Understanding ssh key pair

I am trying to generate SSH keys so I don't have to log in to my VPS using a password. I looked at some tutorials and they ask to run this command, ssh-keygen, on the local machine so a key pair can be generated.
This doesn't make any sense as to why I have to generate ssh keys on the local machine and not the remote machine to which I want to connect? Doesn't Oracle Cloud work the same way, i.e. when you create a new VM then it provides you with the private key? You download that key to your local machine to connect to the Oracle VM.

So shouldn't I be generating keys on the remote VPS and then downloading the private key to connect?

Besides, all those tutorials are for Linux and some of the commands are not available on Windows, such as ssh-copy-id, so I had to manually copy the public key from the local machine to the remote VPS in authorized_key, but it seems it didn't work because when I did cat authorized_key then it was empty.

Comments

  • yoursunny (Member, IPv6 Advocate)

    Install Git for Windows and you'll have many Linux commands on Windows.

  • You can generate a keypair on a server, but it's generally not recommended.

    My advice would be to generate a keypair on your local system so your private key does not even leave your local system, whereas when you download the private part from the server the key goes over the internet. Not really a huge concern in my opinion, but it's a consideration to make.

    If you generate on local system, copy the public key and paste this in the file ~/.ssh/authorized_keys. Make sure the file has the correct permissions: chmod 0600 ~/.ssh/authorized_keys.

    If you copy the public key and paste it in the authorized_keys file and you check that file and it's not there, you're doing something wrong.

  • @alilet said:
    This doesn't make any sense as to why I have to generate ssh keys on local machine and not remote machine to which I want to connect?

    In a key pair there is a "private" key and a "public" key. The private key, ideally, is one that is created, stored, and restricted to a system where you can be most confident that no unauthorized person would ever gain access to it. Depending on your level of paranoia, this could even be on a system that is effectively unreachable or inaccessible to anyone but you (e.g., an air gap separates the hardware from any other network or device).

    In practice, many people create a single key pair this way, so you may never need to do this again as long as your secret key is reasonably safe. Then you can put your public key on all your remote systems.

    If you do as you suggest, then you create a unique key pair on each system that wouldn't be the worst thing in some circumstances, but it is probably both unnecessary and potentially problematic. You certainly would not want to re-use that key pair on other systems, since anyone who has or gains access to one system can then potentially gain access to all of them.

    Besides all those tutorials are for Linux and some of the commands are not available on Windows such as ssh-copy-id so I had to manually copy public key from local machine to remote VPS in authorized_key but seems it didn't work because when I did cat authorized_key then it was empty.

    Most likely you should be putting your public key in ~/.ssh/authorized_keys.

  • @alilet said:

    This doesn't make any sense as to why I have to generate ssh keys on local machine and not remote machine

    Many people use the same keypair to connect to multiple different servers. The private key is a sensitive secret. When you generate it on a remote server your provider is able to view it (as well as hackers, data breaches etc) so the best practice is to generate your keypair on local machine.

  • @jtk said:

    @alilet said:
    This doesn't make any sense as to why I have to generate ssh keys on local machine and not remote machine to which I want to connect?

    In a key pair there is a "private" key and a "public" key. The private key, ideally, is one that is created, stored, and restricted to a system where you can be most confident that no unauthorized person would ever gain access to it. Depending on your level of paranoia, this could even be on a system that is effectively unreachable or inaccessible to anyone but you (e.g., an air gap separates the hardware from any other network or device).

    In practice, many people create a single key pair this way, so you may never need to do this again as long as your secret key is reasonably safe. Then you can put your public key on all your remote systems.

    If you do as you suggest, then you create a unique key pair on each system that wouldn't be the worst thing in some circumstances, but it is probably both unnecessary and potentially problematic. You certainly would not want to re-use that key pair on other systems, since anyone who has or gains access to one system can then potentially gain access to all of them.

    Besides all those tutorials are for Linux and some of the commands are not available on Windows such as ssh-copy-id so I had to manually copy public key from local machine to remote VPS in authorized_key but seems it didn't work because when I did cat authorized_key then it was empty.

    Most likely you should be putting your public key in ~/.ssh/authorized_keys.

    Great! Now I understand. I know about private/public keys and how they work, but I didn't know the difference between creating keys on the remote machine vs the local one when using ssh.

  • FFS, if your tutorial didn't say to use PuTTYgen on Windows, get a new tutorial.

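A manual stand-in for ssh-copy-id that follows the steps given in the second reply (append the public key to ~/.ssh/authorized_keys, then fix its permissions) and jtk's note on the file name, written as an added example for this thread and not code posted by any participant. It assumes a POSIX shell on the VPS (or Git Bash on Windows, as yoursunny suggests) and that the .pub file has already been copied over; the sample key in the comments is constructed, not a real key.

```shell
# Added example (not code from the thread): a hand-rolled replacement for
# ssh-copy-id for systems that lack it. Run on the VPS after copying the
# public key file over:   install_authorized_key ~/id_ed25519.pub
# It appends the key to ~/.ssh/authorized_keys (plural, with an "s"), creates
# ~/.ssh if needed, refuses input that is not an OpenSSH public key, never adds
# the same key twice, sets the permissions sshd requires, and prints how many
# lines in the file now match the key, so you can see that it actually landed.
install_authorized_key() {
    keyfile=$1
    sshdir=${2:-$HOME/.ssh}            # second argument exists only for testing
    key=$(head -n 1 "$keyfile") || return 1
    # An OpenSSH public key line looks like "<type> <base64 blob> [comment]",
    # e.g. the constructed "ssh-ed25519 AAAAC3Nz...NotARealKey alilet@laptop".
    case $key in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp"*) ;;
        *) echo "not an OpenSSH public key: $keyfile" >&2; return 1 ;;
    esac
    # Match on type + blob only; the trailing comment may differ between copies.
    keyid=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    authfile=$sshdir/authorized_keys
    # Create the directory and file under a private umask in a subshell, so the
    # caller's umask is untouched and nothing is ever world-readable.
    ( umask 077 && mkdir -p "$sshdir" && touch "$authfile" ) || return 1
    if grep -qF -- "$keyid" "$authfile"; then
        echo "key already present in $authfile" >&2
    else
        printf '%s\n' "$key" >> "$authfile"
    fi
    # sshd (StrictModes) silently ignores the file if it or ~/.ssh is writable
    # by group or others, which looks exactly like "my key doesn't work".
    chmod 700 "$sshdir" && chmod 600 "$authfile"
    # Verify, as the replies recommend: count the lines that match the key.
    grep -cF -- "$keyid" "$authfile"
}
```

If the count printed is 0 or the function fails, the key was never written; check the file name and that you pasted the .pub line, not the private key.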