SSH key

What is an SSH key?

SSH keys are used for secure connections across a network. They come in pairs, so you have a public key and a private key.

The standard SSH2 file format (see http://www.openssh.org/txt/draft-ietf-secsh-publickeyfile-02.txt) looks like this:

---- BEGIN SSH2 PUBLIC KEY ----
Comment: "jtbell@Jon-Bells-Computer"
---- END SSH2 PUBLIC KEY ----

However, Moodle uses OpenSSH on its server, and a key in the standard format above will not work with the OpenSSH server; OpenSSH requires the key to be in OpenSSH format. Here is an example of a DSA public key in OpenSSH format (such keys are usually all on one line):

ssh-dss AAAAB3NzaC1kc3MAAACBAJ3hB5SAF6mBXPlZlRoJEZi0KSIN+NU2iGiaXZXi9CDrgVxTp6/
sc56UcYCp4qjfrZ2G3+6PWbxYso4P4YyUC+61RU5KPy4EcTJske3O+aNvec/20cW7PT3TvH1+sxwGry
mD50kTiXDgo5nXdqFvibgM61WW2DGTKlEUsZys0njRAAAAFQDs7ukaTGJlZdeznwFUAttTH9LrwwAAA
IAMm4sLCdvvBx9WPkvWDX0OIXSteCYckiQxesOfPvz26FfYxuTG/2dljDlalC+kYG05C1NEcmZWSNES
GBGfccSYSfI3Y5ahSVUhOC2LMO3JNjVyYUnOM/iyhzrnRfQoWO9GFMaugq0jBMlhZA4UO26yJqJ+BtX
IyItaEEJdc/ghIwAAAIBFeCZynstlbBjP648+mDKIvzNSS+JYr5klGxS3q8A56NPcYhDMxGn7h1DKbb
2AV4pO6y+6hDrWo3UT4dLVuzK01trwp PYp6JXTSZZ12ZaXNPz7sX9/z6pzMqhX4UEfjVsLcuF+ZS6a
QCPO0ZZEa1z+EEIZSD/ykLQsDwPxGjPBqw== someone@somewhere.com

In addition to OpenSSH and Standard SSH formats there are a variety of proprietary formats as well as SSH1 and SSH2 differences to account for, which can make this confusing.

In the example above you will note that the key starts with "ssh-dss". This is because this key was generated using DSA as opposed to RSA. A number of vendors in the SSH arena have argued that users should employ RSA. The PuTTY documentation at http://the.earth.li/~sgtatham/putty/0.55/htmldoc/Chapter8.html#S8.2.10 gives this reason:

DSA has an intrinsic weakness which makes it very easy to create a signature
which contains enough information to give away the private key! This would 
allow an attacker to pretend to be you for any number of future sessions. 

An SSH2 RSA public key in OpenSSH format will start with "ssh-rsa".

The idea behind all of this is that once you have keys on the remote server and your local host, access will be simpler since the server will only grant access to someone who has the matching private key.

Why do I need an SSH key?

Our CVS server uses OpenSSH, so if you are a Moodle developer and you want to make your logins easier (by avoiding typing in your password all the time), you will need to submit a public key in OpenSSH format via the "Update my developer information" tab at http://moodle.org/cvs.

How do I create an SSH key pair?

Eclipse

If you plan to use Eclipse for development, please refer to the Eclipse document at https://docs.moodle.org/en/Eclipse, as Eclipse now has a plugin that allows you to manage all SSH key matters from within Eclipse.

Unix/Linux

You can use ssh-keygen at your system prompt. Please consult the man page on your system for the options available to you.

  1. Run: ssh-keygen -t (rsa or dsa). This will not include a passphrase. *
  2. Use of rsa or dsa above will result in rsa or dsa replacing each XXX below.
  3. Look in your ~/.ssh directory (or wherever you saved the output). You'll find id_XXX (private) and id_XXX.pub (public).
  4. Cut and paste the contents of id_XXX.pub into your developer profile on http://moodle.org/cvs
  5. Put the private key wherever you will be calling CVS from (in your .ssh directory, for example). Make sure it's secure!
  * This section initially recommended using ssh-keygen -d but it is unclear what the source of this -d option might be.

Windows

Use puttygen and follow the instructions here. Make sure you choose the RSA2 key format and that, when you copy the key data into the textbox on the site, all of the characters are on one line. If you have opened the key with WordPad, it will have line breaks in it, which will stop it from working.

The box should look like this:

ssh-rsa
AAAAWfg&jkf4D34H5@4svf..... (single very long line continues beyond edge of textbox)
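
The standard SSH2 format shown earlier on this page and the single-line requirement above can both be checked before a key is pasted into the developer profile. The following Python code is an added example, not part of the original page or of Moodle's code; the function names are hypothetical and the sample key is constructed dummy data, not a usable key.

```python
import base64
import struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def blob_key_type(blob: bytes) -> str:
    """Return the algorithm name stored as the first length-prefixed string."""
    n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
    if n == 0 or 4 + n > len(blob):
        raise ValueError("bad length prefix in key data")
    return blob[4:4 + n].decode("ascii")

def secsh_to_openssh(text: str) -> str:
    """Convert a standard SSH2 public key block to a one-line OpenSSH key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing BEGIN/END markers")
    comment, body, i = "", [], 1
    while i < len(lines) - 1:
        line = lines[i]
        if ":" in line:  # header line; base64 never contains ':'
            while line.endswith("\\") and i + 1 < len(lines) - 1:
                i += 1
                line = line[:-1] + lines[i]  # join a continued header
            tag, _, value = line.partition(":")
            if tag.lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(line)
        i += 1
    b64 = "".join(body)
    key_type = blob_key_type(base64.b64decode(b64, validate=True))
    return " ".join(part for part in (key_type, b64, comment) if part)

def check_openssh_line(pasted: str) -> str:
    """Return the key type if the pasted text is one well-formed OpenSSH line."""
    if len(pasted.strip().splitlines()) != 1:
        raise ValueError("key must be on a single line")
    fields = pasted.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    if blob_key_type(base64.b64decode(fields[1], validate=True)) != fields[0]:
        raise ValueError("prefix does not match the type inside the key data")
    return fields[0]

# Constructed sample: an "ssh-rsa" blob holding dummy numbers, not a usable key.
_s = lambda b: struct.pack(">I", len(b)) + b
SAMPLE_B64 = base64.b64encode(_s(b"ssh-rsa") + _s(b"\x01\x00\x01") + _s(b"\x00" + b"\xab" * 64)).decode()
SAMPLE_SECSH = "\n".join([BEGIN, 'Comment: "dev@example"', SAMPLE_B64[:70], SAMPLE_B64[70:], END])
```

On a system with OpenSSH installed, ssh-keygen -i -f filename performs the same conversion from the standard SSH2 format.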

Mac OS X

If you have an existing key in PuTTY format, open it in puttygen on Windows, then choose Conversions and export it in OpenSSH format. You can then import the key into OS X using

 ssh-add -K filename

The -K flag is optional and stores your passphrase in the keychain (see the ssh-add documentation).