Sunday, January 23, 2011

Setting up public key authentication for SSH

If you're like me, you remote into a handful of servers using SSH all the time. The process is fairly simple:

  1. Get to a terminal
  2. ssh username@hostname
  3. Type password
  4. Get to work

No, it's not terribly difficult, but when you have to type that password fifty times per day, you begin to realize that it's time-consuming and repetitive. And there happens to be a way to eliminate that step from the process.

The SSH protocol supports authentication by public keys, and setting this up is a trivial matter. The configuration process goes something like this:

  1. Generate a key for your client system
  2. Put it on the server

One prerequisite: your SSH server must have public key authentication enabled. This is usually the case by default, but if you want to check, you can look in your /etc/ssh/sshd_config file. Try this:

grep 'PubkeyAuth' /etc/ssh/sshd_config

If the output is

PubkeyAuthentication yes

then you're safe to continue. Otherwise, you'll have to make the change in that file and restart the SSH server. There are a few ways to accomplish this, and I won't go into them here because it's not the point.

The point is that once this is ready, you can create your RSA key on the client machine. This is the first step toward getting this done. On the client machine, run

ssh-keygen -t rsa

You'll be asked for a filename. Just press enter to accept the default, which is probably ~/.ssh/id_rsa.

You'll also be asked for a passphrase, which is optional. If the point is to eliminate having to enter a password with every SSH connection, it's best to supply no passphrase; keep in mind that anyone who obtains a passphrase-less private key file can use it to log in. You'll also be asked to confirm the passphrase.

When done, you'll get a printout of your fingerprint and you'll return to a prompt.

Now we need to check this file's permissions. We don't want any other users to be able to read this pubkey file lest they compromise your authentication.

chmod 600 ~/.ssh/id_rsa.pub

EDIT: Commenter FKereki rightly points out a simpler and better way to accomplish the publication of your public key to your server. You can (and should) run:

ssh-copy-id username@hostname

This command makes sure that the pubkey is added to the appropriate file, and it makes sure nothing gets lost. This is the best possible way to accomplish this task if the command is available to you. However, should you be working in a system where this isn't available (such as a Solaris environment), you can use the following steps to make things work.

Copy your public key to the server as a specific filename. Note that this replaces any authorized_keys file that already exists on the server.

scp ~/.ssh/id_rsa.pub username@server:~/.ssh/authorized_keys

Make sure the authorized_keys file has the same permissions so it won't be compromised.

The next time you log in from this client machine, you won't be asked for your password.
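For systems without ssh-copy-id, the manual step can be done without overwriting keys that are already authorized. The following is an added example, not code from the original post: it assumes the public key was first copied to a temporary path on the server, and the function name install_pubkey and its arguments are chosen for this example.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys instead of replacing
# the file. install_pubkey and its arguments are names chosen for this example.
#   $1 = public key file copied to the server, e.g. /tmp/id_rsa.pub
#   $2 = target directory (defaults to ~/.ssh)
install_pubkey() {
    pubkey_file=$1
    ssh_dir=${2:-$HOME/.ssh}
    auth_file=$ssh_dir/authorized_keys

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }

    # A .pub file is exactly one line; a private key is a multi-line block.
    if [ "$(grep -c '' "$pubkey_file")" -ne 1 ]; then
        echo "$pubkey_file is not a single-line public key" >&2
        return 1
    fi
    key=$(cat "$pubkey_file")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "unrecognized key type in $pubkey_file" >&2; return 1 ;;
    esac

    # Owner-only directory and file.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # If the existing file lacks a trailing newline, add one so the new key
    # does not get glued onto the last existing entry.
    if [ -n "$(tail -c 1 "$auth_file")" ]; then
        echo >> "$auth_file"
    fi

    # Append (>>) rather than replace, and skip a key that is already listed.
    if ! grep -qxF -- "$key" "$auth_file"; then
        printf '%s\n' "$key" >> "$auth_file"
    fi
}
```

Run it on the server as `install_pubkey /tmp/id_rsa.pub`; running it a second time with the same key leaves the file unchanged.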

5 comments:

  1. Rather than copying the public key file with scp, it's better to use "ssh-copy-id", which takes care of everything -- even of picking the correct authorized_keys OR authorized_keys2 destination file (though the latter is deprecated by now).

  3. You can also use gnome-keyring, which can do everything for you.
    It creates a key (with an optional passphrase), handles the server upload (you just need to give it your remote account details - password and username) and works flawlessly.

  4. Using SCP will overwrite authorized_keys on the remote host, so something more like this would probably be better:
    cat ~/.ssh/id_rsa.pub | ssh user@host sh -c 'cat >> ~/.ssh/authorized_keys'
