inside the mind of a linux admin

setup ssh keys


If you are going to connect to a remote host computer using public-key authentication, you will have to generate your key pair before connecting.

Public-key authentication is based on the use of digital signatures. Each user creates a pair of ‘key’ files. One of these key files is the user’s public key, and the other is the user’s private key. The server knows the user’s public key, and only the user has the private key.

When the user tries to authenticate herself, the server checks for matching public keys and sends a challenge to the user end. The user is authenticated by signing the challenge using her private key.

Remember that your private key file is used to authenticate you. Never expose your private keys. If anyone else can access your private key file, they can attempt to login to the remote host computer as you, and claim to be you. Therefore it is extremely important that you keep your private key file in a secure place and make sure that no one else has access to it.

Do not use public-key authentication on a computer that is shared with other users. Generate keys only on your personal computer that no one else can access!

So let's get started. Let's say you want to be able to ssh as your user “dude” to remote.com without passwords getting in your way…

$ ssh dude@remote.com

and ssh will ask if you want to keep connecting, type “yes”, and then it should ask for your password and open a shell in dude’s home directory on remote.com, just like telnet. If this fails, there is a problem somewhere. Make sure ssh is installed on your end, and also make sure that remote.com is accepting ssh connections. If it’s not, you’re wasting your time.
Once ssh is functioning we will set up the keys so that it will no longer be necessary to send passwords. If you are curious about the theory of this then read up on “public key cryptography”.

Create your keys: You need to create private and public ssh keys and put them in the proper place with the proper permissions. In your home directory create a folder .ssh ($ mkdir .ssh), if there is none. Note that Windows may make it difficult for you to create a file starting with “.” if you try to do it with their tools; e.g. Windows Explorer. Next, create the keys with the command

$ ssh-keygen -t dsa

The ssh-keygen program will ask for a passphrase, just hit the “Enter” key unless for some reason you know you want a passphrase. This creates the keys id_dsa and id_dsa.pub and puts them in .ssh/. The private key id_dsa must be readable only by you; change its permissions with

$ chmod 600 .ssh/id_dsa

Put the public key on the remote computer: In this section we are assuming the remote computer is also running OpenSSH. Somehow, you must get the .ssh/id_dsa.pub key onto the remote computer, whether by email, ftp, carrying it over on a floppy (sneakernet), etc.; the cool way to do it is to use scp, which was installed along with ssh. Suppose the remote computer is named remote.com, and your account there is “dude”. To copy the file to remote, run

$ scp .ssh/id_dsa.pub dude@remote.com:

Don’t forget the trailing colon. You will be asked for dude’s password on remote before the copying commences. The file will be copied to dude’s home directory on remote.
Install the public key on the remote computer: (We assume the remote computer is running OpenSSH on Linux or UNIX!) Once id_dsa.pub is on the remote computer, log in to the remote computer (you can use ssh to log in with your password as described above). From your home directory (where you should see your newly arrived id_dsa.pub) create a .ssh folder if none exists. Then append your id_dsa.pub to a file in .ssh with

$ cat id_dsa.pub >> .ssh/authorized_keys

This will create the file authorized_keys if none exists. The id_dsa.pub key may be removed from the remote computer’s home directory, if you like. The .ssh folder on the remote computer must have the correct permissions; you may set them with

$ chmod 700 .ssh

Checking the password-less connection: Now the command

$ ssh dude@remote.com

should give you a password-less connection to remote.com. Likewise, scp should be password-free.
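The key-installation steps above, collected into an idempotent shell function as an added example (not code from the original post): it creates the remote-side .ssh folder, appends each public key to authorized_keys only if that exact line is not already there, and sets the modes sshd's StrictModes check expects (700 on .ssh, 600 on authorized_keys). The gen_key helper is the modern counterpart of the post's `ssh-keygen -t dsa`, since ssh-dss has been disabled by default since OpenSSH 7.0; the key line used in the test is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example: the "cat id_dsa.pub >> .ssh/authorized_keys" step done safely.

# gen_key FILE [PASSPHRASE]
#   Modern equivalent of the post's "ssh-keygen -t dsa" (DSA keys are refused
#   by current OpenSSH). An empty passphrase matches the post's "just hit Enter".
gen_key() {
    ssh-keygen -t ed25519 -f "$1" -N "${2:-}"
}

# install_pubkey HOMEDIR PUBKEY_FILE
#   Append every key line from PUBKEY_FILE to HOMEDIR/.ssh/authorized_keys,
#   skipping blank/comment lines and lines already present, then fix modes.
install_pubkey() {
    home="$1"; pub="$2"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"           # the post's "chmod 700 .ssh"
    touch "$auth"
    chmod 600 "$auth"             # sshd ignores a group/world-writable file
    # "|| [ -n "$line" ]" also handles a last line with no trailing newline.
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in ''|'#'*) continue ;; esac
        # -F -x: match the whole line literally, so a re-run adds nothing.
        if ! grep -F -x -q -- "$line" "$auth"; then
            printf '%s\n' "$line" >> "$auth"
        fi
    done < "$pub"
}

# count_keys HOMEDIR: number of key lines (non-blank, non-comment) installed.
count_keys() {
    grep -c -v -e '^#' -e '^$' "$1/.ssh/authorized_keys"
}

# mode_of PATH: permission bits in octal (GNU stat first, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}
```

Running install_pubkey twice with the same file leaves a single copy of the key, which is what the post's plain `>>` append does not guarantee.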

By the way, all the commands you do by first logging into the remote computer can be done remotely, one at a time, using ssh. For example, you can run

$ ssh dude@remote.com ls

and get a listing of your home directory files on the remote system.

1 Comment

  • Christopher Barry on Monday, May 13, 2013

    Instead of scp-ing and appending your key, simply use the ssh-copy-id command that comes with the ssh distribution – it automates the entire procedure.

    Cheers,
    -C
