Saturday, January 22, 2011

Setting up SSH keys

If you manage more than one or two hosts, you likely have to type the same password too often. SSH allows you to setup a public and private keypair. Using these keys, you can connect to any host which has the public key, from any host which has the private key, typing your password only once.

The first thing you must do is generate a keypair. You should be able to do this with the command ssh-keygen -t rsa. Example:

flaca@anneke:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/flaca/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/flaca/.ssh/id_rsa.
Your public key has been saved in /home/flaca/.ssh/id_rsa.pub.
The key fingerprint is:
95:40:8e:c4:ad:5e:a2:74:6d:5e:86:71:c7:91:d7:aa flaca@flaca-laptop
The key's randomart image is:
+--[ RSA 2048]----+
|     ..oo  ..o . |
|     ..oo...+ . .|
|      .o.+o. . . |
|    . + =.o   .  |
|   . + =So   .   |
|    . . .   E    |
|                 |
|                 |
|                 |
+-----------------+
flaca@anneke:~$ 

The private key is in a file named id_rsa, the public key is named id_rsa.pub. Both files are stored in the .ssh directory, inside the user home directory, or ~/.ssh

flaca@anneke:~$ ls -l ~/.ssh/
total 12
-rw------- 1 flaca flaca 1766 2011-01-22 13:11 id_rsa
-rw-r--r-- 1 flaca flaca  410 2011-01-22 13:11 id_rsa.pub
-rw-r--r-- 1 flaca flaca  442 2011-01-22 12:48 known_hosts
flaca@anneke:~$ 

Now all we have to do is install the public key. First, we going to install it on the host which we generated the key. (Its not installed automatically, even on the host you create it on.) All we need to do, is go into the ~/.ssh/ directory and create a file called authorized_keys, with the contents of the public key, id_rsa.pub.

flaca@anneke:~$ cd ~/.ssh/
flaca@anneke:~/.ssh$ cat id_rsa.pub > authorized_keys
flaca@anneke:~/.ssh$ chmod 600 authorized_keys
flaca@anneke:~/.ssh$

As you can see below, we'll now able to use the key. It asks for a passphrase every time we login. (NOTE: The passphrase is NOT the users password. The passphrase is whatever you entered when you generated the key.) We will eliminate down the page a few paragraphs.

flaca@anneke:~/.ssh$ ssh flaca@anneke
Enter passphrase for key '/home/flaca/.ssh/id_rsa':
Last login: Sat Jan 22 13:27:26 2011 from 192.168.1.103
flaca@anneke:~$ exit
logout
Connection to www closed.

If your comfortable installing the key, skip to the next paragraph. We'll now going to install the key on a remote host.

flaca@anneke:~/.ssh$ cat id_rsa.pub | ssh 192.168.1.100 'cd .ssh; cat >> authorized_keys; chmod 600 authorized_keys'
flaca@192.168.1.100's password: 
flaca@anneke:~/.ssh$ 

Note: if the .ssh directory does not exist, you may need to add “test -d .ssh || mkdir .ssh && chmod 700 .ssh” to your command.

You can use ssh-agent to startup a process which will store your key while logged in. This allows you to type the password to a key once, at login. After this, ssh will communicate with the ssh-agent to obtain the credentials needed. Below is a manual example.

flaca@anneke:~/.ssh$ eval `ssh-agent`
Agent pid 4334
flaca@anneke:~/.ssh$ ssh-add ~/.ssh/id_rsa
Enter passphrase for /home/flaca/.ssh/id_rsa: 
Identity added: /home/flaca/.ssh/id_rsa (/home/flaca/.ssh/id_rsa)
flaca@anneke:~/.ssh$ ssh 192.168.1.100
Linux anakin 2.6.31-22-generic #71-Ubuntu SMP Thu Jan 6 22:47:22 UTC 2011 i686


To access official Ubuntu documentation, please visit:
http://help.ubuntu.com/


Last login: Sat Jan 22 13:24:17 2011 from 192.168.1.103


flaca@anakin:~$ logout
Connection to 192.168.1.100 closed.
flaca@anneke:~/.ssh$ 

A more useful method is to have it startup when you login and die when you logout. The following code can be placed in your .bash_profile to achieve this:

if [ -z "$SSH_AUTH_SOCK" ]; then
 eval `ssh-agent`
 trap "kill $SSH_AGENT_PID" 0
fi

I hope this post will be useful for you! Stay Heavy, my tuxs friends.