Logging into remote systems with SSH implementations is secure by default -- but those connections are secured only in that they use the TLS protocol to encrypt network protocol exchanges. SSH can be made even more secure by using it to authenticate communicating hosts through the exchange of public keys -- keys that are created using the ssh-keygen command.
GUI versions of SSH usually include the same functionality as the command-line versions. For example, the PuTTYgen program is a GUI version of ssh-keygen for use with PuTTY, a GUI implementation of SSH for Windows. However, modern OSes, including Windows 10 and later, Linux and macOS, include command-line versions of the OpenSSH implementation of SSH.
SSH can be used without a prior exchange of public key pairs, and those uses can be reasonably secure. The best approach for securely authenticating SSH sessions, however, is to create a public key pair for the local computer and copy the public key file to the remote SSH server. Only a user with authenticated permission should be able to copy files to the server. If local users do not have sufficient permission, they can request that a system administrator of the remote host copy the files for them.
SSH depends on public key authentication to negotiate a secure connection between an SSH client and an SSH server. SSH is often used to make an ad hoc connection between the client and the remote server without a previously created public key pair, for example, with a command like this:
In this case, the ssh command, issued at the Windows PowerShell command prompt, includes the IP address of the remote server and the -l option, which specifies a valid user account on the remote server. Once the SSH connection is established, users are prompted to enter the password for their user accounts, in this case, the password for user peter.
The best security practice for SSH calls for the user to copy that fingerprint and authenticate it against the public key of the remote server. In practice, this step is often skipped when the user is confident that the remote server is known to be a trusted server. Once the user accepts the authenticity of the remote server, that server and its fingerprint are added to the known hosts file, and subsequent connections can be made directly.
This ad hoc approach can be adequately secure when the user is connecting to a server inside a protected network, but it can be riskier for connecting to other remote servers. This is where ssh-keygen can streamline the exchange of public key authentication.
The ssh-keygen command is a component of most SSH implementations used to generate a public key pair for use when authenticating with a remote server. In the typical use case, users generate a new public key and then copy their public key to the server using SSH and their login credentials for the remote server.
The next step in streamlining the login process is to copy the user's newly generated public key from the user's local system to the remote SSH server. When both systems are running the OpenSSH implementation on a Unix-based OS, including Linux or macOS, the ssh-copy-id command can be used to install an SSH key as an authorized login key. The new public key is then appended to the authorized_keys file, which the SSH implementation running on the remote server checks when a connection is requested from the local computer -- for example:
This compound command uses the PowerShell type command to output the contents of the public key file. The contents are then piped -- using the | symbol -- to a new SSH connection. The final quoted section of this command uses the cat command on the remote server to append the new public key file to the end of the authorized_keys file. This part of the command is necessary to avoid overwriting the authorized_keys file, which would overwrite any existing keys previously added to that file.
Now, the public key resides on the remote server and is stored in the .ssh/authorized_keys file. The next time an SSH connection is attempted from the local computer, the session is initiated without the need to manually enter the user ID and password.
The ability to log in to an SSH server on a remote server without the need to reenter one's password every time may be a convenience, but this is not the primary reason to use a public key for SSH authentication. When SSH connections can be completed without needing the user to enter a passphrase, repetitive actions on the remote server can be accomplished without human intervention -- for example:
Public key authentication with SSH is not sufficient for securing access to sensitive systems. While it may improve security, users and enterprises must take even more care to prevent unauthorized access to the local computers used to access remote SSH servers.
System administrators, network managers and network security professionals who use the same login ID across an enterprise network often need to connect to many different remote servers. For especially large organizations, this type of access can be mediated through the use of SSH key management systems that can distribute public keys to the remote servers, as well as manage assignment of public key pairs to individuals who need them.
In practice, system administrators could manually copy the same public key to all of the servers they need access to. In that case, the sys admin issues the same command to copy the public key for each remote server -- for example:
Network and security professionals may need to use different identities, each of which has different sets of permissions, to access the same remote server. This approach compartmentalizes access and can be useful for different reasons, including the following:
To use the utility, you need only specify the remote host that you would like to connect to and the user account that you have password SSH access to. This is the account to which your public SSH key will be copied.
An SSH key pair can be generated by running the ssh-keygen command, defaulting to 3072-bit RSA (and SHA256) which the ssh-keygen(1) man page says is "generally considered sufficient" and should be compatible with virtually all clients and servers:
ssh-keygen defaults to RSA therefore there is no need to specify it with the -t option. It provides the best compatibility of all algorithms but requires the key size to be larger to provide sufficient security.
Upon issuing the ssh-keygen command, you will be prompted for the desired name and location of your private key. By default, keys are stored in the ~/.ssh/ directory and named according to the type of encryption used. You are advised to accept the default name and location in order for later code examples in this article to work properly.
If the originally chosen SSH key passphrase is undesirable or must be changed, one can use the ssh-keygen command to change the passphrase without changing the actual key. This can also be used to change the password encoding format to the new standard.
Once you have generated a key pair, you will need to copy the public key to the remote server so that it will use SSH key authentication. The public key file shares the same name as the private key except that it is appended with a .pub extension. Note that the private key is not shared and remains on the local machine.
The above example copies the public key (id_ecdsa.pub) to your home directory on the remote server via scp. Do not forget to include the : at the end of the server address. Also note that the name of your public key may differ from the example given.
Using TeamViewer 12 I am finding that once I have connected to a remote system (on the LAN or outside) I do not have left/right click functionality with my mouse (though I can move the cursor) and my connection seems to prevent the remote user from clicking too (they can move the cursor though)
I experience the similar issue. Mouse clicks work for a while after connection established then stop working. Holding Alt and pressing Tab a few times makes them work again (for a while). Except DrWeb - I can call it by clicking on the tray icon but can't do anything there. Both computers are running v12.0.83369. My computer is runnning Windows 8.1 x64, the remote computer is running Windows 7 x64.
Removing the USB mouse on the remote computer is not an option for me. Any other solutions other than a reboot? A reboot does fix the problem but only for a limited number of connections. I also am using Version 13 with the latest updates on both local and remote.
When during remote session cursor reaches left side of the screen InputDirector moves cursor to "slave" computer, but TeamViewer is not aware of that, it shows cursor as if never left the screen, so any clicks and keyboard presses are actually being routed to the "slave" computer instead.
Mause not functioning because of interference with the mause on a remote PC. In windows 10 press the Win key and type "device maneger". Go to mice and other pointing devices and disable mause on remote PC. Congrets! your problem solved.
An alternative approach if you have access to the host keys for the remote system is to add them to your known_hosts file in advance, so that SSH knows about them and won't ask the question. If this is possible, it's better from a security point of view. After all, the warning might be right and you really might be subject to a man-in-the-middle attack.
You could easily write an wrapper to translate touchid calls into ssh and back again. Even further translate a ~ possible match into a range sequence (think close but incomplete painting) - no magic there. I used the camera for that before when touchid seemed like a tricorder feature from star trek :-)
Seems like a good idea to use the feat. even when everybody will tell you of gazillions possible security risks that are, well, possible (like a lot of other things). You will need a dev account though (99$/year...), since self-signed apps cant access all macOS SDKs functionalities, touchID is (possibly) not accessible without signing. 2b1af7f3a8