SSH With Public-key encryption

From docwiki


Motivation

Typing your password all the time is tedious. There is also the risk that an intruder on the remote site captures the password you type. Finally, we also want to automate jobs that run without a password. SSH offers public-key based login, and this is a really useful thing.


How to use Public-Key login with your ssh connection

First you need a pair of public and private keys. You can generate this with:

ssh-keygen

This creates two new files in the .ssh/ directory within your home directory. The file names depend on the key type: current OpenSSH generates an Ed25519 key by default, stored in .ssh/id_ed25519 and .ssh/id_ed25519.pub; older versions generate an RSA key, stored in .ssh/id_rsa and .ssh/id_rsa.pub.

It also asks you for a passphrase. The private key file is stored encrypted with this passphrase, so the key is only usable (by you, or by someone who steals the file) together with the passphrase. So choose a good and long phrase.

If you want a pair of keys for special purposes in different files you can use:

ssh-keygen -f somefile

This creates somefile and somefile.pub, which hold the private and the public key. Technically the passphrase is allowed to be empty. Only do this if you know what you are doing: anyone who gets hold of such a key file can use it immediately, so it should be a separate key dedicated to a single automated job, never your everyday key. The normal way to avoid retyping the passphrase is the ssh-agent described further down.


Second, you need to install that key on the remote side. On the remote side you need a file .ssh/authorized_keys that contains the public-key parts of the keys that are allowed to log in, one key per line. That would look like this:

ssh-rsa AAAAB..
ssh-rsa AAAAC53....

You can copy it there manually (e.g. by first logging in with your password), or your provider could ask you to send them your public key so that they can install it for you. Or you can use the ssh-copy-id script:

ssh-copy-id user@remotehost

This will first ask you for your password on the remote machine and then append the default public key to its .ssh/authorized_keys (or any other key that you specify with the -i option).

After the public key is installed in .ssh/authorized_keys you can log in without a password. The downside is: you still need your passphrase to unlock the key. When you have a lot of different servers where you need to log in often, it is tedious to always have to type the passphrase. So there is a tool that keeps the unlocked key in memory and asks for the passphrase only once. This is the so-called ssh-agent.
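The remote-side half of the procedure above, as an added example that is not part of the original page: a small POSIX shell function that does what ssh-copy-id does once it has reached the remote machine, writing the key into .ssh/authorized_keys without duplicating it and with the file modes sshd insists on (StrictModes). The directory standing in for the remote home and the key line are constructed for the example; the key is a placeholder of the right shape, not a real key.

```shell
#!/bin/sh
# Added example, not code from the original page. Installs a public key into
# HOME_DIR/.ssh/authorized_keys the way ssh-copy-id does on the remote side.
# HOME_DIR can be any directory, so this runs offline.

# Constructed placeholder (correct shape, not a usable key).
EXAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderNotARealKey0000 anna@laptop'

# install_authorized_key HOME_DIR PUBKEY_LINE
# Exit status: 0 key added, 1 key already present, 2 malformed input.
install_authorized_key() {
    home_dir=$1
    pubkey=$2
    key_type=$(printf '%s\n' "$pubkey" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')

    # Only accept key types sshd still supports; ssh-dss is gone.
    case $key_type in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "install_authorized_key: unsupported key type '$key_type'" >&2; return 2 ;;
    esac
    case $key_blob in
        '') echo "install_authorized_key: missing key blob" >&2; return 2 ;;
        *[!A-Za-z0-9+/=]*) echo "install_authorized_key: key blob is not base64" >&2; return 2 ;;
    esac

    ssh_dir=$home_dir/.ssh
    auth_file=$ssh_dir/authorized_keys
    # sshd ignores authorized_keys when ~/.ssh or the file is writable by
    # group or others, so set restrictive modes before writing anything.
    mkdir -p "$ssh_dir" || return 2
    chmod 700 "$ssh_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    # Already installed? Compare key type and blob only; the trailing comment
    # may differ between copies. Lines starting with options such as
    # command="..." are not matched by this simple check.
    if awk -v t="$key_type" -v b="$key_blob" \
        '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth_file"; then
        return 1
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# count_authorized_keys HOME_DIR: number of key lines (ignores blanks, comments).
count_authorized_keys() {
    f=$1/.ssh/authorized_keys
    [ -f "$f" ] || { echo 0; return 0; }
    grep -c -v -e '^#' -e '^[[:space:]]*$' "$f" || true
}

# mode_of PATH: octal permission bits (GNU stat, falling back to BSD stat).
mode_of() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Demo against a throw-away "remote home".
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "$EXAMPLE_PUBKEY" && echo "installed"
install_authorized_key "$demo_home" "$EXAMPLE_PUBKEY" || echo "already present (rc=$?)"
echo "keys: $(count_authorized_keys "$demo_home"), .ssh mode: $(mode_of "$demo_home/.ssh")"
rm -rf "$demo_home"
```

Compare the result with what ssh-copy-id produced in the exercise: the same key sent twice (for example from two machines with different comments) must still appear only once, and `ls -ld ~/.ssh ~/.ssh/authorized_keys` on the remote machine should show drwx------ and -rw-------.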


ssh-agent

If you log in to the graphical environment of your desktop then usually ssh-agent is already running, and when you open an ssh connection where a key is needed, the agent pops up a window where you enter your passphrase.

If you have to do it manually you can run: ssh-agent bash, which starts a new shell under the agent. The agent lives as long as that shell.

If you want to add a key right away you can use: ssh-add. With ssh-add -l you can list the keys the agent currently holds.

Once you are using the agent you can log in without typing your passphrase again: the key is unlocked once and stays in the agent's memory until you log out or remove it with ssh-add -d.
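Two helpers for the agent, added here as an example (not code from the original page): one tells whether an agent is reachable from the current shell and whether it holds any identities, the other runs a single automated job under a private agent that is killed again afterwards, which is the alternative to an empty passphrase. They rely only on the real ssh-add and ssh-agent programs and their documented exit codes; the key file path passed to run_with_agent is whatever you generated above and is an assumption of the example.

```shell
#!/bin/sh
# Added example, not code from the original page.

# agent_state: prints one word describing the agent situation of this shell.
#   keys-loaded  an agent answers on SSH_AUTH_SOCK and holds >= 1 identity
#   no-keys      an agent answers but nothing has been added yet
#   no-agent     SSH_AUTH_SOCK is unset or no agent answers on it
#   no-ssh-add   the ssh-add program is not installed
# ssh-add -l exits 0, 1 and 2 for the first three cases respectively.
agent_state() {
    if ! command -v ssh-add >/dev/null 2>&1; then
        echo no-ssh-add
        return 0
    fi
    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
        echo no-agent
        return 0
    fi
    ssh-add -l >/dev/null 2>&1
    case $? in
        0) echo keys-loaded ;;
        1) echo no-keys ;;
        *) echo no-agent ;;
    esac
    return 0
}

# run_with_agent KEYFILE COMMAND [ARGS...]
# Starts an agent for just this command, loads KEYFILE (ssh-add prompts for
# the passphrase if the key has one), runs COMMAND, then kills the agent so
# the unlocked key does not outlive the job. Returns COMMAND's exit status.
run_with_agent() {
    keyfile=$1
    shift
    command -v ssh-agent >/dev/null 2>&1 || { echo "ssh-agent not installed" >&2; return 2; }
    # ssh-agent -s prints shell code that exports SSH_AUTH_SOCK and SSH_AGENT_PID.
    eval "$(ssh-agent -s)" >/dev/null || return 2
    if ! ssh-add "$keyfile"; then
        ssh-agent -k >/dev/null
        unset SSH_AUTH_SOCK SSH_AGENT_PID
        return 2
    fi
    "$@"
    rc=$?
    ssh-agent -k >/dev/null
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    return $rc
}

# Demo: report the state of the shell this script runs in.
echo "agent: $(agent_state)"
# Typical use (key path and host are placeholders):
#   run_with_agent ~/.ssh/backup_key ssh anna@somemachine 'tar cf - /srv/data' > backup.tar
```

Inside `ssh-agent bash`, agent_state prints no-keys until you run ssh-add, then keys-loaded; in a shell started outside any agent it prints no-agent, which is why ssh falls back to asking for the passphrase there.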

SSH Login with Kerberos

In many organizations with a lot of users and machines there is a central authentication system called Kerberos. If you have Kerberos you can log in without a password, provided that the Linux server was configured to allow Kerberos-based (GSSAPI) login.

$ kinit
$ ssh -o GSSAPIAuthentication=yes -k anna@somemachine
$ ssh -K anna@othermachine

kinit logs you in to Kerberos and obtains a ticket (you can see it with klist). ssh then authenticates with that ticket instead of a password as soon as GSSAPI authentication is enabled, either in your ssh configuration or with -o GSSAPIAuthentication=yes as above; the lower-case -k only makes sure the ticket itself stays on your machine. If you use the capital -K instead, GSSAPI authentication is switched on and your Kerberos ticket is also forwarded (delegated) to the remote machine, so that it can act as you towards further Kerberos services. You need to trust that machine.
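The same choice expressed in ~/.ssh/config, as an added example that is not part of the original page (the host names are placeholders): ticket-based login everywhere, but forwarding of the ticket only to the machines you trust. ssh takes the first value it finds for each option, so the specific Host block has to come before the catch-all.

```sshconfig
# Trusted machines get a copy of the ticket (what "ssh -K" does).
Host othermachine *.trusted.example
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes

# Everything else: authenticate with the ticket, never hand it over
# (equivalent to "ssh -o GSSAPIAuthentication=yes -k").
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

With this in place a plain `ssh anna@somemachine` after kinit needs no password and leaves no ticket on somemachine; `klist` there shows nothing, whereas on othermachine it shows your forwarded credentials.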


Exercises

  • Generate a key pair and install it on an account where you have a login; try to install it via ssh-copy-id. See what is in your .ssh/authorized_keys file on the remote machine.
  • Check if the ssh agent is working and also try to manually start a shell under ssh-agent.
  • Also try this with a different identity (= a different key pair) than the default.