahbAslac0uw2bA5xX45u3OCxxOit9zN8OFZWtVLMmQ03nwBPWYMhXsordRIbQlVJd/uJ7tE1bvPvCMN+UpZCvhyDGi+92pSm7cyOYHw== root@BAMBOO-400

and this record corresponds to id_rsa_666.pub content on BAMBOO-400 machine

Now it is ready for testing.
However i does not work, still ask for password:


# ssh administrator@10.19.68.191
administrator@10.19.68.191’s password:

To find the problem start ssh client in verbose mode:


# ssh -v administrator@10.19.68.191
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.19.68.191 [10.19.68.191] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa_rc_35pft type -1
debug1: identity file /root/.ssh/id_rsa_rc_35pft-cert type -1
debug1: identity file /root/.ssh/id_rsa_rc_412zl type -1
debug1: identity file /root/.ssh/id_rsa_rc_412zl-cert type -1
debug1: identity file /root/.ssh/id_rsa_rc_f1tb8 type -1
debug1: identity file /root/.ssh/id_rsa_rc_f1tb8-cert type -1
debug1: identity file /root/.ssh/id_rsa_rc_ifmdn type -1
debug1: identity file /root/.ssh/id_rsa_rc_ifmdn-cert type -1
debug1: identity file /root/.ssh/id_rsa_rc_lryd0 type -1
debug1: identity file /root/.ssh/id_rsa_rc_lryd0-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha2-256 none
debug1: kex: client->server aes128-ctr hmac-sha2-256 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<4096<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host '10.19.68.191' is known and matches the RSA host key. debug1: Found key in /root/.ssh/known_hosts:4 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Trying private key: /root/.ssh/id_rsa_rc_35pft debug1: read PEM private key done: type RSA debug1: Authentications that can continue: publickey,password debug1: Trying private key: /root/.ssh/id_rsa_rc_412zl debug1: read PEM private key done: type RSA debug1: Authentications that can continue: publickey,password debug1: Trying private key: /root/.ssh/id_rsa_rc_f1tb8 debug1: read PEM private key done: type RSA debug1: Authentications that can continue: publickey,password debug1: Trying private key: /root/.ssh/id_rsa_rc_ifmdn debug1: read PEM private key done: type RSA debug1: Authentications that can continue: publickey,password debug1: Trying private key: /root/.ssh/id_rsa_rc_lryd0 debug1: read PEM private key done: type RSA debug1: Authentications that can continue: publickey,password debug1: Next authentication method: password administrator@10.19.68.191's password:

Our private key file is id_rsa_666:


# ls -l
total 40
-rw——-. 1 root root 816 Feb 3 12:15 authorized_keys
-rw——-. 1 root root 180 Aug 20 16:10 config
-rw——-. 1 root root 1743 Feb 4 13:10 id_rsa_666
-rw-r–r–. 1 root root 402 Feb 4 13:10 id_rsa_666.pub
-rw——-. 1 root root 1674 Jul 11 2019 id_rsa_rc_35pft
-rw——-. 1 root root 1678 Jul 12 2019 id_rsa_rc_412zl
-rw——-. 1 root root 1674 Jul 12 2019 id_rsa_rc_f1tb8
-rw——-. 1 root root 1674 Jul 16 2019 id_rsa_rc_ifmdn
-rw——-. 1 root root 1674 Aug 20 16:10 id_rsa_rc_lryd0
-rw-r–r–. 1 root root 1571 Feb 6 15:27 known_hosts

but ssh tries all private keys files except id_rsa_666:


debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/id_rsa_rc_35pft
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_rsa_rc_412zl
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_rsa_rc_f1tb8
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_rsa_rc_ifmdn
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_rsa_rc_lryd0
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password

It is because id_rsa_666 file is not presented in ~/.ssh/config file. Open this file in text editor:


IdentityFile ~/.ssh/id_rsa_rc_35pft
IdentityFile ~/.ssh/id_rsa_rc_412zl
IdentityFile ~/.ssh/id_rsa_rc_f1tb8
IdentityFile ~/.ssh/id_rsa_rc_ifmdn
IdentityFile ~/.ssh/id_rsa_rc_lryd0

and add the following string at the and:


