SSH keys

From ArchWiki

Revision as of 10:06, 10 March 2007 (minor edit: i18n links added)

Category: Security (English)
Category: Tutorials (English)

Using SSH-keys to connect to a server

Why use those keys?

Using SSH keys, to be precise a public/private key pair, is an easy way to connect to one server or a whole bunch of servers with a single passphrase, or with no password at all. You should prefer the passphrase plus ssh-agent combination!

First step - generating the keys

mith@middleearth||[[~]]:~ > ssh-keygen -b 2048 -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/mith/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/mith/.ssh/id_dsa.
Your public key has been saved in /home/mith/.ssh/id_dsa.pub.
The key fingerprint is:
x6:68:xx:93:98:8x:87:95:7x:2x:4x:x9:81:xx:56:94 mith@middleearth
mith@middleearth||[[~]]:~ >

What did we do? We generated a 2048-bit (-b 2048) DSA (-t dsa) public/private key pair with the ssh-keygen command. You can also create an RSA key (-t rsa). If you leave out the bit length parameter, ssh-keygen uses its default length for the chosen key type. Note that current OpenSSH only accepts DSA keys of exactly 1024 bits and, since OpenSSH 7.0, no longer accepts DSA keys for authentication by default (recent releases have dropped DSA entirely), so on a current system generate an Ed25519 key (-t ed25519) or a large RSA key (-t rsa -b 4096) instead; the rest of this page applies unchanged, only the file name (id_ed25519 or id_rsa instead of id_dsa) differs.
If you don't like the standard key name you can specify one with the -f name parameter.
During generation you are asked where to save the keys (I kept the standard path) and then for a passphrase. The passphrase encrypts the private key on disk; without one, anyone who copies id_dsa can log in wherever the matching public key is installed.
Now there are two paths you can follow, or "Choose your destiny" (as the guy from Mortal Kombat would say):
a) the short, easy but insecure way: use no passphrase, have easy access to your remote server, and worry about someone stealing your private key
b) the slightly longer, slightly less comfortable but secure way: use a passphrase together with ssh-agent and feel safe

Step 2 - copying your public key to the remote server {SAME for path A and B}

mith@middleearth||[[~]]:~ > scp .ssh/id_dsa.pub mith@metawire.org:

Copy the public key (id_dsa.pub) to your remote server via scp (note the : at the end of the server address; that way the file ends up in your home directory on the server, but you can specify another path if you like). Only the .pub file is copied; the private key (id_dsa) never leaves your machine.

Step 3 - log in to the remote computer and put your key into the right place {SAME for path A and B}

mith@middleearth||[[~]]:~ > ssh metawire.org
mith@metawire.org's password:
-bash-2.05b$ mkdir .ssh/
-bash-2.05b$ cat id_dsa.pub >> .ssh/authorized_keys
-bash-2.05b$ rm id_dsa.pub
-bash-2.05b$ chmod 700 .ssh
-bash-2.05b$ chmod 600 .ssh/authorized_keys

We connect to the remote server and use cat to append the content of id_dsa.pub to authorized_keys in the hidden directory .ssh (if .ssh doesn't exist yet, create it first with mkdir .ssh, as shown). Each line of authorized_keys is one public key; appending with >> keeps any keys that are already there, but it also adds a duplicate line if you run it twice.
Then we remove the uploaded copy of the public key (rm id_dsa.pub) and set the correct permissions on .ssh and authorized_keys. The permissions matter: with StrictModes (the default) sshd silently ignores authorized_keys if your home directory, .ssh or the file itself is writable by group or others, and you are simply asked for your password again without an obvious error on the client side. On current systems ssh-copy-id from the openssh package does steps 2 and 3 in one go.
Log out and log in again. Depending on the path you chose, you will or won't be asked for a passphrase. Path a ends here...
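The server-side part of steps 2 and 3 as a script, added here as an example and not part of the original page: it installs a key line into authorized_keys without creating duplicates and then checks the three permission bits sshd's StrictModes cares about. The paths are passed as arguments so it can be tried against a scratch directory, the helper names are this example's own, the permission check assumes GNU stat (Linux coreutils), and the key line in the usage comment is a constructed, fake key.

```bash
#!/bin/bash
# Added example (not from the page): install a public key into
# authorized_keys without duplicating it and check the permissions sshd
# needs before it will use the file. Paths are passed in so it can run
# against a scratch directory; helper names are this example's own.

# Append one public-key line to $home/.ssh/authorized_keys unless the exact
# line is already present (the plain "cat >> authorized_keys" from the page
# adds a duplicate every time it is run), then fix the permissions.
install_pubkey() {
    home="$1"
    keyline="$2"
    ak="$home/.ssh/authorized_keys"
    mkdir -p "$home/.ssh"
    touch "$ak"
    if ! grep -qxF -- "$keyline" "$ak"; then
        printf '%s\n' "$keyline" >> "$ak"
    fi
    chmod 700 "$home/.ssh"
    chmod 600 "$ak"
}

# Number of keys currently installed (one per line).
key_count() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# Octal permission bits of a path (assumes GNU stat, i.e. Linux coreutils).
mode_of() {
    stat -c '%a' "$1"
}

# sshd (StrictModes yes, the default) ignores authorized_keys when the home
# directory, .ssh or the file itself is writable by group or others.
# Returns 0 when all three are acceptable, 1 (with a message) otherwise.
check_perms() {
    home="$1"
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        m=$(mode_of "$p")
        # the last two octal digits are group and other; 2,3,6,7 include write
        case "$m" in
            *[2367][0-7]|*[0-7][2367])
                echo "refused: $p has mode $m (group/other writable)" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Usage on the server: ./install_key.sh "$HOME" "$(cat id_dsa.pub)"
# (the key argument is whatever ssh-keygen wrote to id_dsa.pub)
if [ "$#" -eq 2 ]; then
    install_pubkey "$1" "$2" && check_perms "$1"
fi
```

If check_perms complains, fix the mode it names (chmod go-w on the home directory is the usual culprit) before looking anywhere else; a rejected authorized_keys looks exactly like a missing one from the client.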

...path b continues...

Now what makes this path almost as easy as a no-passphrase key? The magic word is ssh-agent. The agent asks you for your passphrase once per session, decrypts the private key and keeps it in memory; from then on, whenever ssh would need the key, it asks the agent to perform the signature, so you never type the passphrase again and the key on disk stays encrypted. ssh-agent is included in the openssh package, so no trouble there...

mith@middleearth||[[~]]:~ > ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-vEGjCM2147/agent.2147; export SSH_AUTH_SOCK;
echo Agent pid 2148;

When you run ssh-agent on its own it only prints the shell commands that would set the environment variables ssh uses to find the agent's socket. To actually set them in your current shell, run

mith@middleearth||[[~]]:~ > eval `ssh-agent`
Agent pid 2157

The process id will vary for you, of course. Adding eval `ssh-agent` to your .bashrc starts an agent every time you open a new shell, but note that this gives you a separate agent per shell, each of which needs its own ssh-add and keeps running after the shell exits; the keychain section below avoids that.
Now that ssh-agent is running, we need to tell it which private key to load and where it is.

mith@middleearth||[[~]]:~ > ssh-add .ssh/id_dsa
Enter passphrase for .ssh/id_dsa:
Identity added: .ssh/id_dsa (.ssh/id_dsa)

We were asked for our passphrase, entered it, and that's all. Now you can log in to the remote server without entering a password, while your private key on disk stays passphrase-protected. Sweet, isn't it? The only downside is that, started this way, a new instance of ssh-agent is created for every console (shell) you open, so you have to run ssh-add again on each one. There is a workaround for that with a program, or rather a script, called keychain, which is covered in the next part.

Using keychain

Keychain manages one or more specified private keys. It starts a single ssh-agent, asks you for the passphrase of each key on your first login and loads it into that agent, then writes the agent's environment to a file that later shells source, so that all your shells share the one agent. That way your private key stays passphrase-protected but you won't have to enter the passphrase over and over again.

Get the package and install it.
Edit your ~/.bashrc and add the following lines:

/usr/bin/keychain ~/.ssh/id_dsa
[[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh

I am aware that not everyone uses bash. Run keychain --help and it will tell you how to set it up for other shells.
Close your shell and open it again. Keychain should come up and, if it's your first run, ask you for the passphrase of the specified private key.
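To make clear what keychain does for you behind the sourced $HOME/.keychain/$HOSTNAME-sh file, and why the one-agent-per-shell downside of eval `ssh-agent` goes away, here is the same mechanism written out as an added example; it is not keychain's code nor from the original page. The env file path, the liveness check and the helper names are this example's own choices; the ssh-agent output it parses is the format ssh-agent -s prints (the sample in the test is constructed from the page's transcript).

```bash
#!/bin/bash
# Added example (not from the page, not keychain's code): share one ssh-agent
# between all your shells by saving its environment to a file, the same idea
# keychain implements with ~/.keychain/$HOSTNAME-sh. File path, liveness check
# and helper names are this example's own choices.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"

# ssh-agent -s prints Bourne-shell commands, e.g.
#   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.2147; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=2148; export SSH_AGENT_PID;
#   echo Agent pid 2148;
# Reduce that (read from stdin) to two plain KEY=VALUE lines that can be
# stored and sourced later; the pid is taken from the "Agent pid" line.
agent_env_from_output() {
    sed -n \
        -e 's/^SSH_AUTH_SOCK=\([^;]*\);.*/SSH_AUTH_SOCK=\1/p' \
        -e 's/^echo Agent pid \([0-9]*\);.*/SSH_AGENT_PID=\1/p'
}

# An agent is usable only if its socket still exists and its process is alive;
# stale env files are left behind after a reboot or a killed agent.
agent_alive() {
    [ -S "$1" ] && kill -0 "$2" 2>/dev/null
}

# Reuse the saved agent if it is alive, otherwise start a new one and save it.
# The env file reveals the socket path, so it is written with umask 077.
start_or_reuse_agent() {
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV"
        if agent_alive "$SSH_AUTH_SOCK" "$SSH_AGENT_PID"; then
            export SSH_AUTH_SOCK SSH_AGENT_PID
            return 0
        fi
    fi
    (umask 077; ssh-agent -s | agent_env_from_output > "$AGENT_ENV")
    . "$AGENT_ENV"
    export SSH_AUTH_SOCK SSH_AGENT_PID
}

# In ~/.bashrc, instead of eval `ssh-agent`:
#   . /path/to/this-script; start_or_reuse_agent
# Then run "ssh-add ~/.ssh/id_dsa" once; every later shell finds the same
# agent (ssh-add -l lists what it holds) until you log out or reboot.
```

The liveness check is what keeps this from silently pointing new shells at a dead socket; without it the first ssh in a new session fails with "Could not open a connection to your authentication agent" and you are back to typing the passphrase.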

Useful links / information