Updated 19 days ago | GitHub

SSH Keys

SSH keys provide authentication using Public-Key Cryptography to identify trusted computers without involving passwords.

SSH keys must be configured before they can be used. First, the user generates a key pair: a public key and a private key. The user installs the public key on the remote server (with OpenSSH, in that account's ~/.ssh/authorized_keys) and keeps the private key on their own computer. The private key is the only secret in the scheme; the public key, as its name says, can be shared freely.

When the user attempts to log in to the remote server, the SSH client and server first establish an encrypted transport channel; the key exchange that sets it up also yields a session identifier that is unique to this connection. To prove possession of the private key, the client signs a message made of that session identifier and the fields of its authentication request (user name, service, method, key algorithm and the public key itself) and sends the signature to the server. The server rebuilds the same message from its own view of the session and the request and verifies the signature with the public key it has on file for that user. (RFC 4252 § 7)

The remote server authenticates the user because only the holder of the matching private key could have produced a signature that verifies against that public key, and because the signed message includes the session identifier, a captured signature cannot be replayed on a different connection. So instead of a password, authentication rests on two things: (1) the public key being listed for that user on the remote server, and (2) the matching private key being present, and usable, on the user’s computer.
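The signing and verifying steps described above, as an added example that is not from this page or from any SSH implementation: it builds the exact byte string of RFC 4252 § 7 with Go's standard library and signs it with Ed25519, using the ssh-ed25519 key blob encoding of RFC 8709. The session identifiers, user names and key are constructed for the demonstration, and the helper names are this example's own. The negative cases show what binding the signature to the session identifier buys: the same signature is rejected under a different session, for a different user, and against a different key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// SSH_MSG_USERAUTH_REQUEST message number (RFC 4252 §5).
const msgUserauthRequest = 50

// putString writes an SSH "string": a big-endian uint32 length followed by
// the bytes (RFC 4251 §5).
func putString(buf *bytes.Buffer, s []byte) {
	var l [4]byte
	binary.BigEndian.PutUint32(l[:], uint32(len(s)))
	buf.Write(l[:])
	buf.Write(s)
}

// ed25519KeyBlob encodes a public key as the "ssh-ed25519" key blob
// (RFC 8709 §4): string "ssh-ed25519", string key.
func ed25519KeyBlob(pub ed25519.PublicKey) []byte {
	var b bytes.Buffer
	putString(&b, []byte("ssh-ed25519"))
	putString(&b, pub)
	return b.Bytes()
}

// signedData builds the byte string the client signs for the publickey
// method (RFC 4252 §7). The session identifier comes first, so the
// signature is valid only on the connection it was made for.
func signedData(sessionID []byte, user string, keyBlob []byte) []byte {
	var b bytes.Buffer
	putString(&b, sessionID)
	b.WriteByte(msgUserauthRequest)
	putString(&b, []byte(user))
	putString(&b, []byte("ssh-connection"))
	putString(&b, []byte("publickey"))
	b.WriteByte(1) // boolean TRUE: a signature follows
	putString(&b, []byte("ssh-ed25519"))
	putString(&b, keyBlob)
	return b.Bytes()
}

// clientSign is the client's step: sign the request with the private key.
func clientSign(priv ed25519.PrivateKey, sessionID []byte, user string) []byte {
	pub := priv.Public().(ed25519.PublicKey)
	return ed25519.Sign(priv, signedData(sessionID, user, ed25519KeyBlob(pub)))
}

// serverVerify is the server's step: rebuild the same byte string from its
// own session identifier and the key it has on file for the user, then
// check the signature. The server never sees the private key.
func serverVerify(authorizedPub ed25519.PublicKey, sessionID []byte, user string, sig []byte) bool {
	data := signedData(sessionID, user, ed25519KeyBlob(authorizedPub))
	return ed25519.Verify(authorizedPub, data, sig)
}

func main() {
	// Constructed demo material: a fresh key pair and two random 32-byte
	// "session identifiers" standing in for the exchange hash of two connections.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sessionA := make([]byte, 32)
	sessionB := make([]byte, 32)
	rand.Read(sessionA)
	rand.Read(sessionB)

	sig := clientSign(priv, sessionA, "alice")
	fmt.Println("same session, same user:     ", serverVerify(pub, sessionA, "alice", sig))
	fmt.Println("replayed on another session: ", serverVerify(pub, sessionB, "alice", sig))
	fmt.Println("replayed for another user:   ", serverVerify(pub, sessionA, "bob", sig))
}
```

A real server additionally checks that the key blob in the request is one of the keys listed for that user before it bothers to verify the signature, and the client's request carries the signature itself wrapped as string "ssh-ed25519", string signature; both are omitted here to keep the focus on what is signed.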

Advantages

The primary advantage is that SSH keys only allow access from computers that hold a previously “blessed” private key. No login password is sent, so there is no password to guess, phish or steal from a breached server. In fact, it is possible to disable password logins to a server completely and allow access with SSH keys only (in OpenSSH: PasswordAuthentication no in sshd_config, together with KbdInteractiveAuthentication no so that a PAM prompt cannot reintroduce passwords). The private key then becomes the secret to protect; it is much harder to steal than a simple password, since it never leaves the client machine, but anyone who obtains a copy can use it, so it should be protected with a passphrase.

Another advantage is that the same public key can be installed on many servers. There is no risk in having one of the public keys exposed: they are meant to be public and reveal nothing about the private key. The only caveat is that a public key is an identifier, so the same key appearing on many systems links those accounts to each other.

SSH keys are great for admins and developers who frequently connect to servers via SSH or SFTP. Git supports SSH as a transport, and GitHub accepts SSH keys for authenticating pushes and pulls to repositories.

Disadvantages

The primary advantage of SSH keys can also be a disadvantage: they only allow access from “blessed” computers. A server administrator who is away from their own computer cannot simply use another machine with a username and password to get access. They would need to have password logins enabled as well, or carry the private key with them, which reintroduces the risk of it being copied.

SSH keys are only usable for SSH connections and for protocols carried over SSH, such as SFTP and SCP. Browsers do not use SSH for website logins, so SSH keys offer little benefit to regular users.