SSH

Key-based authentication

Creating a key pair

Create an RSA key pair (private and public) named “id_foo_rsa” with the comment “foo@example.com” and protect it with a strong passphrase.

$ ssh-keygen -t rsa -C 'foo@example.com' -f ~/.ssh/id_foo_rsa
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): ******
Enter same passphrase again: ******
Your identification has been saved in /home/dominik/.ssh/id_foo_rsa.
Your public key has been saved in /home/dominik/.ssh/id_foo_rsa.pub.
The key fingerprint is:
c6:ef:d1:0b:85:60:d5:2c:de:12:aa:11:9a:62:59:3e foo@example.com
The key's randomart image is:
+--[ RSA 2048]----+
|          .o     |
|    . .  .o o    |
|   + o .oo +     |
|  + E .o..o..    |
| . . . oS ...    |
|      .. . o     |
|          + .    |
|         . o .   |
|          . .    |
+-----------------+

Show fingerprint of a public key

Option -v prints a visualized version of the fingerprint as ASCII-art.

$ ssh-keygen -lvf ~/.ssh/id_foo_rsa.pub
$ ssh-keygen -lvf ~/.ssh/id_foo_rsa
2048 c6:ef:d1:0b:85:60:d5:2c:de:12:aa:11:9a:62:59:3e /home/dominik/.ssh/id_foo_rsa.pub (RSA)
+--[ RSA 2048]----+
|          .o     |
|    . .  .o o    |
|   + o .oo +     |
|  + E .o..o..    |
| . . . oS ...    |
|      .. . o     |
|          + .    |
|         . o .   |
|          . .    |
+-----------------+

Copy public key to target system

$ ssh-copy-id -i ~/.ssh/id_foo_rsa.pub user@target

Or manually append the public key line to ~/.ssh/authorized_keys on the target system:

$ echo "ssh-rsa AAAAB3NzaC1yc.......DzjY2oH/ foo@example.com" >>~/.ssh/authorized_keys
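
The manual append step above as a repeatable function; this is an added example, not part of the original page, and the helper name install_pubkey is hypothetical. It is meant to run on the target system: it refuses a private key passed by mistake, keeps owner-only permissions, and does not add the same key twice.

```shell
#!/bin/sh
# Added example (not from the original page). Run on the target system.
# install_pubkey PUBKEY_FILE [AUTHORIZED_KEYS_FILE]   (hypothetical helper)
# Returns 0 if the key is installed (added or already present), 1 if rejected.
install_pubkey() {
    pub=$1
    auth=${2:-$HOME/.ssh/authorized_keys}
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Refuse a private key passed by mistake (id_foo_rsa, not id_foo_rsa.pub).
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key, refusing" >&2
        return 1
    fi

    # First line of a public key file: "<type> <base64 blob> [comment]".
    ktype='' blob='' comment=''
    read -r ktype blob comment < "$pub" || true
    case $ktype in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "unexpected key type '$ktype'" >&2; return 1 ;;
    esac
    [ -n "$blob" ] || { echo "missing key data in $pub" >&2; return 1; }

    # Owner-only permissions: sshd's StrictModes check rejects key files and
    # directories that are writable by group or others.
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"

    # Already present? Compare type and blob as whole fields, ignoring the
    # comment and any options in front of the key.
    if awk -v t="$ktype" -v b="$blob" \
        '{ for (i = 1; i < NF; i++) if ($i == t && $(i+1) == b) found = 1 }
         END { exit !found }' "$auth"; then
        echo "key already present in $auth"
        return 0
    fi

    # Do not glue the key onto a last line that lacks a trailing newline.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$ktype $blob${comment:+ $comment}" >> "$auth"
    echo "key added to $auth"
}
```

Usage on the target: install_pubkey id_foo_rsa.pub (the second argument defaults to ~/.ssh/authorized_keys).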

Log in to the target server using the private key

Use option -i to select the private key file.

$ ssh -i ~/.ssh/id_foo_rsa user@target

Or set a per-host configuration on the local system:

~/.ssh/config
Host target
	IdentityFile /home/dominik/.ssh/id_foo_rsa

Cache the unlocked key in memory using ssh-agent

Run ssh-agent, which puts itself in the background, and manually execute the commands it prints:

$ ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-IoJIH15103/agent.15103; export SSH_AUTH_SOCK;
SSH_AGENT_PID=15104; export SSH_AGENT_PID;
echo Agent pid 15104

or evaluate the output using eval:

$ eval `ssh-agent`

Now add the private key to the ssh-agent cache and provide the passphrase once:

$ ssh-add ~/.ssh/id_foo_rsa

Subsequent use of the key won't require entering the key passphrase again, as long as the agent is running and the environment variables are correctly set.

Note: ssh-agent is a background task and won't exit by itself. Use ssh-agent -k to kill the current agent or killall ssh-agent to terminate all agents.

Using ssh-agent with keychain

Installation on Debian:

# apt-get install keychain

Installation on Gentoo:

# emerge -va keychain

Execute keychain on login (e.g. via ~/.bash_profile) to re-use an existing ssh-agent with the desired private keys:

~/.bash_profile
eval $(keychain --eval --agents ssh --quick --quiet \
	id_foo_rsa id_bar_rsa)

# or this approach:
#keychain id_foo_rsa id_bar_rsa
#. ~/.keychain/$HOSTNAME-sh

keychain asks for the key passphrase once and then re-uses the running ssh-agent, so the passphrase doesn't have to be entered again until the system is rebooted or the agent is stopped.

ssh.txt · Last modified: 2013-02-16 11:16 CET by dominik