How do SSH keys work?
An SSH key actually consists of a pair of keys: public and private. A public key can be thought of as a lock on a door that fits only a single key, while the private key is the key that fits the lock. Just as with a physical key, a private key should be protected and kept out of others' hands.
SSH keys are far more secure than a username and password because the private key never leaves your machine: the client proves possession of it with a digital signature, and the server only needs the public key to check that signature. A password login lets an attacker "brute-force" your account by guessing passwords over the network. A private key has far too many possible values to guess (a 2048-bit RSA or 256-bit Ed25519 key cannot be brute-forced), and the public key alone does not let anyone log in.
You can further protect your private key by adding a passphrase to it. The passphrase encrypts the key file on disk, so even if the file falls into the wrong hands an attacker would still need the passphrase before they could use it. Note that the passphrase is only ever checked on your own machine and never reaches the server, so it protects the key file rather than acting as a server-side second factor; if you need a second factor at login time, configure it on the server (see the note on selecting multiple authentication methods below).
How does JumpCloud help with SSH key management?
Whether there are one or many key pairs to distribute to one or more systems, JumpCloud allows one or more public keys to be stored with the user in the JumpCloud directory. Those public keys are distributed to every system the user is bound to. If the system has public key authentication enabled, that authentication method will be attempted when the user connects to the system via SSH.
WARNING: Never place a private key in JumpCloud. Not only will it not work, but you should always be careful where you place your private keys. Anyone who can obtain your private key can login to all the machines you can!
Here's how we recommend setting up your SSH keys with JumpCloud:
- Generate a public/private SSH key pair on each host you will use to log in to remote hosts. This usually means your local desktop or laptop. Each such host gets its own key pair; for example, if you log in from both a work machine and a home machine, generate a key pair on each and upload both public keys to your account.
- Leave the private key local to the host that generated it, and avoid moving it around (since you don't want it to fall into the wrong hands).
- Upload the public key part of the key pair(s) you've generated to your JumpCloud user account (via the Users tab in the Administrator console, or into the User Portal).
The steps below use the OpenSSH command-line tools on Linux and macOS. Other SSH clients, such as PuTTY on Windows, generate keys with their own tools (PuTTYgen) and store them in their own file formats; whatever client you use, the public key you upload must be in the one-line OpenSSH format shown below.
- Open a terminal window on either your Linux or Mac desktop/laptop
- Run the command ssh-keygen -t rsa and enter a file name in which to save the key, then a passphrase if you like (or press Enter for a blank one). A modern alternative is ssh-keygen -t ed25519, which produces a smaller, faster key; the remaining steps are identical except that the files are named id_ed25519 and id_ed25519.pub.
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/auser/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/auser/.ssh/id_rsa.
Your public key has been saved in /home/auser/.ssh/id_rsa.pub.
The key fingerprint is:
89:97:39:3c:79:10:fb:31:c6:66:6b:fa:cf:1f:4c:e9 firstname.lastname@example.org
The key's randomart image is:
+--[ RSA 2048]----+
(randomart image)
+-----------------+
- The private and public key will now be in the path specified, in this case /home/auser/.ssh/. Only the public key, id_rsa.pub, is uploaded to JumpCloud. Copy the contents of that file; it is a single line consisting of the key type, the base64 key body and a comment, and it must be pasted whole, with no line breaks added and nothing dropped from either end:
$ cat ~/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN767BQgHWR6jbCRara6f1hH5r5mPARWP7+Mqom5Yxgw87sNm/R2dJvpbmNqtBa2Av68QJS4jrhgtecQxXO0mWi+mkdlny9tlkYqYQU/y6WKSNij7UOrlMpFm3+N8BUwacPrRdN7akaO9vuSUhybdFL+eHRGN/BMmIiTEpv5qumSrS5XQlFaeMLvY8xRhuhtnPXWrcidjlaXX6+yR0g3ahLP4zlDqh+PJaWGrl2yA07yXFHMtloIPKeB6BU6NGOpj0QvB9+p2SvC2zCKHG+lF4cXLSXxv4PWxusY5NnHnLTVPY8y3hH84tkflvml77dF4OPc74gO8VRUTYx0r9pRBd email@example.com
- A JumpCloud Administrator can add the public key to the user in the administrator console by going to the user details and selecting 'Add new public key' at the bottom of the details tab. Name the key and paste the contents of the id_rsa.pub file generated above and save.
- A JumpCloud system user can also add their own public key in the User Portal: log in, select Security, then click the + next to 'SSH Keys'. Name the key, paste the contents of the id_rsa.pub file generated above and save.
Uploading the key to the user is not enough on its own; the system the user connects to must also have public key authentication enabled in the JumpCloud console:
- Open the Systems' details side panel
- Select 'Public Key Authentication'
- Click save system
Note: Selecting multiple authentication methods
- If multiple authentication methods are selected (password authentication and public key), users must satisfy every selected method: sshd's AuthenticationMethods directive is set so that all listed methods have to succeed, so a user who has only a key or only a password cannot log in. Exemptions can be made per user or system; see the JumpCloud article "Exceptions to sshd_config AuthenticationMethods requirements".
Problems with SSH keys are usually a permissions issue, or the result of the public key text being damaged during copy/paste (a dropped or added character, a line break inserted into the key body, or a missing ssh-rsa prefix). The private key must be owned by the user and must not be readable by group or others: mode 400 (-r--------) or 600 (-rw-------) are both acceptable, and OpenSSH refuses to use a key whose permissions are "too open". On the remote host, ~/.ssh should be mode 700 and ~/.ssh/authorized_keys mode 600, also owned by the user; with sshd's default StrictModes setting a group- or world-writable home directory, ~/.ssh or authorized_keys is silently ignored. Problems can arise on either the client or the remote host. To troubleshoot the client, run:
ssh -vv username@remotehost
This produces verbose output from the SSH client (use -vvv for even more detail) showing which keys are offered and whether the server accepts any of them, which narrows down where the problem lies.
If there are multiple private keys, force use of the one whose public key is on the remote host:
ssh -i ~/.ssh/id_rsa -o IdentitiesOnly=yes username@remotehost
IdentitiesOnly=yes stops the client from also offering every other key it has loaded in the agent; without it, a client with many keys can exhaust the server's MaxAuthTries limit before the right key is tried.
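The following Python script is an added example for this article (it is not JumpCloud's code or part of the OpenSSH tools). It checks a pasted public key line the way the upload step above needs it and the copy/paste failures described above require: it parses the one-line OpenSSH format, verifies that the base64 body decodes and is internally consistent with the declared key type, reports the key type, size and SHA256 fingerprint (the same value ssh-keygen -lf prints), and checks a private key's file mode against the rule OpenSSH enforces. It uses the sample RSA public key printed on this page; the Ed25519 line inside it is constructed only to show that format and is not a real key. Everything else is standard-library Python, so it runs anywhere with no OpenSSH dependency.

```python
"""Checks for an OpenSSH public key line before it is pasted into a directory
service, plus a private key file-mode check.  Added example for this page;
not JumpCloud code.  Standard library only, no OpenSSH binaries needed."""
import base64
import binascii
import hashlib
import struct

# The sample 2048-bit RSA public key printed on this page (base64 body only).
SAMPLE_BLOB = (
    "AAAAB3NzaC1yc2EAAAADAQABAAABAQDN767BQgHWR6jbCRara6f1hH5r5mPA"
    "RWP7+Mqom5Yxgw87sNm/R2dJvpbmNqtBa2Av68QJS4jrhgtecQxXO0mWi+mk"
    "dlny9tlkYqYQU/y6WKSNij7UOrlMpFm3+N8BUwacPrRdN7akaO9vuSUhybdF"
    "L+eHRGN/BMmIiTEpv5qumSrS5XQlFaeMLvY8xRhuhtnPXWrcidjlaXX6+yR0"
    "g3ahLP4zlDqh+PJaWGrl2yA07yXFHMtloIPKeB6BU6NGOpj0QvB9+p2SvC2z"
    "CKHG+lF4cXLSXxv4PWxusY5NnHnLTVPY8y3hH84tkflvml77dF4OPc74gO8V"
    "RUTYx0r9pRBd"
)
SAMPLE_KEY = "ssh-rsa " + SAMPLE_BLOB + " email@example.com"


def _ssh_string(data):
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, off):
    """Decode one SSH wire-format string starting at offset off; return (data, new_off)."""
    if off + 4 > len(blob):
        raise ValueError("blob truncated: length field missing at byte %d" % off)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("blob truncated: %d bytes declared, %d present" % (n, len(blob) - off))
    return blob[off:off + n], off + n


# A constructed Ed25519 line (32 arbitrary bytes) to show the second format; not a real key.
ED25519_SAMPLE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))).decode() + " constructed@example"


def parse_public_key(line):
    """Parse 'type base64 [comment]' and return type, bit size, exponent (RSA only),
    OpenSSH-style SHA256 fingerprint and comment.  Raises ValueError with a
    message describing what is wrong with the pasted text."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected 'type base64 [comment]', got %d field(s)" % len(fields))
    ktype, body = fields[0], fields[1]
    comment = fields[2] if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(body, validate=True)  # strict: no stray characters allowed
    except binascii.Error as exc:
        raise ValueError("base64 body damaged (%s); a character was dropped or added" % exc)
    inner, off = _read_string(blob, 0)
    if inner != ktype.encode():
        raise ValueError("type %r outside the blob does not match %r inside it" % (ktype, inner))
    exponent = None
    if ktype == "ssh-rsa":
        e_bytes, off = _read_string(blob, off)
        n_bytes, off = _read_string(blob, off)
        exponent = int.from_bytes(e_bytes, "big")
        bits = int.from_bytes(n_bytes, "big").bit_length()  # leading 0x00 pad byte is harmless
    elif ktype == "ssh-ed25519":
        point, off = _read_string(blob, off)
        bits = len(point) * 8
    else:
        raise ValueError("unsupported key type %r" % ktype)
    if off != len(blob):
        raise ValueError("%d unexpected trailing byte(s) in blob" % (len(blob) - off))
    # Same fingerprint ssh-keygen -lf prints: SHA256 over the raw blob, base64, padding stripped.
    fingerprint = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"type": ktype, "bits": bits, "exponent": exponent,
            "fingerprint": fingerprint, "comment": comment}


def check_pasted_key(line):
    """Return (ok, message) so a front end can refuse a damaged paste with a reason."""
    try:
        info = parse_public_key(line)
    except ValueError as exc:
        return False, str(exc)
    return True, "%(type)s %(bits)d bits %(fingerprint)s %(comment)s" % info


def private_key_mode_ok(mode):
    """OpenSSH refuses a private key readable by group or others ("permissions are
    too open"); 0400 and 0600 are both acceptable.  mode may be a raw st_mode."""
    perm = mode & 0o777
    return (perm & 0o077) == 0 and (perm & 0o400) != 0


if __name__ == "__main__":
    print(check_pasted_key(SAMPLE_KEY))
    print(check_pasted_key(ED25519_SAMPLE))
    print(check_pasted_key("ssh-rsa " + SAMPLE_BLOB[:-1]))   # one character lost in the paste
    print(check_pasted_key("ssh-rsa " + SAMPLE_BLOB[:-40]))  # tail of the key lost
    print(private_key_mode_ok(0o644), private_key_mode_ok(0o600))
```

Run it and compare the reported fingerprint with ssh-keygen -lf ~/.ssh/id_rsa.pub on the machine that generated the key; a mismatch, or any of the "truncated" or "damaged" messages, means the text you are about to upload is not the key you generated. The private key file-mode check takes the st_mode from os.stat() directly.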