SSH Known Hosts Editing

Following up on my last 2 posts about SSH key based authentication, here's some more useful SSH commands to manage the known hosts file that I didn't know about before.

The known hosts file, located at ~/.ssh/known_hosts, is where server public keys end up when you say "yes" to accepting a host key upon connecting to a server you've never connected to before. Chances are your file is full of keys by now if you connect to a lot of different machines. If you need to remove a key for a server change or if you no longer use the server, you can easily clean it up without editing the file directly.

You can first check if the host is even in the file:

ssh-keygen -F jfro.me

This will display the entry from the file if found. You can remove it with this command:

ssh-keygen -R jfro.me

Unfortunately it's not as easy if you use non-standard ports, it has to be an exact match to the host entry in the file:

ssh-keygen -R "[example.com]:1234"

SSH Public Key Uploading Script

After my previous post, I realized I've wanted a simple way of uploading & authorizing my public key on new servers. After some searching I found a script that I tweaked a bit and put it on gist.

This gist has 2 versions, one is a shell function, the other a shell script. For some people it'll probably be easier just grabbing the script and putting it in their path like at /usr/local/bin/sshput. Some might like putting it in their zshrc, profile, etc. as a shell function which is what I did.

First file is function, second is the script:

• sshput gist

After it's installed, you can easily upload & authorize your public key on a new server:

sshput myserver.local

It'll ask for your password for the server, then transfer the key and append it to ~/.ssh/authorized_keys on the server. By default the script uploads your rsa or dsa key but you can specify a specific key:

sshput ~/.ssh/github_key.pub myserver.local

Hope that helps out with making ssh key authentication easier, I definitely like having a 1 step setup for authorizing a key now.

SSH Key Based Authentication

UPDATE: Added basics section to try to give a nicer overview, feel free to email me any feedback on this post

A friend asked about remembering an ssh password in OS X keychain which led me to mentioning ssh keys, I believe OS X only stores those passwords. Decided to try writing a post about them that hopefully is helpful in getting started with using ssh key authentication.

Basics

First, a little about key based authentication. SSH has a few ways of handling authentication, a lot of people I think use just the password based authentication, this is what will probably be used when you first setup SSH too. There's a few other options, including ability to tell the server only to accept certain ones. One of the choices is public key authentication which can be more secure and allow for some conveniences on the client side.

With public key authentication, you have both a private and public key on your client machine, and the server has to be told if your public key is authorized. When connecting, your public key will be sent to the server and it will check if it's authorized and if your ssh client can prove it has the private key. (Not sure if it's used in the actual encryption)

Setting public key authentication up takes a bit but can be much nicer than just using password authentication. We have a few steps to follow, you'll have to repeat per client machine you use, at least that'd be more secure than copying a key to each:

1. Create a new key pair on your client machine (ssh-keygen command)
2. Copy the public key to the server (~/.ssh/id_rsa.pub)
3. Add the public key contents to your user's ~/.ssh/authorized_keys file, creating it if it doesn't exist

I'm hoping to write some useful shell scripts to streamline the last 2 steps into a simple command, I'll share that if I finish it or find a similar existing method.

Below I go into more detail about setting it all up.

Creating a key pair

First you need to make a key pair if you haven't already, you can just type the simple keygen command wi th no gas, default will be to do rsa keys, changeable via -t flag. I believe rsa is the better choice anyway.

ssh-keygen

You'll be asked where to store the files but just hit enter to accept default. You'll then be asked for a passphrase which you can leave blank. You might want to have one, it'll be safer if someone did manage to get your private key. You can always store the passphrase in things like OS X keychain to have passwordless ssh login. OS X 10.6 has support for this and there's probably some similar utilities for other OSes. This involves an ssh-agent which I'll probably go into later.

Now you'll have 2 files:

• ~/.ssh/id_rsa
• ~/.ssh/id_rsa.pub

The .pub file is your public key which you use to identify and allow your machine access to servers or services like github. The other file is your private key which you want to keep safe. When connecting to an ssh server, your private key will be used to encrypt communication if the server has your public key in an authorized keys file.

Making a key authorized

Every server you want to access using this key you have to copy the id_rsa.pub file to and put the contents in a specific file for your user. This is the users authorized keys file: ~/.ssh/authorized_keys

This file can contain one public key per line, typically you might have a key per computer you use.

Easiest way to get this to a server is to scp it, then we have to append it to our authorized keys file:

scp ~/.ssh/id_rsa.pub server:mykey

Then ssh to server and append it to authorized keys, creating ~/.ssh directory of it doesn't exist:

ssh server
mkdir -p ~/.ssh
cat mykey >> ~/.ssh/authorized_keys

Now if you logout and back in, it should either ask you for your key's password or no password at all if you left it blank. On OS X 10.6 this will be via a GUI panel, or similar on other OSes with a GUI ssh-agent setup.

SSH Agent

This isn't necessary to know about but might be helpful for some. An ssh-agent is actually what's running on OS X to allow the password panel that pops up and keychain support. It also doesn't ask you for the key's password repeatedly for a duration if you do multiple connections. It's job is to hold onto private keys for a time period so you don't have to continually enter your password.

There may be cases where you might want to use the ssh-agent command. I use this on a remote server so I only have to enter my key password once. I'll be doing a follow up post more on this I think as I need to review some pieces.