Talk:SSH keys

From ArchWiki
Revision as of 04:24, 23 March 2011 by Ryeguy146 (talk | contribs) (Minor addition suggested to GnuPG implementation.)

Maybe the default 2048 bit rsa key is better? Vogt 01:54, 31 August 2008 (EDT)

I have just completed a tidyup, this including removing the section on connection control as I deemed it irrelevant. If needed, it is available in the history. Thelucster 13:51, 13 April 2009 (EDT)

I'm hesitant to make the edit myself, as I'm new to the whole 'wiki' thing, but I noticed that the GnuPG instructions here seem incomplete. After following them several times myself, I turned to the man pages and found the solution. See below: Ryeguy146 21:19, 22 March 2011 (PDT)


Sometimes the 'ssh-add' is not enough to log in without a password. It is possible that ssh is configured in such a way that only a limited group of users is allowed onto the machine. In this case - you need root access to the server! - you have to change the configuration file. Mostly you can find it as /etc/ssh/sshd_config. If the last line(s) of this file read(s): 'AllowUsers <username>', you will have to add a similar line with your own username. Don't forget to restart the ssh daemon: '/etc/init.d/sshd restart'.

Using pam_ssh module

I just want to add that one could also use the pam_ssh module, available here or in the AUR, to decrypt the ssh key on login and automatically start ssh-agent and add the keys. This way one would have a truly password-less ssh session and at the same time not compromise security by using a passphrase-less key.


The current wiki entry tells you to "$ echo 'eval `ssh-agent`' >> ~/.bashrc", which will spawn a new ssh-agent every time. I think a more elegant way is to add only the export commands of ssh-agent to the .bashrc, so one ssh-agent can be used from every shell. This could be put in a small wrapper script:

#!/bin/sh
# check if ssh-agent is already running
if [ -n "`ps -e | grep ssh-agent`" ]; then
        echo "ssh-agent is already running" >&2
        exit 1
fi
# get new sock and pid (the first two lines of ssh-agent's output)
agent=`ssh-agent | head -2`
# delete old sock, pid and comment from ~/.bashrc
sed -i -e "/SSH_\(AUTH_SOCK\|AGENT_PID\)/d" ~/.bashrc
# insert new sock and pid for new shells
echo "# auto generated SSH_AUTH_SOCK and SSH_AGENT_PID" >> ~/.bashrc
echo "$agent" >> ~/.bashrc
# print them again for evaluation in the current shell
echo "$agent"

$ eval `./`

This would make ssh-agent available in the current and all new shells.

Be sure you have added the key to your /etc/ssh/ssh_config:

IdentityFile path/to/key
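A variant of the same idea, added here as an example and not taken from any comment on this page: instead of rewriting ~/.bashrc, the agent's environment is kept in a small state file (the path ~/.ssh/agent.env is an assumption) and a new ssh-agent is started only when no existing one answers, so every shell shares one agent.

```shell
#!/bin/sh
# Share one ssh-agent across shells via a state file instead of editing
# ~/.bashrc. Source this file from ~/.bashrc and call start_or_reuse_agent.
# The state-file path is an assumption for this example.
AGENT_ENV="${HOME}/.ssh/agent.env"

# agent_usable: succeed when the agent behind $SSH_AUTH_SOCK answers.
# `ssh-add -l` exits 0 (keys loaded) or 1 (reachable, no keys) for a live
# agent and 2 when it cannot connect; anything else (e.g. 127, no ssh-add)
# is also treated as unusable.
agent_usable() {
    [ -n "$SSH_AUTH_SOCK" ] || return 1
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case "$rc" in
        0|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# agent_env_from_output: keep only the two variable lines of `ssh-agent -s`
# output, dropping the trailing "echo Agent pid ..." line so that sourcing
# the state file stays silent.
agent_env_from_output() {
    printf '%s\n' "$1" | grep -E '^SSH_(AUTH_SOCK|AGENT_PID)='
}

start_or_reuse_agent() {
    # 1. an agent inherited or forwarded into this shell is already usable
    agent_usable && return 0
    # 2. otherwise try the environment saved by an earlier shell
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV"
        agent_usable && return 0
    fi
    # 3. no live agent: start one and save its environment, readable only
    #    by the owner (the socket path is all a local attacker would need)
    umask 077
    agent_env_from_output "$(ssh-agent -s)" > "$AGENT_ENV"
    . "$AGENT_ENV"
    agent_usable
}
```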

Alternative to manual key installation

We might want to mention that there's a script called 'ssh-copy-id' which comes with OpenSSH that installs your public key in a remote machine's authorized_keys. There are a few caveats with it (it changes permissions of the user home directory, which should be a no-op in most situations; see the man page of ssh-copy-id -- and it also tells the user to make sure the script hasn't added extra keys, which might be a bit confusing for some).


In addition to the /etc/profile.d script described, the man pages for gnupg2 call for the following to be called for each session (edited in accordance with existing instructions):

if [ -f "${HOME}/.gnupg/" ]; then
   # source the agent info file and export its variables for this session
   . "${HOME}/.gnupg/"
   export GPG_AGENT_INFO
   export SSH_AUTH_SOCK
fi


Prior to adding this to my .zshrc file, caching of the ssh key did not function without exporting the variables manually. Of course, there may be better ways to implement this, and I leave this merely as a suggestion.