Setting Up SSH

What is SSH?

SSH (Secure Shell) is a protocol used to securely connect to remote machines. It allows encrypted data transmission, enabling you to access a remote machine’s shell and execute commands as if you were using the local terminal.

Installing SSH

Before using SSH, ensure that it is installed on both the client (your local machine) and the server (remote machine).

# On Linux or macOS, SSH is typically pre-installed. To check if it's installed, use:
ssh -V

# To install SSH on Ubuntu or Debian-based systems:
sudo apt update
sudo apt install openssh-client openssh-server

# On CentOS or Fedora:
sudo dnf install openssh-clients openssh-server

# On Windows, use the built-in OpenSSH client (available from Windows 10) or download PuTTY.

Enabling SSH Service on Linux (Server-Side)

If you are connecting to a remote Linux server, ensure that the SSH service is enabled and running:

# To start the SSH service (Linux):
sudo systemctl enable ssh
sudo systemctl start ssh

Basic SSH Key Setup

Step 1: Generating an SSH Key Pair

To generate an SSH key pair, run the following command in your terminal:

$ ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

  • The -t option specifies the type of key to create. In this case, we’re using RSA.

  • The -b option defines the number of bits in the key. 4096 is a good length for strong encryption.

  • The -C option is a comment, usually your email address, to label the key.

You will be prompted to choose a file location to save the key (default is ~/.ssh/id_rsa) and optionally enter a passphrase to protect the private key.

Step 2: Adding Your SSH Key to the SSH Agent

After generating the key, you need to add it to the SSH agent, which manages your private keys and passphrases:

$ eval "$(ssh-agent -s)"
$ ssh-add ~/.ssh/id_rsa

This will add your newly created private key to the agent.

Step 3: Adding Your Public Key to the Remote Server

To authenticate to a remote server using SSH, you must add your public key to the ~/.ssh/authorized_keys file on the remote server:

$ ssh-copy-id user@remote-server

This command copies your public key to the remote server and adds it to the authorized_keys file.

Types of SSH Keys and Their Security Levels

Not all SSH keys are created equal. There are several types of keys you can generate depending on the desired level of security and compatibility requirements.

1. RSA (Rivest–Shamir–Adleman)

  • Security Level: High (if using >= 2048 bits, preferably 4096 bits)

  • Key Size: Up to 4096 bits (standard: 2048 bits)

  • Use Cases: RSA is one of the most widely supported and compatible algorithms used in SSH. It’s an asymmetric encryption algorithm and is highly secure when using a large enough key size.

  • Compatibility: Supported by most systems and platforms.

$ ssh-keygen -t rsa -b 4096

  • Recommendation: For most general use cases, RSA with a key size of 4096 bits is highly secure and widely compatible.

2. ECDSA (Elliptic Curve Digital Signature Algorithm)

  • Security Level: Very High (at smaller key sizes compared to RSA)

  • Key Size: 256, 384, or 521 bits

  • Use Cases: ECDSA keys are highly secure and generate smaller keys compared to RSA while maintaining a high security level. This makes ECDSA an attractive option for environments where performance and security are critical.

  • Compatibility: Supported by most modern systems, but may not work on legacy systems.

$ ssh-keygen -t ecdsa -b 521

  • Recommendation: Use ECDSA for high-security environments, especially when smaller key sizes are desired without compromising security.

3. ED25519 (Edwards-Curve Digital Signature Algorithm)

  • Security Level: Very High (smallest key size, fastest, highly secure)

  • Key Size: 256 bits (fixed)

  • Use Cases: ED25519 is a modern, fast, and very secure elliptic curve algorithm. It provides a high level of security with much smaller keys and faster performance compared to RSA or ECDSA.

  • Compatibility: Supported by most modern systems, including OpenSSH. May not be supported on very old or less frequently updated systems.

$ ssh-keygen -t ed25519

  • Recommendation: ED25519 is the best choice for modern, high-performance environments where both security and speed are crucial. Use this algorithm when compatibility with newer systems is guaranteed.

4. DSA (Digital Signature Algorithm)

  • Security Level: Low (not recommended)

  • Key Size: 1024 bits (fixed)

  • Use Cases: DSA was originally supported for SSH key generation, but due to security concerns, its use is deprecated.

  • Compatibility: Not recommended for use in modern environments due to weak security. Modern OpenSSH has deprecated DSA.

$ ssh-keygen -t dsa

  • Recommendation: Avoid using DSA as it is considered insecure by modern standards. Instead, opt for RSA, ECDSA, or ED25519.

Key Comparison and Recommendations

Key Type

Key Size

Security Level

Recommended Use

RSA

2048-4096 bits

High

General use, widely compatible

ECDSA

256-521 bits

Very High

Modern environments, smaller key size for the same security

ED25519

256 bits

Very High

Best performance and security, use if supported

DSA

1024 bits

Low

Deprecated, avoid using

When to Use Each Key Type

  • RSA: If you’re unsure which to use, RSA with a 4096-bit key is a safe and secure default for most systems.

  • ECDSA: Choose ECDSA when compatibility with modern systems is ensured and you want better performance and smaller key sizes compared to RSA.

  • ED25519: If you’re working in a modern environment with no legacy system requirements, ED25519 is the best choice for its speed and security.

  • DSA: Avoid using DSA unless you’re working in a very specific legacy environment that requires it.

Managing Multiple SSH Keys

If you use multiple SSH keys (for example, one for work, one for personal use), you can configure the SSH client to use different keys for different hosts by editing the SSH config file (~/.ssh/config).

Host github.com
  HostName github.com
  User git
  IdentityFile ~/.ssh/id_rsa_github

Host example.com
  HostName example.com
  User user
  IdentityFile ~/.ssh/id_ed25519_example

This configuration allows you to specify which SSH key to use for each host.

Configuring SSH Keys for Gaya

Here is an configuration for gaya.math.unistra.fr:

Host gaya.math.unistra.fr
  HostName gaya.math.unistra.fr
  User your_login_on_gaya
  IdentityFile ~/.ssh/id_rsa
Host gaya
  HostName gaya.math.unistra.fr
  User your_login_on_gaya
  IdentityFile ~/.ssh/id_rsa

Now you can connect to gaya.math.unistra.fr using the gaya alias.

Conclusion

Understanding the different types of SSH keys and their respective security levels allows you to choose the best key for your environment. Whether you opt for RSA for broad compatibility or ED25519 for speed and security, SSH keys are nowadays a critical part of secure, password-less authentication for remote systems.