Key-Based SSH Login (Optionally with No Passphrase)
Note! OpenSSH was used in these examples! Your mileage may vary!
Goal 1: log onto destination.com from source.com using RSA public/private key cryptography (bypassing destination.com's /etc/passwd).
Starting on machine named source.com:
Generate an rsa private/public key pair. The private key is kept encrypted in a file to keep it safe; you enter the passphrase that ssh will prompt for whenever it requires your private key to do some decryption. Note how, in this example, I enter a passphrase when prompted.
[someuser@source.com ~]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/someuser/.ssh/id_rsa):    # just press enter
Created directory '/home/someuser/.ssh'.
Enter passphrase (empty for no passphrase): *******
Enter same passphrase again: *******
Your identification has been saved in /home/someuser/.ssh/id_rsa.
Your public key has been saved in /home/someuser/.ssh/id_rsa.pub.
The key fingerprint is:
a7:bf:31:fe:63:70:d9:d7:b0:65:e8:b1:e6:a1:1a:b6 someuser@source.com
Now let's copy our public key up to destination.com, where we want to be able to log in using private/public key cryptography.
[someuser@source.com ~]$ scp .ssh/id_rsa.pub someuser@destination.com:
The authenticity of host 'destination.com (64.34.162.151)' can't be established.
RSA key fingerprint is 38:ab:c0:91:3a:47:50:8f:e5:2b:01:27:12:62:dc:70.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'destination.com,64.34.162.151' (RSA) to the list of known hosts.
someuser@destination.com's password: *******
id_rsa.pub                                    100%  236     0.2KB/s   00:00
Now log into destination.com.
[someuser@source.com ~]$ ssh someuser@destination.com
someuser@destination.com's password:
Last login: Fri Aug 26 21:56:19 2005 from source.com
I did not already have a .ssh directory in my home directory; you may.
[someuser@destination.com ~]$ mkdir .ssh
WARNING! Because I know .ssh/authorized_keys does not exist, I know that I can clobber it! I just copy id_rsa.pub to that file. If that file already exists in your home directory, append id_rsa.pub to the end of it instead of copying over it.
[someuser@destination.com ~]$ cp id_rsa.pub .ssh/authorized_keys
WARNING! Pay close attention to file permissions in this next section; ssh will *refuse* to do public key signon, and will fall back to password signon, if any of these file permissions is incorrect!
I want to ensure my user is the only user reading and writing my authorized keys file.
[someuser@destination.com ~]$ chmod 600 .ssh/authorized_keys
I want to ensure my user is the only user reading and writing files in my .ssh directory:
[someuser@destination.com ~]$ chmod 700 .ssh
I want to ensure the ssh daemon can see my ssh config files. This actually entails opening up file permissions on your home directory compared to the defaults of some distributions like Fedora!
[someuser@destination.com ~]$ ls -l /home
drwx------   3 someuser someuser 4096 Jun  9  2006 someuser    # sshd cannot read!
[someuser@destination.com ~]$ chmod 755 /home/someuser
[someuser@destination.com ~]$ ls -l /home
drwxr-xr-x  23 someuser someuser 4096 Apr 13 22:06 someuser    # that's better
Now I want to exit my connection so that I can test connecting using RSA public/private key cryptography.
[someuser@destination.com ~]$ exit
Connection to destination.com closed.
Here goes...
[someuser@source.com ~]$ ssh someuser@destination.com
Enter passphrase for key '/home/someuser/.ssh/id_rsa': *******
Last login: Sat Aug 27 21:28:59 2005 from 66.135.32.165
Note how, above, I was prompted for the passphrase to my private key, and not for the password in destination.com's /etc/passwd file!
This means it worked!
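The destination-side steps above (append the public key without clobbering an existing authorized_keys, then set the 600/700 modes sshd insists on) as one script. This is an added example, not code from the original page; it takes the home directory as a parameter so it can be tried against a scratch directory, and the permission check applies the page's modes plus sshd's StrictModes rule that none of the path may be group- or world-writable.

```shell
#!/bin/sh
# Added example (not from the original page): install a public key into
# authorized_keys without overwriting existing entries, apply the modes the
# page calls for, and verify them. Home directory is a parameter so the
# functions can be exercised on a scratch directory instead of a real home.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# install_authorized_key <id_rsa.pub> <home_dir>
install_authorized_key() {
    pubkey_file=$1
    ssh_dir="$2/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    # A public key line is "type base64blob comment"; match on the blob so a
    # key re-sent with a different comment does not become a duplicate entry.
    key_blob=$(awk 'NF >= 2 {print $2; exit}' "$pubkey_file")
    [ -n "$key_blob" ] || { echo "no key material in $pubkey_file" >&2; return 1; }
    mkdir -p "$ssh_dir"
    # Append (never cp over the file) unless this key is already present.
    if ! { [ -f "$auth_file" ] && grep -qF -- "$key_blob" "$auth_file"; }; then
        cat "$pubkey_file" >> "$auth_file"
    fi
    chmod 700 "$ssh_dir"          # only the owner may use the directory
    chmod 600 "$auth_file"        # only the owner may read/write the keys
}

# check_ssh_perms <home_dir>: return 0 when the permissions are in place,
# 1 (with the reason on stderr) otherwise; sshd silently falls back to
# password login when any of these is wrong.
check_ssh_perms() {
    home_dir=$1
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"
    status=0
    # Home must not be group/world writable (StrictModes); a write bit shows
    # up as 2, 3, 6 or 7 in the group (second-last) or other (last) digit.
    case $(mode_of "$home_dir") in
        *[2367]|*[2367]?) echo "home is group/world writable: $home_dir" >&2; status=1 ;;
    esac
    [ "$(mode_of "$ssh_dir")" = 700 ] ||
        { echo ".ssh is not mode 700: $ssh_dir" >&2; status=1; }
    [ "$(mode_of "$auth_file")" = 600 ] ||
        { echo "authorized_keys is not mode 600: $auth_file" >&2; status=1; }
    return $status
}
```

Run check_ssh_perms against the real home before the "Here goes..." test; a non-zero exit tells you which path will make sshd ignore the key.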
Goal 2: Make it so that you only have to enter your passphrase once per session.
When you first log on to your account, and especially before you start X (you do keep your computer at run-level 3, don't you?), do the following:
[someuser@source ~]$ ssh-agent $SHELL
[someuser@source ~]$ ssh-add
Enter passphrase for /home/someuser/.ssh/id_rsa: ********
Identity added: /home/someuser/.ssh/id_rsa (/home/someuser/.ssh/id_rsa)
[someuser@source ~]$
Goal 3: Make decrypting your private key not require a passphrase. (This is handy for situations where you need automated logins and where using ssh-agent is not practical.)
Solution: At the step above where you generate your private key (ssh-keygen -t rsa), just press enter when prompted for a passphrase. It's that easy!
Warning: You must keep your private key especially safe when you do not have it protected by a passphrase!