Ssh Key Generation

1 Introduction

The ssh-key mechanism lets you connect to remote machines through ssh without having to enter your password. This is very convenient, for instance, when you copy files (scp) to and from a remote machine a lot.

2 On Linux and Mac OS X

2.1 Creating a new pair of ssh keys

In this example we create an ssh key pair to connect as user 'user' from the local machine 'local' to the remote machine 'remote'.

$ ssh-keygen -f ~/.ssh/id_rsa_remote -C user@remote
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /Users/user/.ssh/id_rsa_remote.
Your public key has been saved in /Users/user/.ssh/id_rsa_remote.pub.
The key fingerprint is:
2d:f0:5b:ae:05:b5:25:10:f2:f0:c6:67:1b:bc:10:28 user@remote
The key's randomart image is:
+--[ RSA 2048]----+
|      o.+.       |
|    E .* +       |
|     .. * B .    |
|       + *       |
|        B *      |
|         *       |
|        o o      |
|         o       |
|        .        |
+-----------------+

The options for the command are:

  • -f: specifies the name of the files where the keys are going to be saved.
  • -C: adds a comment to the public key so it's easier to identify keys.

ssh-keygen lets you enter an empty passphrase, but please do enter a strong one: without a passphrase, anyone who obtains the private key file can use it as-is, so the passphrase helps make the machine more secure.

In this example, two files are created:

  • the private key: ~/.ssh/id_rsa_remote. The private key should not be shared.
  • the public key: ~/.ssh/id_rsa_remote.pub. The public key is what you send to the remote machine.

2.2 Transferring the public key to the remote machine

2.2.1 If you already have access to the machine through ssh

  • On Linux:
    $ ssh-copy-id -i ~/.ssh/id_rsa_remote.pub user@remote
    
  • On Mac (Mac OS does not come with the ssh-copy-id command, so it's a little more involved):
    $ cat ~/.ssh/id_rsa_remote.pub | ssh user@remote "mkdir -p .ssh; chmod 700 .ssh;cat >> .ssh/authorized_keys;chmod 600 .ssh/authorized_keys"
    

2.2.2 If you don't already have ssh access to the remote machine

Send the file ~/.ssh/id_rsa_remote.pub to your system administrator.

2.3 Connecting to the remote machine: ssh-agent

You can connect through ssh by

$ ssh user@remote

but then ssh will ask you for the key's passphrase every time you connect. Instead you can use ssh-agent, a program that asks for your passphrase once and remembers it.

2.3.1 Starting ssh-agent

More specifically, ssh-agent is a daemon that runs in the background. To start it:

  • On Mac OS it is started automatically.
  • On Linux: Most Linux desktops (e.g. Gnome, KDE) start an ssh agent automatically. But if you only connect through a terminal you will need to edit two files:
    • ~/.bash_profile (start an agent only if this shell does not already have one)
      # SSH_AUTH_SOCK is already set when an agent is available to this shell
      if [ "X$SSH_AUTH_SOCK" = "X" ] ; then
         eval $(ssh-agent)
      fi
      
    • ~/.bash_logout (to stop the ssh-agent when you log out)
      # only kill the agent from the top-level login shell (SHLVL 1), not from subshells
      if [ "$SSH_AGENT_PID" -a "$SHLVL" = "1" ] ; then
         eval $(ssh-agent -k)
      fi
      

2.4 Adding your key to your ssh-agent

To add your newly created key to your ssh-agent

$ ssh-add ~/.ssh/id_rsa_remote

You'll be asked for your passphrase once and you won't be asked again until you log out of the machine.

2.5 Listing the keys currently held by your ssh-agent

$ ssh-add -l
2048 55:bb:c3:8c:e7:b6:a5:56:de:f7:65:07:0b:a2:65:71 ./id_rsa_remote

2.6 Deleting keys from the ssh-agent

Let's say that you have an ssh-agent running on your laptop and holding important keys. If you simply close the lid of your laptop, ssh-agent will still hold the keys. If your laptop gets stolen, the thief will have passwordless access to the remote machines. It's good practice to delete the keys from the agent when you are done using them for a while.

The command ssh-add lets you do two things:

  1. Delete one key from the ssh-agent
    $ ssh-add -d ~/.ssh/id_rsa_remote
    
  2. Delete all the keys from the ssh-agent
    $ ssh-add -D
    

2.7 Some interesting utilities

2.7.1 Changing the passphrase on a key

$ ssh-keygen -p -f .ssh/id_rsa_atmos

2.7.2 Agent forwarding

Let's say you have 3 machines A, B and C, such that: A has ssh keys for B and C but B and C don't have ssh keys for each other. Now imagine that you connect from A to B and then you want to connect from B to C. You can do that by forwarding your agent. On Mac OS this is done by modifying the ssh configuration file:

$ sudo vim /etc/ssh_config

and make sure that these lines appear:

Host *
ForwardAgent yes

then restart the ssh server with

sudo launchctl stop com.openssh.sshd
sudo launchctl start com.openssh.sshd 
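The Host * stanza above forwards your agent to every machine you ssh into, and anyone with root on such a machine can use the forwarded socket to authenticate as you for as long as your session is open. Added here as an example (not part of the original page): the same setting restricted to the one jump host B, written for the per-user client config ~/.ssh/config (ssh_config is the client-side file, so the user file works as well as /etc/ssh_config); the host name B is a placeholder for your intermediate machine.

```sshconfig
# Weak (what the page shows): every outgoing connection forwards the agent.
# Host *
#     ForwardAgent yes

# Better: forward only to the machine you actually hop through.
# ssh uses the FIRST value it finds for each option, so the specific
# Host B stanza must come before the catch-all Host * stanza.
Host B
    ForwardAgent yes

# Default for everything else: no forwarding.
Host *
    ForwardAgent no
```

If you only occasionally need forwarding, leave it off in the file and enable it for a single session with ssh -A B instead.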

3 On Windows

Download PuTTY. The package includes:

  • PuTTYgen: for key generation.
  • Pageant: the ssh-agent.

A good reference for key-based ssh logins with PuTTY: Key-Based SSH Logins With PuTTY.

Author: David Luet

Created: 2015-10-21 Wed 17:01

Emacs 24.5.1 (Org mode 8.2.10)
