How to Sign/Verify files with SSH
Introduction
Secure Shell (SSH) is a cryptographic network protocol used to secure data communication. One of its key features is public-key authentication: a user proves possession of a private key, and the server checks it against a trusted public key. Since OpenSSH 8.0 the same keys can also sign arbitrary files with ssh-keygen -Y, so anyone who already trusts your SSH public key can verify a file's origin and integrity. This post shows how to produce and verify such signatures.
Signing files
To sign a file with an SSH key you need a key pair: a private key and the matching public key. The private key stays secret and produces signatures; the public key is given to anyone who needs to verify them. An existing SSH key works; there is no need to generate a separate signing key.
ssh-keygen -Y sign -f ~/.ssh/id_rsa -n file ${file_to_sign}
Here ~/.ssh/id_rsa is the path of the private key and ${file_to_sign} is the file to sign. The -n file option sets the signature namespace; the verifier has to pass the same namespace, which prevents a signature made for one purpose (for example a git commit) from being replayed as a file signature. By default the signature is written next to the input as ${file_to_sign}.sig, in the SSHSIG format described in the OpenSSH PROTOCOL.sshsig document.
Verifying signatures
To verify a file we need three things: the original file, the signature file and the signer's public key. ssh-keygen does not trust public keys on their own; they must be listed in an allowed_signers file that binds each key to a principal (an identity string, usually an email address).
Prepare an allowed_signers file. Each line contains a principal (email address), optionally some options, then the key type and the public key, exactly as they appear in the signer's .pub file:
linux@vm2021 ssh-rsa ...
The principal on this line is what you later pass to -I, so it must match exactly. It does not have to equal the comment at the end of the .pub file; the comment is ignored.
Use the following command to verify. The signature comes from -s and the original file is read from standard input:
ssh-keygen -Y verify -f allowed_signers -I linux@vm2021 -n file -s ${file_to_verify}.sig < ${file_to_verify}
If the signature is valid, ssh-keygen exits 0 and prints:
Good "file" signature for linux@vm2021 with RSA key SHA256:NmVC1oHNMssv0UfhfCSUKY2UjboQrGI5RwCGK7n0pIU
If the file was modified, the namespace differs, or the principal in -I is not bound to the signing key in allowed_signers, it exits non-zero and prints a failure message instead. Scripts should check the exit status rather than parse the text.
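The complete round trip, as an added example that is not part of the original post: it generates a throwaway ed25519 key in a temporary directory, signs a constructed sample file in the "file" namespace, builds an allowed_signers line for it, verifies, recovers the principal with ssh-keygen -Y find-principals, and then checks that a tampered file and a wrong namespace are both rejected. The key name, the principal alice@example.com and the sample file contents are assumptions made for the example; the namespaces="..." option restricting the key to file signatures is a real allowed_signers option documented in ssh-keygen(1).

```shell
#!/bin/sh
# Added example (not from the original post): full ssh-keygen -Y sign/verify
# round trip with a throwaway key, plus negative checks. Requires OpenSSH 8.2+.
set -u

_run_demo() {
    work=$1
    # Throwaway ed25519 key with an empty passphrase. In real use you would
    # point -f at an existing key such as ~/.ssh/id_ed25519.
    ssh-keygen -q -t ed25519 -N '' -C 'alice@example.com' -f "$work/signing_key" || return 1

    # Constructed sample payload standing in for a release artifact.
    printf 'release-1.0.tar.gz contents (constructed sample)\n' > "$work/artifact"

    # Sign in the "file" namespace; ssh-keygen writes artifact.sig beside it.
    ssh-keygen -Y sign -f "$work/signing_key" -n file "$work/artifact" || return 1

    # allowed_signers line: PRINCIPAL [OPTIONS] KEYTYPE KEY. The key type and
    # key are copied from the .pub file; the comment is dropped. The
    # namespaces option stops this key from being accepted for signatures
    # made in any other namespace (e.g. "git").
    printf 'alice@example.com namespaces="file" %s\n' \
        "$(cut -d' ' -f1,2 "$work/signing_key.pub")" > "$work/allowed_signers"

    # Verify: -I is the principal from allowed_signers, the file comes on stdin.
    ssh-keygen -Y verify -f "$work/allowed_signers" -I alice@example.com -n file \
        -s "$work/artifact.sig" < "$work/artifact" || return 1

    # If you do not know the principal, recover it from signature + signer file.
    ssh-keygen -Y find-principals -s "$work/artifact.sig" -f "$work/allowed_signers" || return 1

    # Negative check 1: same key and principal, wrong namespace must fail.
    if ssh-keygen -Y verify -f "$work/allowed_signers" -I alice@example.com -n git \
        -s "$work/artifact.sig" < "$work/artifact" 2>/dev/null; then
        echo "BUG: signature accepted under the wrong namespace" >&2
        return 1
    fi

    # Negative check 2: a single appended byte must break verification.
    printf 'x' >> "$work/artifact"
    if ssh-keygen -Y verify -f "$work/allowed_signers" -I alice@example.com -n file \
        -s "$work/artifact.sig" < "$work/artifact" 2>/dev/null; then
        echo "BUG: tampered file verified" >&2
        return 1
    fi
    return 0
}

# Returns 0 when every step behaved as expected, 1 on any failure,
# and 77 (the conventional "skipped" status) when ssh-keygen is unavailable.
demo_sign_verify() {
    command -v ssh-keygen >/dev/null 2>&1 || {
        echo "ssh-keygen not found; skipping demo" >&2
        return 77
    }
    work=$(mktemp -d) || return 1
    _run_demo "$work"
    rc=$?
    rm -rf "$work"   # always remove the throwaway private key
    return $rc
}

demo_sign_verify
echo "demo exit status: $?"
```

In a real deployment the allowed_signers file is the trust root: distribute it out of band (configuration management, a signed repository, or the same channel you already use for known_hosts) and keep the namespace restrictions tight, because a signature is only as meaningful as the binding between principal and key that the verifier trusts.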
Conclusion
SSH keys are a powerful tool for more than logging in. With ssh-keygen -Y you can sign files with a key you already hold and let recipients verify their integrity and origin using a public key they already trust, without setting up a separate PGP infrastructure. The allowed_signers file and the signature namespace are the two controls that make a verification meaningful: keep the first under your control and always pass the second explicitly.
Reference
https://www.agwa.name/blog/post/ssh_signatures
- License under CC BY-NC 4.0