How to log in fast and securely with SSH keys
This guide shows how to generate an identity key pair. The key pair consists of a private key and a public key, and each should be treated as its name says: the private key stays secret, the public key can be handed out.
Keep in mind
- Who has access to the system? If someone else has physical access to the machine, that is the same as them being able to read the contents of your drive. Make sure you use a well-encrypted filesystem or a very good passphrase.
- The passphrase. If you’re setting a passphrase it shouldn’t be the same as your login password. When you feel the passphrase should be updated, just generate a new key-pair and distribute it. Make sure the revoked pair is taken out of circulation.
- Never ever copy your private key anywhere. This is a unique identification and if you’re setting up another machine you should generate a new key-pair. Portable keys can be put on USB sticks (protected by a good passphrase).
Generating an identity key-pair
Bring up your terminal and run the command ssh-keygen. You will be asked to input a filename, where I recommend you don’t enter anything, assuming this is your first time. A default value will then be used as you can see below:
Generating public/private rsa key pair.
Your identification has been saved in /home/mmn/.ssh/id_rsa.
Your public key has been saved in /home/mmn/.ssh/id_rsa.pub.
The above is the result of a successful key-pair generation for the user mmn. The “identification” file is your private key, which is a secret of utmost importance. When prompted, enter a passphrase if you deem it necessary for security; the passphrase encrypts the private key. However, a passphrase may make non-interactive scripts require input, so consider that if you have a specific automation scenario in mind.
Distributing the public key
To be able to identify yourself using the private key the remote computer requires a copy of the public key. This makes it possible to interchange secrets and establish a secure, non-eavesdropped communication channel.
The public key file contains a single line which must be put in the list of authorized keys at the remote server. If you have to supply the public key to an administrator, you can simply e-mail the id_rsa.pub file or copy-paste its contents. If you can already log in with a password on the remote machine, it’s easiest to use ssh-copy-id:
What ssh-copy-id does is append your public key to the file ~/.ssh/authorized_keys for your remote account. This can also be done manually, as it’s all just text files.
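The manual route mentioned above, as an added example that is not part of the original guide: a shell function, run on the remote account, that appends a public key to authorized_keys by hand. The function name install_pubkey, its exit codes and the sample key line are constructed for illustration.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE [HOME_DIR]   (hypothetical helper name)
# Appends one public key line to HOME_DIR/.ssh/authorized_keys.
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    sshdir=$home/.ssh
    auth=$sshdir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Refuse anything that looks like a private key (PEM/OpenSSH header).
    if grep -q -e '-----BEGIN' "$pub"; then
        echo "$pub looks like a private key, refusing" >&2
        return 2
    fi

    # A public key file is exactly one line: "type base64 [comment]".
    [ "$(grep -c '' "$pub")" -eq 1 ] || { echo "expected one line" >&2; return 3; }
    grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+=*( .*)?$' "$pub" \
        || { echo "not a public key line" >&2; return 3; }

    # With sshd's default StrictModes, keys are ignored if the directory
    # or file is writable by other users, so set owner-only permissions.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 4
    touch "$auth" && chmod 600 "$auth" || return 4

    # Append only if this exact line is not already present.
    key=$(cat "$pub")
    if grep -qxF -- "$key" "$auth"; then
        echo "key already authorized"
    else
        printf '%s\n' "$key" >> "$auth"
        echo "key added to $auth"
    fi
}

# Demo in a scratch directory with a constructed (not real) key line.
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructed mmn@laptop' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/home"
install_pubkey "$demo/id_rsa.pub" "$demo/home"   # second run changes nothing
```

On a real account, call it with only the key file so that it writes to your own ~/.ssh/authorized_keys.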
Configuring several identities
If you want to generate and select between several private keys, just enter a different filename for each when running ssh-keygen. When connecting to various computers you must supply the key to ssh which is done with the -i switch. Here are a couple of examples:
Log in with your own username on server host using the default private key.
ssh -i ~/.ssh/testkey mikael@host2
Log in as user mikael on server host2 using the alternative private key testkey.
ssh -t -i ~/.ssh/testkey mikael@host2 'screen -Dr irc || screen -S irc irssi'
Log in as user mikael on server host2 using testkey. Use pseudo-tty allocation (-t) and take control over screen OR start irssi in a new screen.
To make the various commands more easily accessible and much quicker to use, you can configure ssh or set up aliases in your shell. Look below for an example you can use to start configuring ssh. The default file path is ~/.ssh/config.
Sample ssh config file
# Global section
IdentitiesOnly yes
Compression yes

# uses default identity file
Host host
    HostName host.machines.com
    User mmn
    Port 443

# uses specific testkey identity
Host host2
    IdentityFile ~/.ssh/testkey
    User mikael
    HostName host2.machines.com