SSH Key Based Authentication
UPDATE: Added basics section to try to give a nicer overview, feel free to email me any feedback on this post
A friend asked about remembering an ssh password in OS X keychain which led me to mentioning ssh keys, I believe OS X only stores those passwords. Decided to try writing a post about them that hopefully is helpful in getting started with using ssh key authentication.
Basics
First, a little about key based authentication. SSH has a few ways of handling authentication, a lot of people I think use just the password based authentication, this is what will probably be used when you first setup SSH too. There's a few other options, including ability to tell the server only to accept certain ones. One of the choices is public key authentication which can be more secure and allow for some conveniences on the client side.
With public key authentication, you have both a private and public key on your client machine, and the server has to be told if your public key is authorized. When connecting, your public key will be sent to the server and it will check if it's authorized and if your ssh client can prove it has the private key. (Not sure if it's used in the actual encryption)
Setting public key authentication up takes a bit but can be much nicer than just using password authentication. We have a few steps to follow, you'll have to repeat per client machine you use, at least that'd be more secure than copying a key to each:
- Create a new key pair on your client machine (ssh-keygen command)
- Copy the public key to the server (~/.ssh/id_rsa.pub)
- Add the public key contents to your user's ~/.ssh/authorized_keys file, creating it if it doesn't exist
I'm hoping to write some useful shell scripts to streamline the last 2 steps into a simple command, I'll share that if I finish it or find a similar existing method.
Below I go into more detail about setting it all up.
Creating a key pair
First you need to make a key pair if you haven't already, you can just type the simple keygen command wi th no gas, default will be to do rsa keys, changeable via -t flag. I believe rsa is the better choice anyway.
ssh-keygen
You'll be asked where to store the files but just hit enter to accept default. You'll then be asked for a passphrase which you can leave blank. You might want to have one, it'll be safer if someone did manage to get your private key. You can always store the passphrase in things like OS X keychain to have passwordless ssh login. OS X 10.6 has support for this and there's probably some similar utilities for other OSes. This involves an ssh-agent which I'll probably go into later.
Now you'll have 2 files:
- ~/.ssh/id_rsa
- ~/.ssh/id_rsa.pub
The .pub file is your public key which you use to identify and allow your machine access to servers or services like github. The other file is your private key which you want to keep safe. When connecting to an ssh server, your private key will be used to encrypt communication if the server has your public key in an authorized keys file.
Making a key authorized
Every server you want to access using this key you have to copy the id_rsa.pub file to and put the contents in a specific file for your user. This is the users authorized keys file: ~/.ssh/authorized_keys
This file can contain one public key per line, typically you might have a key per computer you use.
Easiest way to get this to a server is to scp it, then we have to append it to our authorized keys file:
scp ~/.ssh/id_rsa.pub server:mykey
Then ssh to server and append it to authorized keys, creating ~/.ssh directory of it doesn't exist:
ssh server
mkdir -p ~/.ssh
cat mykey >> ~/.ssh/authorized_keys
Now if you logout and back in, it should either ask you for your key's password or no password at all if you left it blank. On OS X 10.6 this will be via a GUI panel, or similar on other OSes with a GUI ssh-agent setup.
SSH Agent
This isn't necessary to know about but might be helpful for some. An ssh-agent is actually what's running on OS X to allow the password panel that pops up and keychain support. It also doesn't ask you for the key's password repeatedly for a duration if you do multiple connections. It's job is to hold onto private keys for a time period so you don't have to continually enter your password.
There may be cases where you might want to use the ssh-agent command. I use this on a remote server so I only have to enter my key password once. I'll be doing a follow up post more on this I think as I need to review some pieces.
03:23 PM | Tags: shell, ssh, sysadmin, servers