I hate having to type passwords. If you do too, then read on to learn how to log in via SSH more securely, using a method that also happens to reduce how often you need to type your password.
Public-key authentication uses a pair of keys, one private and one public.
The private key resides on your local computer. It should be closely guarded, because someone obtaining it is equivalent to someone stealing your password. Always use a passphrase to safeguard your private key. The passphrase encrypts the private key so that even if someone obtains the file they will not be able to use it (don't worry, with a little effort you won't have to type the passphrase in as frequently as a password – stay tuned for ssh-agent).
During authentication the server, which holds your public key, sends your client a challenge; your client answers it using the private key, and the server checks that answer against the public key. If the cryptographic test passes, you are authenticated. The private key itself is never sent over the network.
Detailed information about this and all the following topics can be found in SSH, The Secure Shell: The Definitive Guide.
Users of PuTTY will want to follow the instructions given here. Be sure you create an RSA key for use with the SSH 2 protocol.
So, what do I do on my computer?
The first thing to do is to generate your key pair. You will be prompted for a passphrase when you do, and I cannot say it enough: use a passphrase. Good passphrases are 10-30 characters long and are not simple sentences or otherwise easily guessable. Also, please note that there is no way to recover a lost passphrase. If you lose or forget your passphrase, a new key pair must be generated and its public key copied to the server in place of the old one.
The command to create your key pair is
your_computer ~: ssh-keygen -t rsa
The -t rsa option tells ssh-keygen to create an RSA (Rivest-Shamir-Adleman) key, which is what you need on our servers (and is widely considered more secure than DSA).
Here is the typical output you should see after executing the recommended steps to create your key pair on your local computer:
your_computer ~: mkdir ~/.ssh
your_computer ~: chmod 700 ~/.ssh
your_computer ~: cd ~/.ssh
your_computer ~: ssh-keygen -t rsa
Generating public/private rsa key pair
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
17:5a:e7:77:ad:2c:0b:8e:f3:97:f8:20:53:79:69:55 user@my_local_computer
Make sure your private key is only readable by you (e.g., chmod 400 ~/.ssh/id_rsa).
And I do what on my server account?
Place a copy of your public key in your server account in ~/.ssh/authorized_keys.
First you need to make the directory ~/.ssh and make sure it can only be used by you.
You can do this by executing the following once you log in via ssh to your server account:
user@host ~: mkdir ~/.ssh
user@host ~: chmod 700 ~/.ssh
Second, you need to get your public key to the server.
There are a couple of ways to do this. You can either scp it over or copy and paste it. If you copy and paste it, the key must be all on one line.
To secure copy (scp) it over, just do
scp id_rsa.pub user@server:/home/user/.ssh
from your local computer, where user is the ssh name included in your welcome email. You will need to supply your ssh password.
Then you will need to rename id_rsa.pub to authorized_keys:
user@host ~: mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
To copy and paste, just run cat id_rsa.pub on your local computer and copy the output. Then create the ~/.ssh/authorized_keys file on your server account (e.g., log in via ssh and execute touch ~/.ssh/authorized_keys ; chmod 644 ~/.ssh/authorized_keys) and paste the key with your favorite editor on your server account into ~/.ssh/authorized_keys. Again, make sure the public key is on one line.
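The two ways of installing the key above (scp then mv, or paste into authorized_keys) each have a pitfall: mv silently overwrites an authorized_keys file that already holds other keys, and a pasted key that wraps onto two lines is ignored by sshd. The script below is an added example, not part of the original page, that installs a public key the careful way: it refuses anything that is not a single OpenSSH public-key line, appends instead of overwriting, skips a key that is already present, and sets the permissions sshd expects (directory 700, file 600). It assumes a POSIX sh with grep, mkdir and dirname; the key file and authorized_keys path are passed as arguments so it can be run against any directory.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys with the checks
# that a bare scp/mv or copy-and-paste would skip. Not from the original page.

# True only if the file is exactly one OpenSSH public-key line:
#   <key type> <base64 blob> [comment]
# A key that has wrapped onto two lines fails this check; sshd would
# otherwise ignore it silently and password prompts would continue.
valid_pubkey_line() {
    key_file="$1"
    # grep -c '' counts every line, including a last line with no newline.
    [ "$(grep -c '' "$key_file")" -eq 1 ] || return 1
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+=*' "$key_file"
}

# Append the key to authorized_keys unless it is already there.
# Returns 0 on success (installed or already installed), 1 if the key file
# is malformed. Existing keys in the file are never overwritten.
install_pubkey() {
    key_file="$1"
    auth_file="$2"
    if ! valid_pubkey_line "$key_file"; then
        echo "refusing $key_file: not a single-line OpenSSH public key" >&2
        return 1
    fi
    ssh_dir=$(dirname "$auth_file")
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"          # sshd (StrictModes) rejects a more open ~/.ssh
    touch "$auth_file"
    chmod 600 "$auth_file"        # writable by nobody but the owner
    key_line=$(cat "$key_file")   # $(...) strips the trailing newline
    if grep -qxF -- "$key_line" "$auth_file"; then
        echo "already installed in $auth_file"
        return 0
    fi
    # printf adds exactly one newline, so the next key never merges with this one.
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "installed into $auth_file"
}

# Number of keys currently authorized.
count_keys() {
    grep -c '' "$1"
}

# Usage on the server, after scp'ing id_rsa.pub into your home directory:
#   install_pubkey ~/id_rsa.pub ~/.ssh/authorized_keys
```

OpenSSH also ships ssh-copy-id, which performs the same append-and-chmod steps over an ssh connection from your local computer; the script above is the same logic made explicit so you can see what it checks.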
ssh-agent, or: I do not want to enter a passphrase all the time either
ssh-agent is a program to hold private keys used for public key authentication. The idea is that ssh-agent is started in the beginning of a login session, and all other windows or programs are started as clients to the ssh-agent program. Environment variables allow the agent to be located and used for authentication.
First, you need to start the agent and use a shell that knows the environment variables. For example,
your_computer ~: ssh-agent /bin/tcsh
Or you can print the environment variables and eval them in your current shell:
your_computer ~: ssh-agent
setenv SSH_AUTH_SOCK /tmp/ssh-wRpuCNd2/agent.34050;
setenv SSH_AGENT_PID 34051;
echo Agent pid 34051;
your_computer ~: eval setenv SSH_AUTH_SOCK /tmp/ssh-wRpuCNd2/agent.34050;
your_computer ~: eval setenv SSH_AGENT_PID 34051;
Then you need to add your private key to the ssh-agent. You do this with ssh-add. If no key name is given as an argument, the key id_rsa will be added. You will also be prompted for your private key's passphrase.
your_computer ~: ssh-add
Enter passphrase for /home/your_user/.ssh/id_rsa:
Identity added: /home/your_user/.ssh/id_rsa (/home/your_user/.ssh/id_rsa)
Now you can log in to the server just by running ssh user@host. When you are finished with the ssh-agent, you can shut it down with:
your_computer ~: ssh-agent -k
unsetenv SSH_AUTH_SOCK;
unsetenv SSH_AGENT_PID;
echo Agent pid 34051 killed;
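The session above is shown in tcsh. As an added example, not from the original page, here is the same agent lifecycle for a POSIX sh or bash user, written as three small functions: ssh-agent -s prints Bourne-style assignments instead of setenv lines, so eval'ing its output does the job of the two eval setenv commands above, and ssh-agent -k prints the matching unset commands. The extra check in ensure_agent starts an agent only when this shell cannot already reach one through SSH_AUTH_SOCK, so sourcing your profile in a second terminal does not leave stray agents (and stray decrypted keys) behind. It assumes OpenSSH's ssh-agent, ssh-add and ssh are on PATH.

```shell
#!/bin/sh
# Added example, not from the original page: the ssh-agent session described
# above, for a POSIX sh/bash shell instead of tcsh.
# Assumes OpenSSH's ssh-agent, ssh-add and ssh are on PATH.

# True when this shell can already reach an agent: SSH_AUTH_SOCK names an
# existing Unix socket. This is the variable every ssh client looks at.
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Start an agent for this shell only if none is reachable yet.
# `ssh-agent -s` prints Bourne syntax (SSH_AUTH_SOCK=...; export SSH_AUTH_SOCK;
# SSH_AGENT_PID=...; export SSH_AGENT_PID;), so eval'ing it is the sh
# counterpart of the two "eval setenv" lines shown above.
ensure_agent() {
    if ! agent_reachable; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
    agent_reachable
}

# Kill the agent this shell started and drop its variables. `ssh-agent -k`
# reads SSH_AGENT_PID and prints the matching unset commands, just as the
# tcsh output above prints unsetenv lines.
stop_agent() {
    eval "$(ssh-agent -k)" >/dev/null
}

# Interactive use, once per login session:
#   ensure_agent && ssh-add       # prompts once for the key's passphrase
#   ssh-add -l                    # list the identities the agent now holds
#   ssh user@host                 # authenticates without a prompt
#   stop_agent                    # forget the decrypted key when you are done
```

Running stop_agent at logout matters for the same reason the passphrase does: while the agent is alive, anyone who can use your login session (or read the agent socket) can authenticate with your key without ever seeing the passphrase.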
(slightly altered from: http://bose.utmb.edu/Compu_Center/ssh/SSH_HOWTO.html)