IdentityFile ~/.ssh/id_rsa_666

Now start ssh client again:


# ssh -v administrator@10.19.68.191
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 10.19.68.191 [10.19.68.191] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa_rc_35pft type -1
debug1: identity file /root/.ssh/id_rsa_rc_35pft-cert type -1
debug1: identity file /root/.ssh/id_rsa_rc_412zl type -1
debug1: identity file /root/.ssh/id_rsa_rc_412zl-cert type -1
debug1: identity file /root/.ssh/id_rsa_rc_f1tb8 type -1
debug1: identity file /root/.ssh/id_rsa_rc_f1tb8-cert type -1
debug1: identity file /root/.ssh/id_rsa_rc_ifmdn type -1
debug1: identity file /root/.ssh/id_rsa_rc_ifmdn-cert type -1
debug1: identity file /root/.ssh/id_rsa_rc_lryd0 type -1
debug1: identity file /root/.ssh/id_rsa_rc_lryd0-cert type -1
debug1: identity file /root/.ssh/id_rsa_666 type 1
debug1: identity file /root/.ssh/id_rsa_666-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha2-256 none
debug1: kex: client->server aes128-ctr hmac-sha2-256 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<4096<8192) sent debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP debug1: SSH2_MSG_KEX_DH_GEX_INIT sent debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY debug1: Host '10.19.68.191' is known and matches the RSA host key. debug1: Found key in /root/.ssh/known_hosts:4 debug1: ssh_rsa_verify: signature correct debug1: SSH2_MSG_NEWKEYS sent debug1: expecting SSH2_MSG_NEWKEYS debug1: SSH2_MSG_NEWKEYS received debug1: SSH2_MSG_SERVICE_REQUEST sent debug1: SSH2_MSG_SERVICE_ACCEPT received debug1: Authentications that can continue: publickey,password debug1: Next authentication method: publickey debug1: Trying private key: /root/.ssh/id_rsa_rc_35pft debug1: read PEM private key done: type RSA debug1: Authentications that can continue: publickey,password debug1: Trying private key: /root/.ssh/id_rsa_rc_412zl debug1: read PEM private key done: type RSA debug1: Authentications that can continue: publickey,password debug1: Trying private key: /root/.ssh/id_rsa_rc_f1tb8 debug1: read PEM private key done: type RSA debug1: Authentications that can continue: publickey,password debug1: Trying private key: /root/.ssh/id_rsa_rc_ifmdn debug1: read PEM private key done: type RSA debug1: Authentications that can continue: publickey,password debug1: Trying private key: /root/.ssh/id_rsa_rc_lryd0 debug1: read PEM private key done: type RSA debug1: Authentications that can continue: publickey,password debug1: Offering public key: /root/.ssh/id_rsa_666 debug1: Server accepts key: pkalg ssh-rsa blen 277 debug1: PEM_read_PrivateKey failed debug1: read PEM private key done: type
Enter passphrase for key ‘/root/.ssh/id_rsa_666’:

id_rsa_666 is visible now, and instead of password the ssh clien asks for passphase, enter passphase you used during private/public keys generation to continue the first time login process:


debug1: read PEM private key done: type RSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last login: Thu Feb 6 16:10:05 2020 from 192.168.1.14

Exit from ssh session:


$ exit
logout
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug1: channel 0: free: client-session, nchannels 1
Connection to 10.19.68.191 closed.
Transferred: sent 6648, received 5592 bytes, in 63.3 seconds
Bytes per second: sent 105.0, received 88.4
debug1: Exit status 0
[root@BAMBOO-400 .ssh]#

Connect to server agian, if you are still asked for passphrase do the following:


eval `ssh-agent -s`
ssh-add ~/.ssh/id_rsa_666
Enter passphrase for /root/.ssh/id_rsa_666:
Identity added: /root/.ssh/id_rsa_666 (/root/.ssh/id_rsa_666)
[root@@BAMBOO-400 .ssh]#

Currently it is possible login to 10.19.68.191 without passphase:


# ssh administrator@10.19.68.191
Last login: Fri Feb 7 09:32:00 2020 from 10.199.30.123
[administrator@localhost ~]$

Leave a Reply

Your email address will not be published. Required fields are marked *