
According to Wikipedia:

Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client (running SSH server and SSH client programs, respectively).

Using Public and Private Keys with SSH (no password)

Here's an example of generating a public/private key pair for private key authentication on a remote server. I'm using a 4096-bit key length at the suggestion of one of the tutorial authors' sites below (added complexity in breaking it). If you enter a tough password for the key, it will be encrypted and that much harder to use for malicious purposes. If you don't use a password, however, the key can be used for automated tasks. You'll need to carefully weigh the costs and benefits of your choice before deploying the key to remote servers.

ubuntu@ubuntu:~$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -C "Chuck Norris tough"
Generating public/private rsa key pair.
Created directory '/home/ubuntu/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/ubuntu/.ssh/id_rsa.
Your public key has been saved in /home/ubuntu/.ssh/
The key fingerprint is:
50:a0:9d:eb:61:bf:c8:6e:7a:76:bb:5a:05:e1:2e:58 Chuck Norris tough
The key's randomart image is:
+--[ RSA 4096]----+
|      ..o        |
|     o + .       |
|    . E o        |
|     o + .       |
|    . = S .      |
|     o + .       |
|      . o        |
|     .+o..       |
|    .*=o+o       |

ubuntu@ubuntu:~$ cat ~/.ssh/ | ssh root@turtle 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat - >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
The authenticity of host 'turtle (' can't be established.
RSA key fingerprint is b2:5c:0d:27:ed:12:a2:0c:33:51:9a:45:2f:2d:2f:6d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'turtle,' (RSA) to the list of known hosts.
root@turtle's password: 

The next time you connect from the user account where you're keeping the keys (in this case the ubuntu user) to the remote account where you deployed the keys, you should not be prompted for that user's password. Instead, you'll be prompted for the private key's password if you chose one, or let in without a password prompt at all if you chose an empty private key password. For the purposes of this entry, I did not choose a password (I'll use this approach for automated tasks).

Note: If you are setting up a remote CentOS 6 box (maybe earlier, maybe later, I've not tested), you'll also need to restore the correct SELinux contexts on that box's ~/.ssh directory, or sshd will refuse to read the authorized_keys file you just appended to:

ubuntu@ubuntu:~$ restorecon -Rv ~/.ssh

Then SSH public key auth will function properly.

ubuntu@ubuntu:~$ ssh root@turtle
Linux turtle 2.6.32-43-generic #97-Ubuntu SMP Wed Sep 5 16:43:09 UTC 2012 i686 GNU/Linux
Ubuntu 10.04.4 LTS

Welcome to Ubuntu!
 * Documentation:

0 packages can be updated.
0 updates are security updates.

New release 'precise' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Sep 21 20:51:29 2012 from ubuntu.local
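As an added example (not from the original page), here is a Python audit of an authorized_keys file of the kind the command above appends to: it decodes each ssh-rsa blob's SSH wire format to recover the modulus size, so you can confirm that only keys of the intended length (4096 bits here) were deployed and spot short ones left behind. The sample file is constructed inside the block with placeholder moduli, not real keys, and the parser handles plain ssh-rsa lines only (no options prefix, no other key types).

```python
import base64
import struct

def ssh_string(b: bytes) -> bytes:
    # SSH wire-format string: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    # SSH mpint is two's complement, so a leading 0x00 keeps it positive.
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return ssh_string(b"\x00" + b if b[0] & 0x80 else b)

def make_rsa_line(e: int, n: int, comment: str) -> str:
    # One authorized_keys line: key type, base64 blob, free-text comment.
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def read_string(blob: bytes, off: int):
    # Decode one wire-format string at off; return (bytes, next offset).
    length = struct.unpack_from(">I", blob, off)[0]
    return blob[off + 4:off + 4 + length], off + 4 + length

def parse_rsa_line(line: str) -> dict:
    # Returns key type, modulus bit length and comment for one ssh-rsa line.
    fields = line.split(None, 2)
    blob = base64.b64decode(fields[1])
    wire_type, off = read_string(blob, 0)
    if fields[0] != "ssh-rsa" or wire_type != b"ssh-rsa":
        raise ValueError(f"unsupported or inconsistent key type: {fields[0]}")
    _e, off = read_string(blob, off)      # public exponent, not needed here
    n_bytes, _ = read_string(blob, off)   # modulus: its bit length is the key size
    bits = int.from_bytes(n_bytes, "big").bit_length()
    return {"type": "ssh-rsa", "bits": bits, "comment": fields[2] if len(fields) == 3 else ""}

def audit_authorized_keys(text: str, min_bits: int = 2048) -> list:
    # Parse every key line, skipping blanks and comments, and flag short RSA keys.
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        info = parse_rsa_line(line)
        findings.append(dict(info, line=lineno, weak=info["bits"] < min_bits))
    return findings

# Constructed sample file, not real keys: the usual exponent 65537 with two
# placeholder moduli whose only purpose is to be 4096 and 1024 bits long.
SAMPLE = "\n".join(["# constructed sample authorized_keys",
                    make_rsa_line(65537, (1 << 4095) | 0xC0FFEE, "Chuck Norris tough"),
                    make_rsa_line(65537, (1 << 1023) | 0xC0FFEE, "old-laptop")])
```

Run `audit_authorized_keys(open(path).read())` against a real file to list every key's bit length and which entries fall below the threshold.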

Using Public and Private Keys with SSH (with a password)

See the earlier section for the basics.

Assigning a password to a key without one

If you've already generated a private key without a password, no worries: you can assign a password to an existing key like so:

ssh-keygen -p -f $keyfile

which will usually be something like:

ssh-keygen -p -f ~/.ssh/id_rsa

Now your key has a password.

Logging into remote servers without (additional) password prompts

Well, now that the private key has a password, how do you log in without having to type it for every server?

ubuntu@pickles:~/.ssh$ ssh-add
Enter passphrase for /home/ubuntu.ssh/id_rsa:
Identity added: /home/ubuntu.ssh/id_rsa (/home/ubuntu.ssh/id_rsa)
ubuntu@pickles:~/.ssh$ ssh-add -l
4096 50:a0:9d:eb:61:bf:c8:6e:7a:76:bb:5a:05:e1:2e:58 /home/ubuntu.ssh/id_rsa (RSA)

Now you can connect to remote servers during that bash session without being prompted further for the password. Once you're done, exit that shell and the key's password will be forgotten. If you're paranoid (can't blame you), verify that ssh-agent is no longer running. If it is, kill it.

Setting up a secure tunnel via SSH

How to view the fingerprint of the ssh host key

KDE - Dolphin - SFTP connections (RSA) when an existing host key is present (ECDSA)

The problem shows itself with this error message:

The host key for this server was not found, but another type of key exists. An attacker might change the default server key to confuse your client into thinking the key does not exist. Please contact your system administrator.

The workaround is to remove the existing host keys from known_hosts (one for the hostname, one for the IP address) and then connect again.


$ ssh-keygen -R
$ ssh-keygen -R