This is a continuation of the previous guide, SSH Secure Shell, which explains the basics of SSH. Please read that guide first if you haven't already, before continuing further.
What is an SSH key?
SSH keys serve as a means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication.
An SSH key comprises two separate keys -
- A public key - which you can share freely with any SSH server, and
- A private key - which should be known only to you, and kept secret.
Advantages of using SSH keys
The following are some of the advantages of using SSH keys over traditional password authentication.
- Your password is never sent over the network.
- Eliminates the risk posed by brute-force password attacks.
- More convenience - You can connect to a server, or multiple servers, without having to remember or enter your password for each system.
How to generate an SSH key
To generate an SSH key pair in Linux, you use the ssh-keygen tool. ssh-keygen generates, manages and converts authentication keys for ssh.
Syntax -
$ ssh-keygen -t <type>
The -t option specifies the type of key to create, i.e. the public-key algorithm used for the key pair. The possible values are "rsa1" for protocol version 1, and "dsa", "ecdsa", or "rsa" for protocol version 2.
- DSA - 1024 bit algorithm
- RSA - 2048-4096 bit algorithm
- ECDSA - stands for Elliptic Curve Digital Signature Algorithm, which provides smaller key sizes and faster operations when compared to the other algorithms.
For example, to create an SSH key that uses DSA, do the following -
$ ssh-keygen -t dsa
The program will ask you to (optionally) enter a passphrase. You can just press the ENTER key if you do not want to set one. If you do set a passphrase, your private key will be encrypted using the string you entered.
Next, the tool will generate two files, id_dsa and id_dsa.pub, and save them in the ~/.ssh directory beneath your HOME directory. id_dsa is the private key, and id_dsa.pub is the public key.
There are lots of other options for the ssh-keygen tool. For the full list of options, see its man page.
If you have set a passphrase, it must be entered every time you attempt to connect to an SSH server using public-key authentication.
SSH Agent
You can use an SSH Agent to remember your passphrase.
An SSH Agent is a program that holds the private keys used for public key authentication (RSA, DSA, ECDSA). The ssh-agent tool is the default SSH Agent in OpenSSH. Using an SSH Agent to remember the passphrase is a 2 step process.
Step 1 : Start running SSH Agent in the background.
The idea is that ssh-agent is started at the beginning of an X session or a login session, and all other windows or programs are started as clients of the ssh-agent program.
For now, let's start ssh-agent explicitly from the command line. ssh-agent does not set any variables in your shell itself; it prints the environment variables (SSH_AUTH_SOCK and SSH_AGENT_PID) that clients need in order to find it, so have the shell evaluate its output:
$ eval "$(ssh-agent -s)"
Step 2 : Add your private key to its cache.
This is done using another tool called ssh-add.
$ ssh-add ~/.ssh/id_dsa
Enter passphrase for /home/ravi/.ssh/id_dsa:
Identity added: /home/ravi/.ssh/id_dsa (/home/ravi/.ssh/id_dsa)
ssh-add prompts you to enter the passphrase for your private key. Once you enter the correct passphrase, it adds the key to the cache of the SSH Agent running in the background.
From now on, you won't have to enter the passphrase for your private SSH key when you decide to login to a remote computer.
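The two steps above, as an added example that is not part of the original post: a small POSIX shell script that starts an agent for the current shell session, caches a key, and checks that the agent actually holds an identity. The key path is taken from the script's first argument, and the agent output used by agent_var is a constructed sample, not output from a real agent.

```shell
#!/bin/sh
# Added example, not code from the original post: start ssh-agent so the
# current shell can reach it, cache a private key, and confirm the agent
# holds at least one identity.

# ssh-agent does not set variables in your shell; it PRINTS shell assignments
# for the shell to evaluate. Constructed sample of that output:
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-abc123/agent.4242; export SSH_AUTH_SOCK;
SSH_AGENT_PID=4243; export SSH_AGENT_PID;
echo Agent pid 4243;'

# agent_var NAME OUTPUT: extract NAME's value from ssh-agent's printed output.
# This is exactly what eval does for the shell; shown here to make the
# mechanism visible.
agent_var() {
    printf '%s\n' "$2" | sed -n "s/^$1=\([^;]*\);.*/\1/p"
}

# start_agent_and_load KEYFILE: start an agent for this session, add the key
# (ssh-add prompts for its passphrase) and verify an identity is cached.
# Returns 0 on success.
start_agent_and_load() {
    key=$1
    # Without eval the assignments are only printed, and ssh-add then fails
    # with "Could not open a connection to your authentication agent".
    eval "$(ssh-agent -s)" >/dev/null
    ssh-add "$key" || return 1
    # ssh-add -l exits 0 only when the agent holds identities
    # (1: agent reachable but empty, 2: no agent reachable).
    ssh-add -l >/dev/null
}

# stop_agent: kill the agent started above and unset its variables.
stop_agent() {
    eval "$(ssh-agent -k)" >/dev/null
}

# Usage: sh agent_demo.sh ~/.ssh/id_dsa
if [ -n "$1" ] && command -v ssh-agent >/dev/null 2>&1; then
    if start_agent_and_load "$1"; then
        echo "key cached; agent socket is $SSH_AUTH_SOCK"
    fi
    stop_agent
fi
```

Running the script with a key path starts a throwaway agent, loads the key, reports the socket path and then kills the agent again; in normal use you would start the agent once per login session and leave it running, as the post describes.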
An SSH Key Example
How to use SSH without a password
Each time you use ssh or any related tool such as scp, you are prompted for a password to the remote machine. If you use SSH often enough, typing the password can be tedious. However, if you are using SSH keys, you can do away with entering or remembering the passwords.
Here is one way of doing it.
Step 1: Create a private-public SSH key pair
$ ssh-keygen -t dsa
and the following is the output of the command on my machine -
Generating public/private dsa key pair.
Enter file in which to save the key (/home/ravi/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ravi/.ssh/id_dsa.
Your public key has been saved in /home/ravi/.ssh/id_dsa.pub.
The key fingerprint is:
2c:fc:84:60:87:2b:98:ab:f1:c0:ee:9c:55:b6:b2:b7 ravi@ubuntu-desktop
The key's randomart image is:
+--[ DSA 1024]----+
|                 |
|        .        |
|       + .       |
|      o . = o    |
|o . .++ S        |
|.. .o .+         |
|+. + . .         |
|++o o.           |
|o=...E.          |
+-----------------+
What it does
ssh-keygen will prompt you to enter a passphrase, which should be left blank. Next, it will generate two files named id_dsa and id_dsa.pub.
The files will be saved (by default) in the .ssh directory in your home folder.
$ ls ~/.ssh
id_dsa  id_dsa.pub  known_hosts
Step 2: Copy the SSH public key to the remote machine
Copy the 'id_dsa.pub' file to the .ssh/ directory on your remote machine.
Remote machine hostname - xyz.com
Remote machine username - ravi
$ scp ~/.ssh/id_dsa.pub ravi@xyz.com:~/.ssh/.
Step 3: Authorize the SSH server to use the public keys
SSH to your remote machine and append the contents of the 'id_dsa.pub' file to the 'authorized_keys' file in the same folder.
If there is no such file on your remote machine, it will be created by the redirection below.
$ ssh ravi@xyz.com
...
ravi@xyz.com [~]$ cd .ssh
ravi@xyz.com [~/.ssh]$ cat id_dsa.pub >> authorized_keys
From here on, you won't need any passwords to login to the remote machine xyz.com from your local machine.
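Step 3 as a reusable shell function, added here as an example and not code from the original post. It does what the cat redirection above does, but only appends the key if that exact line is not already in authorized_keys (so running it twice does not duplicate the entry), and it sets the permissions sshd expects (700 on .ssh, 600 on authorized_keys; with the default StrictModes setting sshd ignores an authorized_keys file that others can write to). The key line and the scratch directory standing in for the remote ~/.ssh are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: install a public key into
# an authorized_keys file idempotently and with the permissions sshd requires.

# Constructed sample public key line; not a real key.
SAMPLE_PUBKEY='ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEKEYDATA== ravi@ubuntu-desktop'

# install_pubkey PUBKEY_FILE SSH_DIR
# Appends the single key line in PUBKEY_FILE to SSH_DIR/authorized_keys unless
# an identical line is already present. Prints "added" or "present".
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    auth_keys="$ssh_dir/authorized_keys"

    # Create the directory and file if missing, then lock down permissions:
    # sshd (StrictModes yes, the default) refuses keys from a world- or
    # group-writable .ssh directory or authorized_keys file.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    key_line=$(cat "$pubkey_file")
    # -F fixed string, -x whole line, -q quiet: exact-line match only
    if grep -Fxq "$key_line" "$auth_keys"; then
        echo present
    else
        # printf guarantees a trailing newline even if the .pub file lacks one
        printf '%s\n' "$key_line" >> "$auth_keys"
        echo added
    fi
}

# count_keys SSH_DIR: number of key lines in SSH_DIR/authorized_keys.
count_keys() {
    wc -l < "$1/authorized_keys" | tr -d ' '
}

# Demo against a scratch directory standing in for the remote ~/.ssh.
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_PUBKEY" > "$demo_dir/id_dsa.pub"
install_pubkey "$demo_dir/id_dsa.pub" "$demo_dir/ssh"   # added
install_pubkey "$demo_dir/id_dsa.pub" "$demo_dir/ssh"   # present
echo "keys in authorized_keys: $(count_keys "$demo_dir/ssh")"
rm -rf "$demo_dir"
```

On the real remote machine you would call install_pubkey with the copied id_dsa.pub and $HOME/.ssh; because the function is idempotent it is safe to re-run from a provisioning script, which the plain cat redirection is not.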
References for further reading
SSH Keys @ wiki.archlinux.org
OpenSSH key management @ IBM Developerworks - Part 1, Part 2, and Part 3.
6 comments:
Your article got me thinking... you could extend this to synch up home directories on various machines, or remote backups automatically (and securely) Great article.
Very good and clear written article. Have added a link from my blog: /udev/random/source to yours
Hiro, look up rsync, it's a tool designed for syncing directories across several machines - and can use ssh/sftp as the method for doing this.
Agreed very useful article.
from http://artax.karlin.mff.cuni.cz/~kaspj0am/?file=howIdid.m2
save frequently visited SSH sites in SSH Shortcuts like so:
In "~/.ssh/config" I added the following lines
Host shortcut
User my_username
HostName real_host_name
And then I can simply log in via
ssh shortcut
One minor issue. This command is really not quite what you want:
$ scp ~/.ssh/id_rsa.pub remote_mc:.ssh/authorized_keys
because it will replace the authorized_keys on the remote machine with your new machines public key. Using that command, you can only have one machine at a time from which you could log in without a password. The authorized_keys file can have multiple keys in it. What probably should be done if the file exists, is the id_rsa.pub file should be appended to the end of the file. So maybe:
$ scp ~/.ssh/id_rsa.pub remote_mc:id_rsa.pub
$ ssh remote_mc "cat id_rsa.pub >> .ssh/authorized_keys; rm id_rsa.pub"
That will allow you to have any number of authorized machines you can log in from.
The best way to do this:
$ scp ~/.ssh/id_rsa.pub remote_mc:id_rsa.pub
$ ssh remote_mc "cat id_rsa.pub >> .ssh/authorized_keys; rm id_rsa.pub"
is
$ ssh-copy-id -i ~/.ssh/id_rsa.pub remote_mc