OpenSSH Public Key Authentication

Posted in Linux Corner on March 16th, 2010 by Friedrich Schäuffelhut

I have used ssh since the mid 90s when I first heard of it, dumping rsh and friends. Public key authentication feels natural to me and I use it on every machine I have access to. But I'm always amazed how many people do not know how to deal with ssh public key authentication. But hey, it is simple, so don't be scared!

To use public key authentication you obviously need a key, or more precisely a pair of keys: a private and a public one. You'll keep the private one secret and protect it with a passphrase. The public one is the one you'll copy onto another machine, so it can verify that it's you who wants to log in.

1. Creating your key

How do you create your key pair? If you use OpenSSH, simply type ssh-keygen at your shell prompt and press return. To accept the proposed key file name and location, hit return; then type in your passphrase and hit return, retype your passphrase and hit return, and you are done. In detail the dialogue will look as follows (your own input follows each prompt, [RETURN] means hit return):

localhost:~/.ssh$ ssh-keygen[RETURN]
Generating public/private rsa key pair.
Enter file in which to save the key (/home/guest/.ssh/id_rsa): [RETURN]
Enter passphrase (empty for no passphrase): Some Passphrase[RETURN]
Enter same passphrase again: Some Passphrase[RETURN]
Your identification has been saved in /home/guest/.ssh/id_rsa.
Your public key has been saved in /home/guest/.ssh/id_rsa.pub.
The key fingerprint is:
2b:01:d0:36:16:a0:c8:85:48:1e:41:56:ca:23:2d:55 guest@sandstorm
The key's randomart image is:
+--[ RSA 2048]----+
|+*B*E.           |
|B=+.=            |
|=*.o..           |
|...  .           |
|      . S        |
|       . .       |
|      . .        |
|       .         |
|                 |
+-----------------+

2. Installing your public key on a remote machine

Installing your public key on a remote machine involves two steps:

  1. Copying the public key onto the remote machine
  2. Appending the public key to the ~/.ssh/authorized_keys file.

There are several ways of achieving this. I'll show two methods here. One is ssh-copy-id. The other one is the manual approach using scp, ssh and cat.

2.1 Using ssh-copy-id:

For quite a while now OpenSSH has shipped with a convenient tool called ssh-copy-id. It will do all the magic for you and install your public key onto a remote host (provided you may log into the remote machine using a user name and password). As it is so convenient I prefer using ssh-copy-id whenever possible. Here is how it works:

localhost:~$ ssh-copy-id -i .ssh/id_rsa.pub account@ip-or-hostname[RETURN]
Password: Your Password[RETURN]
Now try logging into the machine, with "ssh 'account@ip-or-hostname'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.

localhost:~$

That’s it. You may now log into the remote machine. But from now on you’ll be asked for the passphrase of your key instead of your account password.

localhost:~$ ssh  account@ip-or-hostname[RETURN]
Enter passphrase for key '/home/guest/.ssh/id_rsa':
Last login: Wed Mar 17 17:23:41 2010 from localhost
remotehost:~$

2.2 The manual method:

ssh-copy-id may not always be available. It might be that you're not allowed to log into your account directly using a user name and password. There are many reasons why ssh-copy-id might not work for you. So I present the manual method, which you might need to adapt to your environment and needs.

First copy your public key. It will be located at ~/.ssh/id_rsa.pub if you accepted the default key name and location upon key creation.

localhost:~$ scp .ssh/id_rsa.pub account@ip-or-hostname:key.pub[RETURN]
Password: Type Your Password[RETURN]
id_rsa.pub                                    100%  397     0.4KB/s   00:00

Next you'll have to log into the remote machine and append the transferred key to the ~/.ssh/authorized_keys file. The following snippet will also make sure the ~/.ssh directory exists in your home directory.

localhost:~$ ssh  account@ip-or-hostname[RETURN]
Last login: Wed Mar 17 17:12:14 2010 from localhost
remotehost:~$ [ -d ~/.ssh ] || ( mkdir ~/.ssh; chmod 700 ~/.ssh )[RETURN]
remotehost:~$ ls -ld .ssh[RETURN]
drwx------ 2 guest users 4096 2010-03-17 17:18 .ssh
remotehost:~$ cat key.pub >> ~/.ssh/authorized_keys[RETURN]
remotehost:~$ exit[RETURN]

Done! Now you may log into the remote machine again. But from now on you’ll be asked for the passphrase of your key instead of your account password.

localhost:~$ ssh  account@ip-or-hostname[RETURN]
Enter passphrase for key '/home/guest/.ssh/id_rsa':
Last login: Wed Mar 17 17:23:41 2010 from localhost
remotehost:~$

Of course you could achieve the same thing with a single command, piping the contents of .ssh/id_rsa.pub (the public key, never the private id_rsa) through the ssh connection directly into cat. This also avoids creating a temporary file holding the public key on the remote host.

localhost:~$ cat ~/.ssh/id_rsa.pub | ssh account@ip-or-hostname '[ -d ~/.ssh ] || ( mkdir ~/.ssh; chmod 700 ~/.ssh ); cat - >> ~/.ssh/authorized_keys'[RETURN]
Password:
localhost:~$
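The manual steps above (create ~/.ssh with mode 700, append the key) as one reusable shell function. This is an added example, not code from the original post: it also refuses files that do not look like an OpenSSH public key, skips the append when the same key line is already installed (so repeated runs do not pile up duplicates, the situation the ssh-copy-id reminder warns about), and keeps authorized_keys at mode 600 so sshd's StrictModes check accepts it. The optional second parameter (target home directory) is an assumption added here so the function can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original post.
# Usage: install_authorized_key /path/to/id_rsa.pub [target_home]
# target_home defaults to $HOME; it exists only so the function can be
# tested against a scratch directory instead of a real account.
install_authorized_key() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }

    # An OpenSSH public key line starts with the key type, e.g.
    # "ssh-rsa AAAA... comment". Anything else (a private key, a random
    # file) must not end up in authorized_keys.
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        "ssh-rsa "*|"ssh-ed25519 "*|ecdsa-sha2-*" "*) ;;
        *) echo "$pubkey_file is not an OpenSSH public key" >&2; return 1 ;;
    esac

    # Same as: [ -d ~/.ssh ] || ( mkdir ~/.ssh; chmod 700 ~/.ssh )
    if [ ! -d "$ssh_dir" ]; then
        mkdir "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    fi

    # Exact-line match: do not append a key that is already installed.
    if [ -f "$auth_keys" ] && grep -qxF "$key_line" "$auth_keys"; then
        echo "key already present in $auth_keys"
        return 0
    fi

    # Append and keep the file private (sshd rejects group/world-writable
    # authorized_keys when StrictModes is on, which is the default).
    printf '%s\n' "$key_line" >> "$auth_keys" && chmod 600 "$auth_keys"
}

# Number of key entries in authorized_keys for a given home directory, for
# the "make sure we haven't added extra keys" check ssh-copy-id suggests.
count_authorized_keys() {
    auth_keys="${1:-$HOME}/.ssh/authorized_keys"
    [ -f "$auth_keys" ] || { echo 0; return 0; }
    grep -c '^[a-z]' "$auth_keys" || true
}
```

After scp'ing key.pub as in the session above, paste the function into the remote shell and run install_authorized_key ~/key.pub; it is safe to rerun.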

As I said, there are many ways to get the job done.
