According to Wikipedia:
Secure Shell (SSH) is a cryptographic network protocol for secure data communication, remote shell services or command execution and other secure network services between two networked computers that it connects via a secure channel over an insecure network: a server and a client (running SSH server and SSH client programs, respectively).
- 1 Using Public and Private Keys with SSH (no password)
- 2 Using Public and Private Keys with SSH (with a password)
- 3 Setting up a secure tunnel via SSH
- 4 How to view the fingerprint of the ssh host key
- 5 KDE - Dolphin - SFTP connections (RSA) when existing key is present (ECDSA)
- 6 References
Using Public and Private Keys with SSH (no password)
Here's an example of generating a public/private key pair for key-based authentication on a remote server. I'm using a 4096-bit key length at the suggestion of one of the tutorial authors' sites below (it adds work for anyone trying to break it). If you protect the key with a strong passphrase, the private key is stored encrypted and is that much harder to abuse if it is ever copied. If you don't set a passphrase, however, the key can be used for automated tasks. Carefully weigh the costs and benefits of that choice before deploying the key to remote servers.
ubuntu@ubuntu:~$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa -C "Chuck Norris tough"
Generating public/private rsa key pair.
Created directory '/home/ubuntu/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ubuntu/.ssh/id_rsa.
Your public key has been saved in /home/ubuntu/.ssh/id_rsa.pub.
The key fingerprint is:
50:a0:9d:eb:61:bf:c8:6e:7a:76:bb:5a:05:e1:2e:58 Chuck Norris tough
The key's randomart image is:
+--[ RSA 4096]----+
| ..o |
| o + . |
| . E o |
| o + . |
| . = S . |
| o + . |
| . o |
| .+o.. |
| .*=o+o |
+-----------------+
ubuntu@ubuntu:~$ cat ~/.ssh/id_rsa.pub | ssh root@turtle 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat - >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'
The authenticity of host 'turtle (192.168.0.32)' can't be established.
RSA key fingerprint is b2:5c:0d:27:ed:12:a2:0c:33:51:9a:45:2f:2d:2f:6d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'turtle,192.168.0.32' (RSA) to the list of known hosts.
root@turtle's password:
The next time you connect from the user account where you're keeping the keys (in this case the ubuntu user) to the remote account where you deployed the keys, you should not be prompted for that user's password. Instead, you'll be prompted for the private key's password if you chose one, or let in without a password prompt at all if you chose an empty private key password. For the purposes of this entry, I did not choose a password (I'll use this approach for automated tasks).
Note: If the remote box is CentOS 6 (maybe earlier, maybe later, I've not tested), you'll also need to restore the correct SELinux contexts on that box, as the account whose ~/.ssh you just wrote to:
ubuntu@ubuntu:~$ restorecon -Rv ~/.ssh
Then SSH Public key auth will function properly.
ubuntu@ubuntu:~$ ssh root@turtle
Linux turtle 2.6.32-43-generic #97-Ubuntu SMP Wed Sep 5 16:43:09 UTC 2012 i686 GNU/Linux
Ubuntu 10.04.4 LTS

Welcome to Ubuntu!
 * Documentation:  https://help.ubuntu.com/

0 packages can be updated.
0 updates are security updates.

New release 'precise' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Fri Sep 21 20:51:29 2012 from ubuntu.local
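The remote half of the one-liner above (mkdir, chmod 700, append, chmod 600) appends blindly, so running it twice leaves two copies of the key. Here is the same procedure as an added example (not code from the page), made idempotent: it takes a home directory as an argument instead of running over ssh, and compares key type plus blob so a differing comment never produces a duplicate. It assumes the key line starts with the key type (no leading options field).

```shell
#!/bin/sh
# Added example: idempotent version of the remote half of the page's one-liner.
# install_authorized_key HOME_DIR PUBKEY_LINE
#   Creates HOME_DIR/.ssh (0700) and authorized_keys (0600) if missing and appends
#   PUBKEY_LINE unless the same key (type + base64 blob) is already present.
#   Assumption: the key line begins with the key type, i.e. no leading options field.
install_authorized_key() {
    home_dir="$1"
    pubkey="$2"
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir" || return 1
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file" || return 1

    # A key's identity is its type and blob; the trailing comment may differ between copies.
    key_id=$(printf '%s\n' "$pubkey" | awk '{ print $1 " " $2 }')
    if awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth_file"; then
        return 0    # already authorized, nothing to do
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# count_authorized_keys HOME_DIR: number of key lines (blank and comment lines ignored).
count_authorized_keys() {
    grep -c '^[^#[:space:]]' "$1/.ssh/authorized_keys"
}
```

On the server you would call it as `install_authorized_key "$HOME" "$(cat id_rsa.pub)"`; the sample key blobs in the test are constructed, not real keys.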
Using Public and Private Keys with SSH (with a password)
See the earlier section for the basics.
Assigning a password to a key without one
If you've already generated a private key without a password, no worries, you can assign a password to an existing key like so:
ssh-keygen -p -f $keyfile
which will usually be something like:
ssh-keygen -p -f ~/.ssh/id_rsa
Now your key has a password.
Logging into remote servers without (additional) password prompts
Well, now that the private key has a password, how do you login without having to type it for every server?
ubuntu@pickles:~/.ssh$ ssh-add
Enter passphrase for /home/ubuntu/.ssh/id_rsa:
Identity added: /home/ubuntu/.ssh/id_rsa (/home/ubuntu/.ssh/id_rsa)
ubuntu@pickles:~/.ssh$ ssh-add -l
4096 50:a0:9d:eb:61:bf:c8:6e:7a:76:bb:5a:05:e1:2e:58 /home/ubuntu/.ssh/id_rsa (RSA)
Now you can connect to remote servers during that bash session without being prompted further for the password. Once you're done, exit that shell and the key's password will be forgotten. Note that it is the agent process, not the shell, that holds the decrypted key, so if you're paranoid (can't blame you), verify that @ssh-agent@ is no longer running. If it is, kill it.
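An added helper (not from the page) that scopes the agent to a single task instead of a whole shell session: it starts a private ssh-agent, loads the key with an expiry via `ssh-add -t`, runs one command, and kills the agent on exit, so there is nothing left to check for afterwards. It assumes OpenSSH's `ssh-agent` and `ssh-add` are installed.

```shell
#!/bin/sh
# Added example: a task-scoped ssh-agent. The decrypted key lives only in this agent,
# only for LIFETIME seconds, and the agent is killed when the wrapper returns.

# agent_alive: succeed only if SSH_AGENT_PID names a live process.
agent_alive() {
    [ -n "${SSH_AGENT_PID:-}" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null
}

# agent_stop: terminate the agent named by SSH_AGENT_PID and forget it.
agent_stop() {
    if agent_alive; then
        kill "$SSH_AGENT_PID" 2>/dev/null
    fi
    unset SSH_AGENT_PID SSH_AUTH_SOCK
}

# with_agent KEYFILE LIFETIME COMMAND [ARGS...]
#   Start a fresh agent, add KEYFILE with an expiry, run COMMAND, then stop the agent
#   (also on interrupt, via the trap). Returns COMMAND's exit status.
with_agent() {
    keyfile="$1"; lifetime="$2"; shift 2
    eval "$(ssh-agent -s)" >/dev/null   # exports SSH_AUTH_SOCK and SSH_AGENT_PID
    agent_alive || return 1
    trap 'agent_stop' EXIT INT TERM
    if ! ssh-add -t "$lifetime" "$keyfile"; then
        agent_stop
        trap - EXIT INT TERM
        return 1
    fi
    "$@"
    rc=$?
    agent_stop
    trap - EXIT INT TERM
    return $rc
}
```

Typical use is `with_agent ~/.ssh/id_rsa 600 ssh root@turtle 'some command'`, entering the passphrase once; after it returns, `ssh-add -l` reports no agent to talk to.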
Setting up a secure tunnel via SSH
How to view the fingerprint of the ssh host key
KDE - Dolphin - SFTP connections (RSA) when existing key is present (ECDSA)
The problem shows itself with this error message:
The host key for this server was not found, but another type of key exists. An attacker might change the default server key to confuse your client into thinking the key does not exist. Please contact your system administrator.
The workaround is to remove the existing host keys (one for the hostname, one for the IP Address) and then connect again.
$ ssh-keygen -R host.example.com
$ ssh-keygen -R 18.104.22.168
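Before deleting entries it helps to see which key types the client already has on file for the host, which is what the error message is complaining about. The following is an added shell helper (not from the page) that reads an unhashed known_hosts file; the sample file it writes is constructed to reproduce this section's situation (an ECDSA key recorded for the host, no RSA key). Hashed entries (HashKnownHosts) cannot be matched by name and are skipped.

```shell
#!/bin/sh
# Added example: list the host-key types a known_hosts file already holds for one host.

# known_host_key_types KNOWN_HOSTS HOST -> one key type per line (empty if none)
known_host_key_types() {
    awk -v host="$2" '
        /^[[:space:]]*(#|$)/ { next }                 # comments and blank lines
        {
            f = ($1 ~ /^@/) ? 2 : 1                   # skip @cert-authority / @revoked marker
            if (substr($f, 1, 3) == "|1|") next       # hashed entry, cannot match by name
            n = split($f, names, ",")
            for (i = 1; i <= n; i++) {
                name = names[i]
                sub(/^\[/, "", name); sub(/\]:[0-9]+$/, "", name)   # [host]:port form
                if (name == host) { print $(f + 1); break }
            }
        }' "$1" | sort -u
}

# host_has_key_type KNOWN_HOSTS HOST TYPE -> 0 if TYPE is recorded for HOST, 1 otherwise
host_has_key_type() {
    known_host_key_types "$1" "$2" | grep -qx "$3"
}

# write_sample_known_hosts FILE: constructed sample reproducing the mismatch in this
# section (ECDSA present for host.example.com, RSA absent). Blobs are not real keys.
write_sample_known_hosts() {
    cat > "$1" <<'EOF'
# constructed sample, not real keys
host.example.com,18.104.22.168 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYCONSTRUCTED
[git.example.org]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTED
turtle,192.168.0.32 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCONSTRUCTED
EOF
}
```

Against a real file, `known_host_key_types ~/.ssh/known_hosts host.example.com` shows what `ssh-keygen -R` is about to remove.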
- Using SSH keys on your server
- Ubuntu Documentation - SSH/OpenSSH/Keys
- SSH Without a Password
- ssh - authorized_keys HOWTO
- Looks very comprehensive
- covered the use of restorecon to enable password-less logins using SSH Public/Private key pair (CentOS 6)
- covered the use of