I am planning to do a fresh install of Ubuntu 11.10 on my system. Before that, I have set up key-based SSH authentication on this machine. Is it possible to take a backup of those SSH keys, so that I can use them in my new installation? Or must I set up key-based SSH authentication again? If I can take a backup, what are the files I need to copy? Can someone explain it in detail, please? Thanks in advance.
-
2 Are you talking about a server or a client machine? – enzotib Dec 18 '11 at 16:07
-
1 I am talking about the server machine. – karthick87 Dec 21 '11 at 09:39
3 Answers
Responding to SSH only... yes, you can keep your keys.
I can't think of any topic on which to expound about that, though. It is straightforward: if your username is karthick, then the keys are located in a hidden directory here:
/home/karthick/.ssh
or
~/.ssh
The id_rsa.pub file contains the public key used to authenticate. But there are other files to keep - all of them, really, such as known_hosts for example. The MOST IMPORTANT is id_rsa (note the lack of .pub) as this is your private key. Back up each user. For example, if you set up SSH for root, get /root/.ssh as well. And so on for as many accounts as you have for this reason.

-
1 That's why it is always good practice to have the /home directory on a different partition, just in case you want to do a fresh installation and don't want to lose anything of your own configuration. – maniat1k Dec 18 '11 at 18:38
-
5 This answer is misleading. SSH uses a private/public key pair. The private key is in id_rsa. This is the most important key to back up. – Jan Dec 18 '11 at 19:52
-
1 You can recover the public key (id_rsa.pub) from the private key (id_rsa), but not vice versa. The .pub file contains one line which can be put in the server's ~/.ssh/authorized_keys and is not used at all when connecting with the server. – Lekensteyn Dec 18 '11 at 20:50
-
1 @maniat1k I generally don't agree that you should have /home on a separate partition for OS, because one of the differences between distributions or dist versions is that config file formats can change, so things can break in unexpected ways. If you want to keep your configuration across OSs I think that you should explicitly do it for specific programs. – quodlibetor Dec 22 '11 at 21:28
-
Maybe you are right @quodlibetor, but I have the same home since my Ubuntu migrated to openSUSE and went back to Lubuntu... and nothing happens... anyway it's a risk... but Ubuntu is the same thing all the time... it's Debian... the configurations are the same... – maniat1k Dec 24 '11 at 15:19
-
No doubt! It's almost masochistic not to have a separate partition or disk for homes - on a real server at least... how else can we set nosuid,nodev,usrquota,grpquota? Since 93 I only experienced one issue with this: changing ownerships back to match new uids - a simple fix. – Dec 24 '11 at 15:27
-
1 @Lekensteyn Actually the .pub file is sometimes used when connecting to a server. If the secret key is encrypted, the .pub file is used to send the public key to the server. If the server rejects the public key there is no need to prompt the user for password. Only if the server accepts the public key will the secret key be decrypted. And if you have many keys in an ssh-agent and want to instruct the ssh client on which of them to use, you can do so by asking it to use a specific .pub file for authentication. – kasperd Apr 17 '15 at 22:55
-
Hi, I'm planning to do a fresh OS installation like karthick87, but I haven't actually understood the answer. How can I take backups for the keys located in ~/.ssh and /home/user/.ssh? Do I need to back up both private & public key pair? – ltdev May 17 '17 at 20:00
Cryptographic keys which you may want to back up.
~/.gnupg/*
~/.pki/nssdb/*
~/.gnome2/keyrings/*
~/.ssh/*
/usr/local/apache2/conf/ssl.crt/server.crt
/usr/local/apache2/conf/ssl.key/server.key
/etc/ssh/*
/etc/ssl/private/*
/etc/cups/ssl/*
-
3 You missed the very one he asked about (~/.ssh) but a good list nonetheless :) – Caesium Dec 18 '11 at 18:57
-
Great list! It's harder to google for such a list than it should be. Thank you for providing it. – Christian Oct 10 '12 at 07:26
Each user has a directory ~/.ssh, which typically contains the following files:
1) id_dsa private key of this user (different filename for rsa keys)
1) id_dsa.pub public key of this user
2) authorized_keys public key of other users (or same user on other machines)
config personal configuration
known_hosts host keys of other machines
Additionally, in /etc/ssh/, you will find:
3) ssh_host_dsa_key
3) ssh_host_dsa_key.pub
3) ssh_host_rsa_key
3) ssh_host_rsa_key.pub
Those are the host keys, keys identifying this computer.
You certainly want to back up all private and public keys. We call the machine in question home and the user user@home. The same person has an account user@remote and uses key-based login in both directions. What would happen if you lose any of the key files:
- You lose the identity of user@home. ssh user@remote from home will no longer work with key-based auth.
- user@remote loses the right to log in to home with his key. ssh user@home will no longer work from remote with key-based auth.
- You lose the identity of the host. user@remote will see a warning that host keys have changed when trying ssh user@home. Depending on the configuration this will prevent him from logging in.

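The backup and restore of ~/.ssh that the answers above describe, as an added example that is not part of any of the original posts. The function names are illustrative; it archives the directory with its file modes, re-tightens private key permissions after restoring, and checks that a .pub file belongs to its private key by deriving the public key with ssh-keygen -y, as mentioned in the comments.

```shell
#!/bin/sh
# Added example; function names are illustrative, not from the answers.

# backup_ssh HOME_DIR ARCHIVE: archive HOME_DIR/.ssh, keeping file modes (-p).
# The archive holds private keys, so create it readable by its owner only.
backup_ssh() {
    ( umask 077 && tar -cpf "$2" -C "$1" .ssh )
}

# tighten_ssh SSH_DIR: owner-only directory, and owner-only mode for every
# private key, identified here as a file that has a matching "<name>.pub".
tighten_ssh() {
    chmod 700 "$1" || return 1
    for pub in "$1"/*.pub; do
        [ -f "$pub" ] || continue
        key=${pub%.pub}
        if [ -f "$key" ]; then chmod 600 "$key" || return 1; fi
    done
}

# restore_ssh ARCHIVE HOME_DIR: unpack into the new home, then re-tighten,
# because ssh refuses private keys that other users can read.
restore_ssh() {
    tar -xpf "$1" -C "$2" && tighten_ssh "$2/.ssh"
}

# pair_matches PRIVATE_KEY: succeed if PRIVATE_KEY.pub is the public half of
# PRIVATE_KEY. ssh-keygen -y derives the public key from the private one
# (it asks for the passphrase if the key is encrypted).
pair_matches() {
    derived=$(ssh-keygen -y -f "$1" | cut -d' ' -f1,2) || return 1
    [ -n "$derived" ] && [ "$derived" = "$(cut -d' ' -f1,2 "$1.pub")" ]
}
```

Typical use is `backup_ssh "$HOME" /path/to/ssh-keys.tar` before the reinstall and `restore_ssh /path/to/ssh-keys.tar "$HOME"` afterwards. The host keys in /etc/ssh can be archived the same way with tar -p, run as root.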