# Protecting Servers with SSH Keys

SSH (Secure Socket Shell) is a secure network protocol that enables remote access to a computer or device over a network such as the internet. When configured for key-based authentication it uses public-key cryptography to authenticate the user, meaning the user must hold a unique pair of SSH keys to access the system. The SSH keys serve as the access credentials and are used in place of a password, making the authentication process more secure.

Because SSH keys provide access to sensitive resources and perform critical tasks, it is essential to manage them securely, just as you would with any other sensitive credential. Mismanagement or compromise of SSH keys can lead to serious security incidents, such as unauthorized access to sensitive information or data breaches.

SSH is widely used in Unix and Linux environments, where it is considered a standard tool for remote access and management. However, it is also supported on Windows systems, providing a secure alternative to traditional remote access methods such as Telnet and Remote Desktop Protocol (RDP).

We start this lab by generating RSA key pairs. There are many tools available to help you generate key pairs. In this lab we will start with ssh-keygen, which is available on Linux, Mac and Windows.

In this lab we will generate key pairs and use them to secure logons to a server. To log on, the client system must hold the private key that matches the public key installed on the server. The server can be configured to require the key and a password, or just the key. This is particularly useful when establishing machine-to-machine connections, where entering passwords would not be feasible.
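The choice between "key only" and "key and password" is made on the server in its sshd_config. As an added example that is not part of the lab, the following Python works out which of the two a given sshd_config enforces, applying sshd's first-occurrence rule and the fact that a Match line ends the global scope; the sample configurations are constructed for the example.

```python
# Directives that decide whether a key, a password, or both are needed to log in.
AUTH_KEYWORDS = {"pubkeyauthentication", "passwordauthentication", "authenticationmethods"}

def effective_auth_settings(config_text: str) -> dict:
    """Effective global values of the authentication directives in an sshd_config.
    sshd keeps the first occurrence of a keyword and ignores later repeats; directives
    after a Match line apply only to matching connections, so the global scope ends there.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        if keyword == "match":
            break
        if keyword in AUTH_KEYWORDS and keyword not in settings:
            settings[keyword] = parts[1].strip() if len(parts) > 1 else ""
    # Defaults documented in sshd_config(5) for directives that are absent.
    settings.setdefault("pubkeyauthentication", "yes")
    settings.setdefault("passwordauthentication", "yes")
    settings.setdefault("authenticationmethods", "any")
    return settings

def requires_private_key(config_text: str) -> bool:
    """True when no client can log in without its private key.
    In AuthenticationMethods, whitespace separates alternatives and a comma chains methods
    that must all succeed, so "publickey,password" still requires the key.
    """
    s = effective_auth_settings(config_text)
    if s["pubkeyauthentication"].lower() != "yes":
        return False
    if s["passwordauthentication"].lower() == "no":
        return True
    alternatives = s["authenticationmethods"].split()
    return all("publickey" in alt.lower().split(",") for alt in alternatives)

# Constructed sample configurations, not copied from any real server.
WEAK_CONFIG = "PubkeyAuthentication yes\nPasswordAuthentication yes\n"  # password alone works
KEY_ONLY_CONFIG = (
    "PubkeyAuthentication yes\nPasswordAuthentication no\n"
    "# ignored: sshd already took the first PasswordAuthentication value\n"
    "PasswordAuthentication yes\n"
)
KEY_AND_PASSWORD_CONFIG = (
    "PubkeyAuthentication yes\nPasswordAuthentication yes\n"
    "AuthenticationMethods publickey,password\n"
    "Match User backup\n    AuthenticationMethods any\n"  # Match scope is not global
)
```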

***note: these examples use the username "cryptolabs". Change this to the account you will be using.***

### Step 1 - Generate a key pair

On the system you will use as a client to connect to the server:
1. make sure that you have a .ssh folder created in your home directory
1. use the ssh-keygen command to generate a public/private key pair (enter the following into a code cell below):<br>
`ssh-keygen -t rsa -b 4096 -a 100000 -f ~/.ssh/id_rsa <<< y`<br>
This will create a key pair using RSA with a 4096-bit key and save it to the specified path (the `<<< y` answers "y" to the overwrite prompt if a key already exists there). The -a option specifies the number of rounds used by the key derivation function (KDF) that protects the private key with its passphrase; it has no effect if the key is left without a passphrase. A higher number of rounds makes passphrase verification slower, but increases resistance to trial-and-error passphrase cracking.


In [2]:
!ssh-keygen -t rsa -b 4096 -a 100000 -f ~/.ssh/id_rsa <<< y

Generating public/private rsa key pair.
ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory
ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory
Your identification has been saved in /home/parallels/.ssh/id_rsa
Your public key has been saved in /home/parallels/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:Dv5D+Ulw8ZM/BT/BX1T+IcMflSp+vdTfB/nxX+HqtsA parallels@ubuntu-linux-22-04-desktop
The key's randomart image is:
+---[RSA 4096]----+
|              ..*|
|          . . .=o|
|           o =.==|
|        . ..+.+.B|
|      . S+. .o.=+|
|     . oo o. .*+o|
|      ...o E. .=B|
|       .. o ....B|
|        ..  o+. +|
+----[SHA256]-----+


What is the purpose of the fingerprint? How is it created?

The purpose of the fingerprint is to provide a way to verify the identity of a certificate or public key without having to rely on the authenticity of the entire certificate or key. This is important because certificates and keys can be quite large and complex, and it can be difficult to ensure that they have not been tampered with or forged.

A fingerprint is created by applying a hash function to the certificate or key data. A hash function is a mathematical algorithm that takes an input and produces a fixed-size output, known as a hash or digest. The output is a unique and compact representation of the input data that cannot be easily reversed to obtain the original data.

There are various hash functions that can be used to create a fingerprint, such as SHA-256, SHA-1, and MD5. SHA-256 is currently recommended for creating fingerprints as it is more secure and resistant to attacks compared to the other two hash functions.

To create a fingerprint, the hash function is applied to the certificate or key data, and the resulting hash or digest is typically represented as a hexadecimal string of characters. This hexadecimal string is the fingerprint and can be used to compare against the fingerprint of a trusted certificate or key to verify its authenticity and integrity.
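As an added example that is not part of the lab, the following Python reproduces what ssh-keygen prints as `SHA256:...` above: it decodes the base64 blob of a public key line, hashes the raw blob, and base64-encodes the digest without padding; the older MD5 form is the colon-separated hex string described above. The sample key is constructed with an arbitrary 2048-bit modulus and is not a real RSA key; a second key differing in the modulus shows that the fingerprint changes with the key.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: uint32 length, then payload."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (big-endian, 0x00 prefix if high bit set)."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)

def parse_ssh_strings(blob: bytes) -> list:
    """Split a public-key blob into its length-prefixed fields."""
    fields, i = [], 0
    while i < len(blob):
        (length,) = struct.unpack(">I", blob[i:i + 4])
        i += 4
        fields.append(blob[i:i + length])
        i += length
    return fields

def fingerprint(pubkey_line: str) -> dict:
    """Key type, RSA modulus size and fingerprints for one id_rsa.pub / authorized_keys line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)          # the bytes that are hashed, not the base64 text
    fields = parse_ssh_strings(blob)
    if fields[0].decode() != key_type:
        raise ValueError("key type prefix does not match blob")
    sha256_fp = "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5_fp = "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())
    result = {"type": key_type, "sha256": sha256_fp, "md5": md5_fp}
    if key_type == "ssh-rsa":                # fields: "ssh-rsa", e, n
        result["bits"] = int.from_bytes(fields[2], "big").bit_length()
    return result

def make_rsa_pubkey_line(e: int, n: int, comment: str) -> str:
    """Build an OpenSSH public key line from its components."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

# Constructed sample keys: an arbitrary odd 2048-bit modulus, not a real RSA key.
SAMPLE_N = (1 << 2047) | 0x1234567
SAMPLE_KEY = make_rsa_pubkey_line(65537, SAMPLE_N, "cryptolabs@client")
OTHER_KEY = make_rsa_pubkey_line(65537, SAMPLE_N + 2, "cryptolabs@client")
```

Running `fingerprint()` on a real `id_rsa.pub` line gives the same `SHA256:` value as `ssh-keygen -lf ~/.ssh/id_rsa.pub`.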

Run the ssh-keygen command several times with the same parameters. 

What do you notice about the fingerprint? Why do you think that is happening?

In [3]:
!ssh-keygen -t rsa -b 4096 -a 100000 -f ~/.ssh/id_rsa <<< y

Generating public/private rsa key pair.
/home/parallels/.ssh/id_rsa already exists.
Overwrite (y/n)? ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory
ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory
Your identification has been saved in /home/parallels/.ssh/id_rsa
Your public key has been saved in /home/parallels/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:5bm4nMwpjTaLXbjShOL1WyJtAd5QmBuQpELz61NT9aY parallels@ubuntu-linux-22-04-desktop
The key's randomart image is:
+---[RSA 4096]----+
| +oo o.  .       |
|..+ +.  . .      |
|o  .oo .  .o     |
|.  .o+.  oo.     |
|   ..+o SEo      |
|  o +.oo . .     |
| . =.+=o+ .      |
|  . o=BO.+       |
|    .o==B        |
+----[SHA256]-----+


In [4]:
!ssh-keygen -t rsa -b 4096 -a 100000 -f ~/.ssh/id_rsa <<< y

Generating public/private rsa key pair.
/home/parallels/.ssh/id_rsa already exists.
Overwrite (y/n)? ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory
ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory
Your identification has been saved in /home/parallels/.ssh/id_rsa
Your public key has been saved in /home/parallels/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:9/iLR16gVh/TidMiVU1rLsj26+/9AynTR0SGw6sNGMY parallels@ubuntu-linux-22-04-desktop
The key's randomart image is:
+---[RSA 4096]----+
|        .   . +=o|
|         E   =..o|
|        . o . *+.|
|         ..o+==+.|
|        S .**+=+ |
|         .+*o=+. |
|         ..o+oo  |
|           oo ...|
|          ..++oo=|
+----[SHA256]-----+


In [5]:
!ssh-keygen -t rsa -b 4096 -a 100000 -f ~/.ssh/id_rsa <<< y

Generating public/private rsa key pair.
/home/parallels/.ssh/id_rsa already exists.
Overwrite (y/n)? ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory
ssh_askpass: exec(/usr/bin/ssh-askpass): No such file or directory
Your identification has been saved in /home/parallels/.ssh/id_rsa
Your public key has been saved in /home/parallels/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:gGP9Lq6JPSXq+VfgMCm0+nZoPF108aeMi7Cs2zXKTHk parallels@ubuntu-linux-22-04-desktop
The key's randomart image is:
+---[RSA 4096]----+
|                 |
|  .  o  .        |
| . .+.o  o       |
|  o.+.oo. . .    |
| . . = oSo o     |
|.   o.+.o o      |
| o =o*Eo..       |
|  OO**oo.        |
| +**X+.          |
+----[SHA256]-----+


The fingerprint is the image version of the hash.
The fingerprint is different every time.
Each hash is different because every time you create a new private and public key, the hash result(s) should be different.
The key's randomart image lets a technical user clearly recognize a difference in the hash.

#### -- Try Logging In

Open a command shell and try logging on to your server:

`ssh cryptolabs@127.0.0.1`

Notice that it asks for a password. You can press Ctrl-C to abandon the login, or type `exit` if you completed it.


Connection SUCCESSFUL. Make sure to install openssh-server first:

```bash
sudo apt-get update
sudo apt-get install openssh-server
sudo systemctl start ssh
sudo systemctl enable ssh
sudo systemctl status ssh
```




### Step 2 - Copy your public SSH key to the server

From the command shell run:

`ssh-copy-id -i ~/.ssh/id_rsa.pub cryptolabs@127.0.0.1`

(The path must not be single-quoted: quoting `~` stops the shell from expanding it to your home directory, and ssh-copy-id will not find the key file.)

### Step 3 - Login to the server

From the <u>command shell</u> run:

`ssh -i ~/.ssh/id_rsa cryptolabs@127.0.0.1 -v`



This should log you in without being prompted for a password.

On the server, there should now be an authorized_keys file containing the client's public key:

`cat ~/.ssh/authorized_keys`

In [12]:
!cat ~/.ssh/authorized_keys

Copy the contents of the authorized_keys file into the cell below.

---


It should be noted that the key format used by ssh-keygen is not the same as the format used by OpenSSL. This can cause interoperability problems. However, both offer options to convert key files between formats.

---
### This concludes the lab.

Use File > Save and Export Notebook as... > PDF