Welcome to my site,
SSH (stands for Secure Shell) is a network protocol that encrypts a connection between two machines even over insecure networks and it is well known among Linux / Unix users.
You would either login using your user password (unpreferred) or authenticate using public / private key pair (preferred method).
So how the public / private key pair method work?
Because cryptography is complex I will only explain this method very briefly.
- There’s a tool that will create two random keys that are mathematically correlated (has a mathematical relationship in other words) – this is to be done on your local machine
- The Public key: this is a key where you should place in every server / machine that you would like to connect to securely using SSH (it’s fine if the key goes public)
- The Private key: is the secret key that you should not exchange with others and it will resides only on your private machines
STILL NOT CONVINCED!!! WE’RE NOT FINISHED …
- The magic is that the relationship between the two keys let the private key decrypt any message that were encrypted by the public key
- Now refer to the below illustration image while going through the next points
- So your PC will ask the server for a login
- The Server will send an encrypted message (using the public key of course) and no one except you (who have the private key) should be able to decrypt it and send it back to the server as a proof that you are the authorized person to login
- BOOM!! You are in the terminal (connected to the server) without a password.
Image Source: digitalocean.com
Thinks it’s insecure because you are not providing a password?!
- Well the keys are more lengthy than what your password will be (take time to break if private key is stolen and you can change to new pair)
- plus the magical relationship helps achieving the secured connection given that your private key will remain secret (the public key is ok to travel to your server over the internet even if someone try to eavesdrop)
What if my keys are stolen?
- First, the private key can be protected using any passphrase (can be different from your login password) so that if stolen, it will buy you sometime to change to a new pair again before the hacker can decrypt your private key.
- Clean your server and local machine(s) from the existing keys
- Switch to a new pair of keys and repeat the process
If something I said is not accurate, please let me know so that I verify and correct it.