SSH

I hate having to type passwords. If you do too, then read on to learn how to log in via SSH more securely, with a method that also happens to spare you from typing your password over and over.

Public-Key Authentication

Public-key authentication uses a pair of keys, one private and one public.

The private key resides on your local computer. It should be closely guarded, because someone getting hold of it is equivalent to stealing your password. Always use a passphrase to safeguard your private key. This encrypts the private key on disk so that even if someone obtains the file they will not be able to use it (don't worry, with a little effort you won't have to type the passphrase nearly as often as a password; stay tuned for ssh-agent).

During authentication your ssh client proves that it holds the private key: it signs data tied to the current session with the private key, and the server checks that signature against the public key you placed in your authorized_keys file. The private key never leaves your computer, and the signature is bound to this one session, so nothing the server (or anyone watching the network) sees can be replayed elsewhere.

Detailed information can be found about this and all following topics in SSH, The Secure Shell: The Definitive Guide.

Users of PuTTY will want to follow the instructions given here. Be sure to generate an RSA key for the SSH-2 protocol (the "SSH-2 RSA" choice in PuTTYgen), not an SSH-1 key.

So, what do I do on my computer?

The first thing to do is generate your key pair. You will be prompted for a passphrase when you do, and I cannot say it enough: use a passphrase. Good passphrases are 10-30 characters long and are not simple sentences or otherwise easily guessable. Also, please note that there is no way to recover a lost passphrase. If you lose or forget it, you must generate a new key pair and copy its public key to the server in place of the old one.

The command to create your key pair is

your_computer ~: ssh-keygen -t rsa

The -t rsa option tells ssh-keygen to create an RSA (Rivest-Shamir-Adleman) key, which is what our servers require. Do not pick DSA: it is limited to 1024-bit keys, and OpenSSH has disabled ssh-dss keys by default since version 7.0. Recent OpenSSH releases create 3072-bit RSA keys by default; older ones create 2048-bit keys.

Here is the typical output you should see after executing the recommended steps to create your key pair on your local computer.

your_computer ~: mkdir ~/.ssh
your_computer ~: chmod 700 ~/.ssh
your_computer ~: cd ~/.ssh
your_computer ~: ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/your_user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_rsa.
Your public key has been saved in id_rsa.pub.
The key fingerprint is:
17:5a:e7:77:ad:2c:0b:8e:f3:97:f8:20:53:79:69:55 user@my_local_computer

Press Enter at the file prompt to accept the default location. Newer versions of ssh-keygen print the fingerprint as SHA256:... rather than in the colon-separated MD5 form shown above; either way it identifies the same key.

Make sure your private key is only readable by you (e.g., chmod 400 ~/.ssh/id_rsa; ssh-keygen already creates it with mode 600). This is not optional: ssh refuses to use a private key that other users can read, prints "UNPROTECTED PRIVATE KEY FILE!", and falls back to asking for your password.

And I do what on my server account?

Place a copy of your public key in your server account, in ~/.ssh/authorized_keys.

First you need to make the directory ~/.ssh and make sure it can only be used by you.

You can do this by executing the following once you login via ssh to your server account…

user@host ~: mkdir ~/.ssh
user@host ~: chmod 700 ~/.ssh

Second, you need to get your public key to the server.

There are a couple of ways to do this: scp it over, or copy and paste it. Either way the key must end up as a single line in authorized_keys. A key that an editor or mail client has wrapped onto several lines will not work, and all you will see on the client side is the password prompt again.

To secure copy (scp) it over, run

your_computer ~: scp ~/.ssh/id_rsa.pub user@server:/home/user/.ssh

on your local computer, where user is the ssh name included in your welcome email. You will be asked for your ssh password (for the last time, if all goes well).

Then you need to rename id_rsa.pub to authorized_keys:

user@host ~: mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

Do this only if authorized_keys does not exist yet. If it already holds a key from another computer, mv would silently replace it; append the new key to the end of the file instead (cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys).

To copy and paste, run cat ~/.ssh/id_rsa.pub on your local computer and copy the output. Then create the ~/.ssh/authorized_keys file on your server account (log in via ssh and execute touch ~/.ssh/authorized_keys ; chmod 600 ~/.ssh/authorized_keys) and paste the key into it with your favorite editor. Again, make sure the public key is on one line. Use 600 rather than 644: sshd (with its default StrictModes setting) rejects an authorized_keys file that other users can write to, and nobody else needs to read it.
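The server-side steps above (create ~/.ssh as 700, put the key on one line in authorized_keys, keep the file owner-only) and the private-key permission check from the previous section, as one added shell example. This is not code from the original page. It assumes a POSIX sh with coreutils and awk, needs no ssh binaries, and the key blob in it is constructed (not a real key) so that it runs anywhere. It goes a little beyond the page: it refuses a key that was wrapped across lines, appends instead of overwriting, and skips a key that is already installed even when its comment differs.

```shell
#!/bin/sh
# Server-side installer for an OpenSSH public key, plus the client-side
# private-key permission check. Added example, not from the original page.
# Assumes POSIX sh, coreutils and awk; no ssh binaries are needed.

nl='
'

# Print the base64 blob (second field) of an OpenSSH public-key line.
# Fails if the line is not "<type> <base64> [comment]" on a single line,
# which is exactly what goes wrong when a key is pasted through a mail
# client or an editor that wraps long lines.
pubkey_blob() {
    case $1 in
        *"$nl"*) return 1 ;;                     # key was split across lines
    esac
    set -f; set -- $1; set +f                    # split on whitespace, no globbing
    [ $# -ge 2 ] || return 1
    case $1 in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) return 1 ;;                           # ssh-dss and anything else is refused
    esac
    case $2 in
        *[!A-Za-z0-9+/=]*) return 1 ;;           # not base64
    esac
    printf '%s\n' "$2"
}

# Install one public-key line into $HOME/.ssh/authorized_keys: create the
# directory and file with the modes sshd's StrictModes check expects, append
# rather than overwrite (keys from other computers stay usable), and skip a
# key whose blob is already present even if its comment differs.
# Prints "added" or "present"; returns 1 for a malformed key.
install_authorized_key() {
    key=$1
    ak=$HOME/.ssh/authorized_keys
    blob=$(pubkey_blob "$key") || {
        echo "rejected: not a single-line OpenSSH public key" >&2
        return 1
    }
    old_umask=$(umask)
    umask 077                                    # anything created here is owner-only
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
    [ -f "$ak" ] || : > "$ak"
    chmod 600 "$ak"                              # sshd ignores the file if others can write it
    umask "$old_umask"
    if awk -v b="$blob" '$2 == b { found = 1 } END { exit found ? 0 : 1 }' "$ak"; then
        echo present
    else
        printf '%s\n' "$key" >> "$ak"
        echo added
    fi
}

# Client side: succeed only if the private key is readable by nobody but its
# owner. ssh itself refuses a key with looser permissions ("UNPROTECTED
# PRIVATE KEY FILE!") and falls back to asking for your password.
private_key_mode_ok() {
    [ -f "$1" ] || return 1
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ] # group and other bits of "-rw-------"
}

# Demo in a throwaway HOME (subshell, so the caller's HOME is untouched).
# The blob is constructed for the demo and is not a real key.
demo() (
    HOME=$(mktemp -d); export HOME
    key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedBlobNotARealKey00000000000 user@my_local_computer'
    install_authorized_key "$key"                            # added
    install_authorized_key "$key laptop"                     # present (same blob, new comment)
    install_authorized_key "${key%% *}" 2>/dev/null || echo "rejected: missing blob"
    : > "$HOME/.ssh/id_demo"                                 # stand-in for a private key
    chmod 644 "$HOME/.ssh/id_demo"
    private_key_mode_ok "$HOME/.ssh/id_demo" || echo "id_demo: too open, ssh would ignore it"
    chmod 600 "$HOME/.ssh/id_demo"
    private_key_mode_ok "$HOME/.ssh/id_demo" && echo "id_demo: ok"
    ls -ld "$HOME/.ssh" "$HOME/.ssh/authorized_keys"
)

demo
```

The duplicate check compares only the base64 blob, since the comment after it is free text and the same key often arrives with a different one. If you would rather keep authorized_keys as 644 (readable by others), the installer still works: sshd only insists that the file and the directory above it are not writable by anyone but you.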

ssh-agent, or: I do not want to enter a passphrase all the time either

ssh-agent is a program that holds the private keys used for public-key authentication. The idea is that ssh-agent is started at the beginning of a login session and all other windows or programs are started as clients of it; the SSH_AUTH_SOCK and SSH_AGENT_PID environment variables let ssh find the agent. You type the passphrase once, when the key is loaded, and from then on the agent signs authentication requests on your behalf. It never hands the decrypted key out, but anything that can reach its socket, including root on your local machine, can use the key for as long as it is loaded, so stop the agent when you are done, or load keys with a lifetime (ssh-add -t).

First, you need to start the agent and use a shell that knows the environment variables. For example,

your_computer ~: ssh-agent /bin/tcsh

starts an agent with a tcsh running underneath it; every command you run from that shell, and every window you open from it, inherits the variables, and the agent exits when that shell does.

Or you can have ssh-agent print the variable settings and eval them in your current shell. ssh-agent -c prints them in csh syntax and ssh-agent -s in Bourne syntax (with neither flag it guesses from $SHELL):

setenv SSH_AUTH_SOCK /tmp/ssh-wRpuCNd2/agent.34050;
setenv SSH_AGENT_PID 34051;
echo Agent pid 34051;

Copying those lines by hand works but is error-prone; let the shell evaluate the output in one step instead:

your_computer ~: eval `ssh-agent -c`
Agent pid 34051

(In sh, bash or zsh the equivalent is eval "$(ssh-agent -s)".)

Then you need to add your private key to the agent. You do this with ssh-add. With no argument it loads the default identities (~/.ssh/id_rsa and, if present, the other ~/.ssh/id_* keys). You will be prompted for your private key's passphrase, once.

your_computer ~: ssh-add
Enter passphrase for /home/your_user/.ssh/id_rsa:
Identity added: /home/your_user/.ssh/id_rsa (/home/your_user/.ssh/id_rsa)

Now you can log in to the server with just ssh user@host, with no password and no passphrase prompt: the agent answers for you. When you are finished with the ssh-agent, kill it from the same shell (ssh-agent -k reads the pid from SSH_AGENT_PID) and eval the output so the variables are cleared as well:

your_computer ~: eval `ssh-agent -k`
Agent pid 34051 killed

What ssh-agent -k printed, and eval ran, was:

unsetenv SSH_AUTH_SOCK;
unsetenv SSH_AGENT_PID;
echo Agent pid 34051 killed;

If you started the agent as ssh-agent /bin/tcsh, simply logging out of that shell ends the agent too.
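The same start, add, use, kill cycle as an added shell example for sh, bash or zsh users. This is not code from the original page or from the howto it credits. It assumes OpenSSH's ssh-agent and ssh-add are on the PATH; the 8-hour key lifetime and the ~/.ssh/id_rsa default are my assumptions. Beyond the page's steps, it reuses an agent that is already running instead of starting a fresh one in every window, telling the two cases apart by ssh-add -l's exit status.

```shell
#!/bin/sh
# ssh-agent session helpers for Bourne-style shells (sh, bash, zsh). Added
# example, not from the original page. Assumes OpenSSH's ssh-agent and
# ssh-add are installed; tcsh users use eval `ssh-agent -c` instead of -s.

# Report what the agent behind $SSH_AUTH_SOCK holds, using ssh-add's
# documented exit status: 0 = keys loaded, 1 = agent running but empty,
# 2 = no agent reachable (127 if ssh-add is missing; treated the same).
agent_state() {
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo keys ;;
        1) echo empty ;;
        *) echo none ;;
    esac
}

# Start an agent only if none is reachable: new windows then reuse the
# login session's agent instead of each leaking an ssh-agent process.
ensure_agent() {
    command -v ssh-agent >/dev/null 2>&1 || { echo "ssh-agent not installed" >&2; return 2; }
    if [ "$(agent_state)" = none ]; then
        eval "$(ssh-agent -s)" >/dev/null        # sets and exports SSH_AUTH_SOCK, SSH_AGENT_PID
    fi
    [ "$(agent_state)" != none ]
}

# Load a passphrase-protected key (prompts once). -t bounds how long the
# decrypted key stays in the agent; 8h is an assumption, not an OpenSSH
# default. Until it expires, anyone who can reach the socket (root on this
# machine, for instance) can sign with the key.
load_key() {
    ssh-add -t "${2:-8h}" "${1:-$HOME/.ssh/id_rsa}"
}

# End of session: kill the agent named by SSH_AGENT_PID and clear both
# variables, so a later ssh does not try a socket that no longer exists.
stop_agent() {
    [ -n "$SSH_AGENT_PID" ] || return 0
    eval "$(ssh-agent -s -k)" >/dev/null
}

# A typical session; the interactive steps are commented out so the file
# runs unattended.
if ensure_agent; then
    echo "agent state: $(agent_state)"           # empty
    # load_key "$HOME/.ssh/id_rsa"               # prompts for the passphrase once
    # ssh user@host                              # no password or passphrase prompt now
    stop_agent
    echo "agent state: $(agent_state)"           # none
fi
```

Source this file from your shell start-up and call ensure_agent there; because the functions run in the current shell rather than a subprocess, the variables eval sets actually stick.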

(slightly altered from: http://bose.utmb.edu/Compu_Center/ssh/SSH_HOWTO.html)