SW Designs

Technology and Photography

SSH Keys and Quick Logins

Entering your password when SSHing onto remote machines gets very boring, very quickly. The good news is that this can be avoided by using public key authentication, without compromising security. In fact, this approach can prevent brute-force attacks if password-based authentication is turned off as well.

  • The first step is to generate a public/private key pair on the client machine. Due to the security problems with SSH-1, we’ll be creating SSH-2 keys.
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/simon/.ssh/id_dsa):

Hit enter to accept the default file. Next we’re prompted for a passphrase; I suggest you don’t leave it empty unless you have a requirement for completely passwordless access.

Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/simon/.ssh/id_dsa.
Your public key has been saved in /home/simon/.ssh/id_dsa.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx
simon@server
  • Now we add the public key from the client to the authorised keys file on the server, creating the file if it doesn’t already exist. Multiple keys can be added to the file if necessary; just append them to the end of it.
$ cat ~/.ssh/id_dsa.pub | ssh server 'cat >> ~/.ssh/authorized_keys'
simon@server's password:

Update: ssh-copy-id is a better way to do this:

$ ssh-copy-id -i .ssh/id_dsa.pub simon@server
  • Verify that the keys work. You should now be prompted for a passphrase instead of a password. If not, check that DSAAuthentication is enabled in /etc/ssh/sshd_config on the server.
$ ssh server
Enter passphrase for key '/home/simon/.ssh/id_dsa':
  • Okay, so we’re now using public key authentication, good times, but still having to enter a passphrase, bad times. By using ssh-agent, you just need to enter your passphrase once per session. For security reasons I suggest using the -t option of ssh-add so that the cached key expires after a set lifetime. For example, at work I use ssh-add -t8h at the beginning of the day in order to have it expire shortly after I finish work.
$ ssh-add
Enter passphrase for /home/simon/.ssh/id_dsa:
Identity added: /home/simon/.ssh/id_dsa (/home/simon/.ssh/id_dsa)

Now you can just type ssh server and you will be automagically logged in to the remote machine.
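
A more careful version of the copy step above, run on the server: it creates ~/.ssh with the permissions sshd expects, refuses a private key, and appends the public key only once. This is an added example, not code from the original post; install_pubkey and the sample key line are constructed for illustration, and the function accepts any SSH-2 key type rather than only DSA (which OpenSSH has disabled by default since release 7.0).

```shell
# Added example (not from the original post): idempotent, permission-safe
# form of "cat id_dsa.pub >> ~/.ssh/authorized_keys". install_pubkey is a
# hypothetical helper name. Usage: install_pubkey PUBKEY_FILE [SSH_DIR]
install_pubkey() {
    pubkey_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_file="$ssh_dir/authorized_keys"
    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 2; }

    # Never upload the private half by mistake (id_dsa instead of id_dsa.pub).
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "$pubkey_file looks like a private key" >&2; return 2
    fi

    # Expect exactly one line: "<type> <base64 blob> [comment]".
    [ "$(grep -c . "$pubkey_file")" -eq 1 ] || { echo "expected one key line" >&2; return 2; }
    key_line=$(grep . "$pubkey_file")
    case $key_line in
        ssh-*" "?*|ecdsa-*" "?*|sk-*" "?*) ;;
        *) echo "not a public key line" >&2; return 2 ;;
    esac
    rest=${key_line#* }
    key_blob=${rest%% *}

    # With StrictModes (sshd's default) the key is ignored if ~/.ssh or
    # authorized_keys is writable by group or others.
    ( umask 077; mkdir -p "$ssh_dir" && touch "$auth_file" ) || return 2
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file" || return 2

    # Compare the blob, so a different comment does not create a duplicate.
    if grep -qF -- "$key_blob" "$auth_file"; then
        echo present; return 0
    fi
    # A plain ">>" would glue the key onto an unterminated last line.
    if [ -n "$(tail -c 1 "$auth_file")" ]; then echo >> "$auth_file"; fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo added
}

# Demo on constructed data in a scratch directory (not a real key).
demo=$(mktemp -d)
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBconstructed simon@client\n' > "$demo/id_dsa.pub"
install_pubkey "$demo/id_dsa.pub" "$demo/.ssh"   # prints: added
install_pubkey "$demo/id_dsa.pub" "$demo/.ssh"   # prints: present
rm -rf "$demo"
```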
