the itjerk

my adventures with technology

Monthly Archives: November 2009

ssh-keygen

There are a couple of reasons to use keys for ssh connectivity, but not having to enter a password has to be at the top of the list.

[EDIT: This first part was written for Mac OS X.]
First, create a DSA key pair on your local machine. BTW, I didn't enter a passphrase because I don't want to enter one later when I connect. Make sure you have a secure console if you skip this option.

one:~ one$ ssh-keygen -t dsa
one:~ one$ ls .ssh
id_dsa      id_dsa.pub	        known_hosts

Copy the public key to the remote server you wish to connect to:

one:~ one$ scp .ssh/id_dsa.pub user@two:~
Password:
id_dsa.pub                                    100%  635     0.6KB/s   00:00  

ssh to the remote server, move the key into place, and fix the permissions so that only the user you logged in as can read it:

one:~ one$ ssh user@two
Password:
two:~ user$ mv id_dsa.pub .ssh/authorized_keys
two:~ user$ chmod 600 .ssh/authorized_keys 

If you have more than one key, append each additional one to authorized_keys rather than moving it over the file:

cat new_key.pub >> .ssh/authorized_keys

Now log in to the remote server and you won't be prompted for a password! It is also a good idea to regenerate the keys after a period of time, especially if you don't use a passphrase.

[EDIT: This was revised for Ubuntu/Raspbian.] Create an RSA key pair on your local machine (this is the machine you will log in FROM, e.g. one). BTW, I didn't enter a passphrase because I don't want to enter one later when I connect. Make sure you have a secure console if you skip this option.

one:~ one$ ssh-keygen -t rsa
one:~ one$ ls .ssh
id_rsa      id_rsa.pub	        known_hosts
one:~ one$ ssh-add
Identity added: /home/one/.ssh/id_rsa (/home/one/.ssh/id_rsa)

Copy the public key to the remote server you wish to connect TO, e.g. two:

one:~ one$ scp .ssh/id_rsa.pub user@machine_two:~
Password:
id_rsa.pub                                    100%  635     0.6KB/s   00:00  

ssh to the remote server, append the key to authorized_keys, and fix the permissions so that only the user you logged in as can read it:

one:~ one$ ssh user@machine_two
Password:
machine_two:~ user$ cat id_rsa.pub >> .ssh/authorized_keys
machine_two:~ user$ chmod 600 .ssh/authorized_keys
machine_two:~ user$ rm id_rsa.pub
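The macOS and Ubuntu sections above both install the copied public key by hand (mv or cat >> into .ssh/authorized_keys, then chmod 600). The script below is an added example, not code from the original post, that does the same job for either system in one function: it creates ~/.ssh with the 700 mode sshd's default StrictModes requires, refuses to append a file that is not a public key line, and skips keys that are already present, so re-running it neither clobbers earlier keys (as mv does) nor duplicates them (as repeated cat >> does). It assumes a POSIX sh with grep, head and chmod; the function names and the optional second argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): install a public key into an
# authorized_keys file without clobbering or duplicating existing keys, and
# with the directory/file modes that sshd's StrictModes (the default) checks.
# Assumes POSIX sh, grep, head, chmod. Function names are this example's own.
set -eu

# install_authorized_key PUBKEY_FILE [SSH_DIR]
#   PUBKEY_FILE: the id_*.pub copied over with scp
#   SSH_DIR:     target directory, defaults to ~/.ssh
# Prints "added" or "already present"; returns 1 if the file is not a key.
install_authorized_key() {
    pubkey_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_keys="$ssh_dir/authorized_keys"

    # A public key file holds one "<type> <base64> [comment]" line. Refuse
    # anything else so a stray file never ends up in authorized_keys.
    pubkey=$(head -n 1 "$pubkey_file")
    case "$pubkey" in
        ssh-rsa\ *|ssh-dss\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not a public key line: $pubkey_file" >&2; return 1 ;;
    esac

    # sshd rejects the key file if ~/.ssh or authorized_keys is group- or
    # world-writable, so set 700 / 600 explicitly rather than trusting umask.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Append only when this exact line is not already present.
    if grep -qxF -- "$pubkey" "$auth_keys"; then
        echo "already present"
    else
        printf '%s\n' "$pubkey" >> "$auth_keys"
        echo "added"
    fi
}

# count_authorized_keys [SSH_DIR]: number of key lines currently installed
# (key lines start with the key type, comments start with '#').
count_authorized_keys() {
    ssh_dir=${1:-"$HOME/.ssh"}
    [ -f "$ssh_dir/authorized_keys" ] || { echo 0; return; }
    grep -c '^[a-z]' "$ssh_dir/authorized_keys" || true
}

# Stand-alone use on the remote machine: ./install_key.sh ~/id_rsa.pub
if [ "$#" -gt 0 ]; then
    install_authorized_key "$1"
fi
```

Run it on the remote machine against the .pub file you copied with scp; afterwards the copied .pub file in your home directory can be deleted as in the transcript above, since authorized_keys now holds the line.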

If you're using an encrypted home folder (as you very well should), you'll need a couple of extra steps to get everything to work: sshd has to read authorized_keys before you log in, and at that point your encrypted home directory isn't mounted yet, so the key has to live somewhere outside it.

First, create a folder /etc/ssh/<user name>, chown it to <user name> and give it 755 permissions. Next, copy the authorized_keys file into it, make sure <user name> owns it, and give it 644 permissions. Then add this line to your /etc/ssh/sshd_config file (%u is expanded to the name of the user logging in):

AuthorizedKeysFile /etc/ssh/%u/authorized_keys

Restart the ssh service and you should be good to go. Note that you will still need to mount your encrypted home folder yourself once you ssh in (ecryptfs-mount-private).