How? Read on.
Generating Keys
First, you must have at least one "key pair." I keep one key of each type so that I can authenticate with both SSH protocol versions 1 and 2 (the rsa1 key in ~/.ssh/identity is for protocol 1; id_rsa and id_dsa are for protocol 2). To generate your public/private key pairs, run ssh-keygen like so:
# Protocol 2 RSA key, 4096 bits
ssh-keygen -b 4096 -C "$USER@$HOSTNAME `date '+%Y-%m-%d %H:%M %z'`" -t rsa -f ~/.ssh/id_rsa
# Protocol 1 RSA key, 4096 bits
ssh-keygen -b 4096 -C "$USER@$HOSTNAME `date '+%Y-%m-%d %H:%M %z'`" -t rsa1 -f ~/.ssh/identity
# Protocol 2 DSA key; no -b because DSA keys are always 1024 bits
ssh-keygen -C "$USER@$HOSTNAME `date '+%Y-%m-%d %H:%M %z'`" -t dsa -f ~/.ssh/id_dsa
I recommend using the same passphrase for each. If you're paranoid, you should do this on a freshly-installed system which is not, and has not ever been, plugged into the Internet. Adjust these guidelines to suit your level of paranoia.
Starting the Authentication Agent
You always want to start the authentication agent, ssh-agent, on your local machine, and you should only start a single copy. To accomplish this, I use the following snippet in my .xsession file to check for, and start if needed, the agent process when I log in under X:
# Setup ssh environment
# Reuse the environment of a previously started agent, if one was saved.
if [ -f $HOME/.ssh-agent ]; then
    . $HOME/.ssh-agent
fi
# ssh-add -l exits 0 only when an agent is reachable and holds at least one key
# (1 = agent reachable but empty, 2 = no agent); anything else starts a fresh one.
if (ssh-add -l >/dev/null 2>&1); then
    echo "Found valid ssh-agent at $SSH_AGENT_PID."
else
    killall ssh-agent
    rm -f $HOME/.ssh-agent*
    # Keep only the SSH_AUTH_SOCK/SSH_AGENT_PID export lines, not the "echo Agent pid" line.
    ssh-agent -s | grep ^SSH > $HOME/.ssh-agent
    . $HOME/.ssh-agent
fi
NOTE: If you run GNOME or KDE, your .xsession file may not be used! If that is the case, try putting the code above in your .bashrc file instead. You may want to comment out the echo statement if it annoys you.
Adding Your Identity
Once you've logged in (and, thanks to the script above, started an ssh-agent process), you need to add your identity to the agent so that it can authenticate you remotely. The ssh-add command, among other things, allows you to do this. Just run it and type your passphrase when prompted; ssh-add -l afterwards should list the key the agent now holds.
Remote Host Setup
Now you need to set up your keys on the remote hosts you plan to log in to. The mechanism works similarly to the old-fashioned .rhosts mechanism, except that your identity is authenticated (i.e., proven) by possession of the private key, which your passphrase protects on disk, as opposed to simply your UID on the remote system.
As with all public/private key methods, the remote hosts should ONLY be given your public key. Private key files should be restricted to only those local machines from which you plan to (1) launch a separate authentication agent, and (2) ssh to other hosts. In other words, keep your private key only on the local machine!
Here's how you create the necessary files:
cd $HOME/.ssh
# id*.pub also matches identity.pub, so authorized_keys gets all three keys
cat id*.pub > authorized_keys
# id_*.pub matches only the protocol 2 keys (id_rsa.pub and id_dsa.pub)
cat id_*.pub > authorized_keys2
Obviously, you should make sure identity.pub, id_dsa.pub, and id_rsa.pub are the only *.pub files you have in your .ssh directory at the time.
Now you just have to put the authorized_keys* files in ~/.ssh on any machine you want to SSH to without a UNIX password. Make sure they're owned by your userid and have permissions 0600, and that ~/.ssh itself is 0700! sshd's StrictModes setting, which is on by default, silently ignores your keys if the files, ~/.ssh, or your home directory are writable by anyone else.
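The remote-host setup above, gathered into a script as an added example (not code from the original page): it merges the keys found in a directory of *.pub files into authorized_keys (all protocols) and authorized_keys2 (protocol 2 only), refuses lines that are not public keys (say, a private key saved under a .pub name by mistake), skips keys already present so it can be re-run safely, and sets the 0700/0600 modes. It assumes a POSIX shell with awk and GNU stat; the host name given to install_remote is whatever you choose.

```shell
#!/bin/sh
# Added example, not from the original page.  Assumes POSIX sh, awk, GNU stat -c.

# Print 1 for a protocol 1 key ("bits exponent modulus [comment]"), 2 for a
# protocol 2 key ("type base64 [comment]"), and nothing for any other line.
pubkey_protocol() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { print 1; exit }
        $1 ~ /^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521))$/ &&
            $2 ~ /^[A-Za-z0-9+\/]+=*$/ { print 2; exit }'
}

# Append key line $1 to file $2 unless the same key material is already there
# (the trailing comment is ignored when comparing, so a re-keyed comment does
# not produce a duplicate entry).
append_unique() {
    line=$1; dst=$2
    ident=$(printf '%s\n' "$line" |
        awk '{ if ($1 ~ /^[0-9]+$/) print $1, $2, $3; else print $1, $2 }')
    touch "$dst"
    grep -qF -- "$ident" "$dst" || printf '%s\n' "$line" >> "$dst"
}

# Merge every key in $1/*.pub into $2/authorized_keys (all protocols) and
# $2/authorized_keys2 (protocol 2 only).  Non-key lines are reported on stderr
# and never copied, so a stray private key cannot end up on a remote host.
build_authorized_keys() {
    srcdir=$1; dstdir=$2
    mkdir -p "$dstdir" && chmod 700 "$dstdir"
    touch "$dstdir/authorized_keys" "$dstdir/authorized_keys2"
    for pub in "$srcdir"/*.pub; do
        [ -f "$pub" ] || continue
        while IFS= read -r line || [ -n "$line" ]; do
            [ -n "$line" ] || continue
            case $(pubkey_protocol "$line") in
                1) append_unique "$line" "$dstdir/authorized_keys" ;;
                2) append_unique "$line" "$dstdir/authorized_keys"
                   append_unique "$line" "$dstdir/authorized_keys2" ;;
                *) printf 'skipping non-key line in %s: %.30s\n' "$pub" "$line" >&2 ;;
            esac
        done < "$pub"
    done
    chmod 600 "$dstdir/authorized_keys" "$dstdir/authorized_keys2"
}

# Succeed only if the directory is 0700 and both files are 0600, the layout the
# text above asks for; sshd's StrictModes rejects anything group/world writable.
check_key_perms() {
    dir=$1
    [ "$(stat -c %a "$dir")" = 700 ] || return 1
    for f in "$dir/authorized_keys" "$dir/authorized_keys2"; do
        [ -f "$f" ] || return 1
        [ "$(stat -c %a "$f")" = 600 ] || return 1
    done
    return 0
}

# Copy the built files into ~/.ssh on a remote account.  umask 077 creates
# them 0600 from the start.  Needs a working login to $2, so it is not part
# of the offline checks; the host name is an assumption you supply.
install_remote() {
    dstdir=$1; host=$2
    ssh "$host" 'umask 077; mkdir -p ~/.ssh; chmod 700 ~/.ssh; cat > ~/.ssh/authorized_keys' \
        < "$dstdir/authorized_keys"
    ssh "$host" 'umask 077; cat > ~/.ssh/authorized_keys2' < "$dstdir/authorized_keys2"
}

# Usage: build_authorized_keys ~/.ssh /tmp/keys && check_key_perms /tmp/keys && install_remote /tmp/keys somehost
```

Because build_authorized_keys merges rather than overwrites, running it against an existing ~/.ssh on the remote side adds only the keys that are missing, which is safer than the plain cat redirection when other people's keys already live in that file.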
Forward Your Agent
At this point, you should be able to connect to remote hosts without having to enter a password each time. But wouldn't it be nice if you could SSH from those remote hosts to other remote hosts using the same key-based authentication? You can!
When you connect to a remote host, simply use ssh -A to connect, or make sure your local configuration files have ForwardAgent yes in them. Forward only to hosts you trust: while the connection is up, anyone with root on that host can talk to your agent's socket and authenticate as you (the private key itself never leaves your machine, but that is small comfort), so put ForwardAgent yes under a Host entry in ~/.ssh/config for those hosts rather than enabling it globally.