Use Rsa Key To Ssh

by



By: Karsten M. Self
Written: Fri Aug 4, 2000
Modified: 2008/11/06 20:35:46

  1. Use Rsa Key To Ssh Command
  2. Add Rsa Key Ssh

Ssh-keygen is a tool for creating new authentication key pairs for SSH. This is a tutorial on its use, and covers several special use cases. Laptop1: yourname$ ssh-keygen Generating public/private rsa key pair. You'll be prompted to choose the location to store the keys. The default location is good unless you already have a key. Press Enter to choose the default location.

What:

Allow secure, authenticated remote access, file transfer, and command execution without having to remember passwords for each individual host you connect to.

Who:

All users needing remote access or data. All platforms -- SSH is available for Linux, Unix, Windows, and Macintosh. A comprehensive list of clients is available from http://linuxmafia.com/pub/linux/security/ssh-clients.

Why:

It's the Right Thing to Do ™.

In a networked world, remote access is a reality we have to deal with. Remembering passwords to myriad systems is inconvenient at best, and leads to bad practices at worst -- shared passwords, shared accounts, and other evils -- which are a significant source of security threats.

RSA authentication is both convenient (one passphrase, or if you choose, no passphrase), allows access to many systems. Remote actions such as programs and file transfers can be automated so that you don't have to 'be there' when long processes occur. If access from a specific user or host needs to be curtailed, the specific RSA key can be removed from the authorized_keys file without requiring password changes of all other users.

Where accounts must be shared, RSA authentication provides an additional audit trail and level of control over who is accessing the account. Again, if access from a specific location or user needs to be curtailed, the appropriate key can be removed from the authorized_keys list without disrupting access for other users. While this is possible, I still strongly recommend that alternative methods for privileged or shared access, such as sudo be used.

How:

And all of this you can do in three easy steps (0 and 4 are not included in the enumeration, and 5 is right out)!

Use Rsa Key To SshUse

Prerequisite: the remote system needs to have ssh installed and sshd running, with RSA authentication enabled. This is the default configuration, and is typically specified with the option:

RSAAuthentication yes

...in /etc/ssh/sshd_config. If you have problems, contact the system's administrator.

Zeroth step: You will need ssh installed on your computer. Procedures for doing this vary by Linux and/or Unix (or other OS) distribution. Refer to system documentation for details.

  1. Create a local RSA key:

    $ ssh-keygen

    Follow the prompts, this takes a few seconds as your computer gathers entropy from the system.

    You will be asked to supply a passphrase. While you can elect to choose a null passphrase. I would recommend you do supply a passphrase as it provides additional security -- your key is not useful without it. The upside is that you only have to remember this one passphrase for all the systems you access via RSA authentication. You can change the passhrase later with 'ssh-keygen -p'. Note that you can use ssh-agent to enable logging in with a password-protected key and not have to enter a password every time (you feed the password once with the ssh-add utility).

    This is typically stored in your home directory under .ssh/id_rsa. After doing this, a directory listing of ~/.ssh should look like:


  2. Copy the public key id_rsa.pub to the hosts you wish to access remotely. You can do this by any method you like, one option is to use scp, naming the key to indicate your present host:

    $ scp .ssh/id_rsa.pub remote-user@remote.host:local-host.ssh

    e.g.: I might name a key for my host 'navel' navel.ssh.

  3. Connect to the remote host. You don't have RSA authentication enabled yet, so you'll have to use an old method such as walking up to the terminal or supplying a password. Add the new hostkey to the file .ssh/authorized_keys.


    $ cat local-host.ssh >> .ssh/authorized_keys

    Note the use of two right-angles '>' -- this will add the contents of local-host.ssh to a preexisting file, or create the file if it already exists.

    Check the permissions of .ssh/authorized_keys, it must be as below or you won't be able to use RSA authentication:

    And you're all set!

  4. Test the method by logging out of the remote server and trying to connect to it via ssh:

    $ ssh remote-user@remote-host

    You may be prompted for your RSA key passphrase, but you won't need a remote password to connect to the host. If you are prompted for a password, or your connection is refused, something is wrong, and you'll want to refer to the troubleshooting section below.

You can repeat steps 1 - 3 for each remote host you wish to connect from.

More information:

  • man ssh
  • man ssh-keygen
  • man sshd
  • man ssh-agent
  • man ssh-add

Troubleshooting: If Something Breaks

You get to keep the pieces.

A common error is to have file permissions set wrong somewhere.

  • Your .ssh directory may be writable only by you, but needs group and world read permissions.
  • Your private key cannot be readable by anyone but you.
  • Your public key cannot be writeable by anyone but you, but needs group and world read permissions.

...problems with any of these permissions may mean you cannot log in to a system. The permissions need to be correct at both sides of the connection. You can get diagnostics by invoking your connection with the verbose '-v' flag:


$ ssh -v remote-user@remote-host

Successful output looks like:


Use Rsa Key To Ssh Command

...if you see lines indicating refusals or incorrect permissions, track down and correct the problem.

Add Rsa Key Ssh


Home
mail: kmself@ix.netcom.com
Last updated 2008/11/06 20:35:46