ssh

Tips and tricks for working with ssh

Create an SSH Key

ED25519 is generally the better choice over RSA 4096: the keys are short, signing and verification are fast, and there is no key size to get wrong. OpenSSH has supported it since version 6.5, so fall back to RSA 4096 only for a server or client that cannot do ED25519

# Create an ED25519 key pair (writes new_key and new_key.pub)
ssh-keygen -t ed25519 -f ~/.ssh/new_key

# Create a 4096-bit RSA key pair (only where ED25519 is not supported)
ssh-keygen -t rsa -b 4096 -f ~/.ssh/new_key

# Add this to either command to create the key without a passphrase
# (useful for automation; the private key is then protected only by file permissions)
-N ""

# Either command outputs two files: the private key and the public key
new_key
new_key.pub

Add an SSH Key to the authorized_keys file

If you have code execution as some user on a system that runs an SSH server, you can append your public key to that user's ~/.ssh/authorized_keys and then log in as that user with the matching private key, provided sshd is running and reachable, public-key authentication is enabled (PubkeyAuthentication yes, the default) and the account is not blocked by AllowUsers/DenyUsers or a disabled login shell

  • The public key goes on the system you want to SSH into, in ~/.ssh/authorized_keys of the target user; the private key stays with you and is what you authenticate with

  • sshd runs with StrictModes yes by default and silently ignores authorized_keys if ~/.ssh or the file is group- or world-writable or not owned by the user, so if the login fails check the permissions (700 on ~/.ssh, 600 on authorized_keys) before anything else

# Option 1, from your own machine: copy the public key into the target user's
# authorized_keys (needs some existing way to log in, e.g. a password)
ssh-copy-id -i ~/.ssh/new_key.pub user@host

# Option 2, from a shell you already have on the target: create ~/.ssh, append
# the public key line, then set permissions so StrictModes accepts the file
mkdir -p ~/.ssh && chmod 700 ~/.ssh
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJheI2Qn4O8UamoMG8AgWL4YvH2YPtUQUl6ERRczNWZE parallels@kali-linux-2024-2" >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

# If the .pub file itself is already on the target, append it directly
cat ~/.ssh/new_key.pub >> ~/.ssh/authorized_keys

# Check: the public key line should now be present in ~/.ssh/authorized_keys on the target
cat ~/.ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJheI2Qn4O8UamoMG8AgWL4YvH2YPtUQUl6ERRczNWZE parallels@kali-linux-2024-2
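The steps above done as one reusable script, added here as an example rather than taken from the original page: it validates the key line, creates ~/.ssh and authorized_keys with the permissions StrictModes expects, and refuses to add a key that is already present even if the existing entry has different options or a different comment. It is plain POSIX sh and needs no OpenSSH tooling on the target; the sample key used in the demo is the one shown above, and the directory argument is only there so it can be exercised against a throwaway directory.

```sh
#!/bin/sh
# Added example, not from the original page: install a public key into a
# user's authorized_keys the way sshd's StrictModes expects it (~/.ssh 700,
# authorized_keys 600, owned by the user) without adding duplicate entries.
# POSIX sh only; needs no ssh tooling on the target.

nl='
'

# 0 if $1 is one well-formed authorized_keys entry:
# [options] keytype base64blob [comment], with no embedded newline.
# Limitation: an options field containing spaces (command="ls -l") is rejected.
valid_key_line() {
    case $1 in *"$nl"*) return 1;; esac
    printf '%s\n' "$1" | grep -Eq \
      '^([^ ]+ )?(ssh-(ed25519|rsa|dss)|ecdsa-sha2-nistp(256|384|521)|sk-(ssh-ed25519|ecdsa-sha2-nistp256)@openssh\.com) [A-Za-z0-9+/]+=*( [^[:cntrl:]]*)?$'
}

# "keytype blob" of an entry, ignoring any options prefix and the comment;
# two entries with the same pair grant the same key whatever else they say
key_id() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(ssh-|ecdsa-|sk-)/) { print $i, $(i + 1); exit }
    }'
}

# install_authorized_key KEYLINE [HOME]
# returns 0 if installed or already present, 1 on filesystem error, 2 if the line is malformed
install_authorized_key() {
    key=$1
    dir=${2:-$HOME}/.ssh
    file=$dir/authorized_keys

    if ! valid_key_line "$key"; then
        echo "refusing to install malformed authorized_keys line" >&2
        return 2
    fi

    # umask 077 so the directory and file are never world-readable, even briefly
    (umask 077 && mkdir -p "$dir") || return 1
    chmod 700 "$dir" || return 1

    if [ -f "$file" ] && grep -Fq -- "$(key_id "$key")" "$file"; then
        echo "key already present in $file" >&2
        return 0
    fi
    (umask 077 && printf '%s\n' "$key" >> "$file") || return 1
    chmod 600 "$file" || return 1
    echo "installed key into $file" >&2
}

# Number of non-empty, non-comment entries in HOME's authorized_keys
count_authorized_keys() {
    f=${1:-$HOME}/.ssh/authorized_keys
    [ -f "$f" ] || { echo 0; return 0; }
    grep -Evc '^[[:space:]]*(#|$)' "$f" || true
}

# Usage: . ./install_key.sh; install_authorized_key "$(cat ~/.ssh/new_key.pub)"
# Run with --demo to exercise it against a throwaway directory instead of $HOME
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    # Constructed sample: the public key shown on this page
    k='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJheI2Qn4O8UamoMG8AgWL4YvH2YPtUQUl6ERRczNWZE parallels@kali-linux-2024-2'
    install_authorized_key "$k" "$demo"
    install_authorized_key "from=\"10.0.0.0/8\" $k" "$demo"   # same key, different options: not added twice
    install_authorized_key 'not a key' "$demo" || echo "rejected with status $?"
    echo "entries: $(count_authorized_keys "$demo")"
    ls -la "$demo/.ssh"
fi
```

The duplicate check compares only the key type and the base64 blob, so re-running it after a tool such as ssh-copy-id (which appends unconditionally) does not pile up copies of the same key; the permission handling is what most hand-rolled one-liners forget and the usual reason a freshly added key is ignored.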

Generate a Public Key from a Private Key

  • With access to a private key, the corresponding public key can be regenerated from it; the .pub file is only a convenience copy

  • This is useful when the .pub file has been lost, and during an assessment when a private key turns up on a host: the regenerated public key can be compared with authorized_keys files to see where the key grants access, and the key's comment hints at who created it and where (by default user@host of the generating machine). The comment is free text, can be set to anything with -C, and is only stored in the OpenSSH private-key format, so older PEM-format keys carry none

# Prints the public key to stdout; prompts for the passphrase if the private key has one
ssh-keygen -y -f ~/.ssh/new_key > ~/.ssh/new_key.pub
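Putting that to use, here is an added example (not from the original page) for the situation where a private key is found on a host: regenerate the public key, read the stored comment, and search an authorized_keys file for entries with the same fingerprint, so you know which accounts the key actually opens. It requires OpenSSH's ssh-keygen; the key and authorized_keys file in the demo are constructed on the fly and the paths are illustrative.

```sh
#!/bin/sh
# Added example, not from the original page: given a private key found on a
# host, regenerate its public key, read the embedded comment, and search an
# authorized_keys file for the entries where that key grants access.
# Requires OpenSSH's ssh-keygen; paths and names are illustrative.

# SHA256 fingerprint of private key $1. ssh-keygen -y regenerates the public
# key (prompting for the passphrase if there is one); -lf - fingerprints it
privkey_fingerprint() {
    ssh-keygen -y -f "$1" | ssh-keygen -lf - | awk '{ print $2 }'
}

# Comment stored in private key $1. Recent OpenSSH prints it after the key
# blob; it is empty for PEM-format keys or older versions. By default it is
# user@host of the machine that generated the key, but it is free text.
privkey_comment() {
    ssh-keygen -y -f "$1" | awk '{ $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# Print "<file>:<line>: <entry>" for every entry of authorized_keys file $2
# whose fingerprint equals that of private key $1; return 0 if any matched.
# Entries are fingerprinted one by one so options prefixes (from=, command=)
# and comments do not matter, only the key itself.
find_in_authorized_keys() {
    fp=$(privkey_fingerprint "$1")
    [ -n "$fp" ] || return 2
    rc=1
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue;; esac
        lfp=$(printf '%s\n' "$line" | ssh-keygen -lf - 2>/dev/null | awk '{ print $2 }')
        if [ -n "$lfp" ] && [ "$lfp" = "$fp" ]; then
            printf '%s:%d: %s\n' "$2" "$n" "$line"
            rc=0
        fi
    done < "$2"
    return $rc
}

# Usage: . ./keymatch.sh; find_in_authorized_keys /home/www/.ssh/id_ed25519 /root/.ssh/authorized_keys
# Run with --demo to see it against constructed keys in a temporary directory
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -C 'alice@workstation' -f "$demo/found_key"
    ssh-keygen -q -t ed25519 -N '' -C 'bob@other' -f "$demo/other_key"
    # Constructed authorized_keys: bob's key, then alice's key restricted by source
    { cat "$demo/other_key.pub"; printf 'from="10.0.0.0/8" '; cat "$demo/found_key.pub"; } > "$demo/authorized_keys"
    echo "comment:     $(privkey_comment "$demo/found_key")"
    echo "fingerprint: $(privkey_fingerprint "$demo/found_key")"
    find_in_authorized_keys "$demo/found_key" "$demo/authorized_keys"
fi
```

Matching by fingerprint rather than by grepping for the base64 blob is deliberate: it also works when the authorized_keys entry was written with options or a different comment, and the same fingerprints are what sshd logs ("Accepted publickey ... SHA256:..."), so a hit here can be correlated directly with the server's auth log.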

Specify a Specific SSH Key to Use

  • ssh offers the keys held by the agent (and the default identity files) one after another, and sshd counts every offered key as an authentication attempt; once MaxAuthTries (default 6) is exceeded it drops the connection with "Too many authentication failures", so a client with more than a handful of agent keys can be rejected before the right key is even offered

  • The fix is -o IdentitiesOnly=yes, which tells ssh to offer only the identity given with -i (or IdentityFile in ~/.ssh/config) and to ignore the other keys the agent holds; the agent is still used to sign with that key if it is loaded. Putting the same two settings in a Host block of ~/.ssh/config makes it permanent, and ssh -v shows which keys are being offered if a login still fails

ssh -i ~/.ssh/my_key -o "IdentitiesOnly=yes" user@host

Certificate-based Authentication for SSH

  • SSH certificates are public keys signed by a Certificate Authority (CA) key. The server trusts the CA's public key (TrustedUserCAKeys in sshd_config) instead of individual authorized_keys entries, so access depends on holding a valid, unexpired certificate rather than on a password or a raw public key copied onto every host. The cost is operating the CA and a signing process, and the CA private key becomes a high-value target that needs protecting

  • A certificate also carries metadata: a key ID that sshd logs on every login, the principals (account names) it may log in as, a validity interval so access expires on its own, and critical options and extensions such as source-address or force-command, which together support role-based access control
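The workflow those two points describe, as an added example using only ssh-keygen (this is not code from the original page): create a CA, sign a user's key with a key ID, principals, a short validity window and restricted options, print the sshd_config lines a server needs, and run the checks an auditor would run on a certificate. The CA key name, the user, the principals alice and deploy, and the 10.0.0.0/8 source range are illustrative; the config is printed, not applied.

```sh
#!/bin/sh
# Added example, not from the original page: a minimal OpenSSH user-certificate
# workflow. CA key paths, user name, principals and the address range are
# illustrative; requires ssh-keygen. sshd_config changes are printed, not applied.

# 1. Create the CA signing key. In production this lives offline or in an
#    HSM/KMS; only user_ca.pub is distributed to servers.
make_ca() {            # $1 = directory that receives user_ca and user_ca.pub
    ssh-keygen -q -t ed25519 -N '' -C 'user-ca' -f "$1/user_ca"
}

# 2. Sign a user's public key, producing <name>-cert.pub next to <name>.pub.
#    -I  key id, logged by sshd on every login (who was issued this cert)
#    -n  principals: the account names the certificate may log in as
#    -V  validity interval start:end; relative times are accepted, and
#        starting a few minutes in the past tolerates clock skew
#    -O  critical options and extensions; -O clear drops the default
#        permissions so only the ones listed afterwards remain
sign_user_key() {      # $1 = CA private key, $2 = user .pub, $3 = key id, $4 = principals, [$5 = validity]
    validity=${5:-"-5m:+8h"}
    ssh-keygen -q -s "$1" -I "$3" -n "$4" -V "$validity" \
        -O clear -O permit-pty -O source-address=10.0.0.0/8 "$2"
}

# 3. Server side: trust the CA and map principals to local accounts. Without
#    an AuthorizedPrincipalsFile the certificate must list the target account
#    name itself as a principal.
sshd_ca_config() {     # $1 = path of user_ca.pub on the server
    cat <<EOF
# Accept user certificates signed by this CA (no per-user authorized_keys needed)
TrustedUserCAKeys $1
# One file per account listing the principals allowed to log in as it
AuthorizedPrincipalsFile /etc/ssh/auth_principals/%u
EOF
}

# Checks on an issued certificate, parsed from ssh-keygen -L output:
# which principals it names, which CA signed it, and its critical options.
cert_has_principal() { # $1 = certificate, $2 = principal name
    ssh-keygen -L -f "$1" | awk '
        /^        Principals:/ { p = 1; next }
        p && /^        [A-Za-z]/ { p = 0 }
        p { print $1 }' | grep -qx -- "$2"
}

cert_signed_by() {     # $1 = CA public key, $2 = certificate; 0 if that CA signed it
    cafp=$(ssh-keygen -lf "$1" | awk '{ print $2 }')
    ssh-keygen -L -f "$2" | grep -F 'Signing CA' | grep -Fq -- "$cafp"
}

cert_option() {        # $1 = certificate, $2 = critical option name; prints its value
    ssh-keygen -L -f "$1" | awk -v o="$2" '
        /^        Critical Options:/ { p = 1; next }
        p && /^        [A-Za-z]/ { p = 0 }
        p && $1 == o { print $2 }'
}

# Run with --demo to issue a certificate in a temporary directory and inspect it
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    make_ca "$demo"
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$demo/alice"
    sign_user_key "$demo/user_ca" "$demo/alice.pub" alice@laptop alice,deploy
    ssh-keygen -L -f "$demo/alice-cert.pub"
    echo "--- add to sshd_config on each server:"
    sshd_ca_config /etc/ssh/user_ca.pub
    cert_has_principal "$demo/alice-cert.pub" deploy && echo "deploy: allowed"
    cert_has_principal "$demo/alice-cert.pub" root || echo "root: not allowed"
fi
```

The client then logs in with the certificate beside the key (ssh -i alice, with alice-cert.pub found automatically) and the server needs no authorized_keys for that user; when the validity window passes, the same key stops working without anyone touching the server, which is the operational advantage over static keys.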
