There are several scenarios where you might need SSH keys. Some very prominent use-cases a developer might encounter:
- Remote access to a server with SSH
- Git(Hub) deploy key to grant access to a single repository
- Signing files
In the following example we will generate an RSA key with the
RSA (Rivest–Shamir–Adleman) - a very common crypto system. Since the public key is used for encryption and the private key for decryption it’s a so call asymmetric encryption.
Please see the post Using AES with OpenSSL to Encrypt Files for a sample of symmetric encryption.
$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/Users/devop/.ssh/id_rsa): sample_id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in sample_id_rsa. Your public key has been saved in sample_id_rsa.pub. The key fingerprint is: SHA256:nT1o2jRiziTVJQM70ySkfB5evSr1wrtoZeWNah45n+M firstname.lastname@example.org The key's randomart image is: +---[RSA 2048]----+ | .+.+ . | | . . * = | | o B + . | | = * +.. | | . S Oo+o | | * Oo=o.. | | =oO.. | | .oo*.. | | ..o+oE. | +----[SHA256]-----+
Two new files appeared in the working directory:
-rw------- 1 devop wheel 1675 Nov 29 10:33 sample_id_rsa -rw------- 1 devop wheel 406 Nov 29 10:33 sample_id_rsa.pub
You can easily spot the public key which has the additional
.pub in the filename.
A private key usually looks like:
-----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEA4BldLWoDCTE8vn6JQgmpmYBja7VZrcqtpZ65qNpes98rOO2b … 10D7RStVIHlZgziP46cVLNtBw99+6F0TewQsRnxnJvHxLOaop/AU -----END RSA PRIVATE KEY-----
and the public key:
ssh-rsa AAAAB3NzaC1yc2EA…MiWKVIj9Tj email@example.com
Note: You can also check SSH keys with the
$ file sample_id_rsa.pub sample_id_rsa.pub: OpenSSH RSA public key
Add the public key
id_planets_rsa.pub to the server's
.ssh directory and you can access the remote server without entering a password:
$ ssh -i ~/.ssh/id_planets_rsa planets@cloud-provider
Allow your continuous integration pipeline to access a (private) repository via deploy keys. Give the public key to your Git provider (e.g. GitHub) and use the corresponding private key to allow your Jenkins to clone the repository.
Note: In such a scenario you’ll have to generate a SSH key without a passphrase.
Given you want to verify the digest of file
message.txt that has been signed with a private key. Additionally the signed digest is base64 encoded.
First you need to decode the base64 encoded digest:
$ openssl enc -base64 -A -d -in message.txt.sig.base64 > message.txt.sig
With the digest decoded you can verify the file with the public key (in PKCS #8 format):
$ openssl dgst -sha256 -verify sample_id_rsa.pub.pem -signature message.txt.sig message.txt Verified OK
If everything is in place you’ll get a
Converting to PKCS #1 and PKCS #8
On first sight both keys look the same.
On second sight you can spot the difference: An additional
RSA in the enclosing comment.
$ ssh-keygen -f sample_id_rsa.pub -e -m pem -----BEGIN RSA PUBLIC KEY----- MIIBCgKCAQEA4BldLWoDCTE8vn6JQgmpmYBja7VZrcqtpZ65qNpes98rOO2bS54t LgJ5Pldl4xRvGgIyXlogyML0RlGHNvSswHaN5rQFbJQVDreF0d+1fvuEIqeSqHlk … i0MC6ePFMHY+wAImdturG8lg37VMxBGwOti/c5Da8Dm9NFV1oVs+fVlEfuACL+2w o5C4Vr9/C3NhfHU1+N6JqDAjIlilSI/U4wIDAQAB -----END RSA PUBLIC KEY-----
ssh-keygen -f sample_id_rsa.pub -e -m pkcs8 -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4BldLWoDCTE8vn6JQgmp mYBja7VZrcqtpZ65qNpes98rOO2bS54tLgJ5Pldl4xRvGgIyXlogyML0RlGHNvSs … y6ZjAfyeZaA2kG8wgE1z5O+DJc36Hnl3i0MC6ePFMHY+wAImdturG8lg37VMxBGw Oti/c5Da8Dm9NFV1oVs+fVlEfuACL+2wo5C4Vr9/C3NhfHU1+N6JqDAjIlilSI/U 4wIDAQAB -----END PUBLIC KEY-----
Another interesting side-note: You can always extract the public key from your private key:
$ openssl rsa -in sample_id_rsa -pubout -out sample_id_rsa.pub.pkcs8 writing RSA key
This will give you the public key in
PKCS #8 format.