SSH Keys and Configurations, Chris Hales

SSH how to 2011

Dec 18, 2014

Internal knowledge share on SSH setup and usage. Includes some helpful config file options to save time, and how to create and use SSH keys for better security and productivity.

Transcript
Page 1: SSH how to 2011

SSH Keys and Configurations

Chris Hales

Page 2: SSH how to 2011

What is SSH?

Secure Shell, aka SSH, is an encrypted remote-access protocol designed to replace older insecure protocols like telnet, rsh and ftp, which send passwords and session data across the network in the clear.

Page 3: SSH how to 2011

SSH authentication can be done with a username and password combination, which is the default. Here's the simplest usage we might encounter.

$ ssh user@secureserver

After you connect to secureserver you are normally asked for your password to complete the login.

Page 4: SSH how to 2011

When you start doing this over and over again for many systems with various passwords it can become pretty tedious. What if there was a way to simplify the process?

Time for SSH Keys to save the day!

Page 5: SSH how to 2011

Enter SSH Keys!

SSH can be configured to use key pairs so that you don't have to type your password in every time you need to log into a commonly accessed system. Your public key is placed on all systems you wish to access; your private key stays on your own machine and is what proves you hold the pair.

Page 6: SSH how to 2011

There are a lot of technical details surrounding public-key cryptography, but for our purposes all you really need to know is that it is a secure way of proving who you are to a remote system without ever sending a secret across the wire: the server only ever sees your public key, and the private key never leaves your machine.

Let's begin with creating your key pair if you don't already have one. Mac and Linux setup is basically identical. For Windows you will need PuTTY and PuTTYgen installed.

Page 7: SSH how to 2011

Key Creation for Windows

For Windows users I'm cheating and sending you to an excellent PuTTYgen how-to which includes key pair creation.

http://theillustratednetwork.mvps.org/Ssh/Private-publicKey.html

Page 8: SSH how to 2011

Key Creation for Mac/Linux

On Unix-like systems (Ubuntu, OSX, etc.) we'll need to go through a few steps. Fortunately it's likely you already have an SSH directory, because one is created for you the first time you use SSH.

Open up a terminal window and check your home directory for a hidden .ssh directory.

$ cd ~/.ssh

Page 9: SSH how to 2011

If you receive a "no such file or directory" type of error message you have not used SSH from this account, and certainly don't have a key on this system yet.

Next we'll create a key pair, which also creates the directory and files we need automatically.

Page 10: SSH how to 2011

Key Creation for Mac/Linux

When you create an SSH key pair you want to enter a strong passphrase when prompted to do so*. While you could skip the passphrase, doing so lets anyone who gets hold of the file (a stolen laptop, a careless backup) log in as you. Your key is valuable and it should be protected at all costs.

Page 11: SSH how to 2011

Let's create a strong 2048 bit RSA key with your email address included as the comment.

$ ssh-keygen -t rsa -b 2048 -C "[email protected]"

You will be asked for a few options and you can leave those as their defaults, but when asked for a passphrase choose a solid one.

A caveat for readers on a current OpenSSH: 2048-bit RSA was the default when these slides were written. Today prefer ssh-keygen -t ed25519 -C "..." (supported since OpenSSH 6.5), or at least 3072-bit RSA, which is the current default size.

* A common practice when using SSH keys is to omit a passphrase, because the default setup requires that you enter your passphrase each time you use your key, which seems no better than typing a password at each login. Further in we'll cover how to work around this so you only need to enter your passphrase once per session.

Page 12: SSH how to 2011

Key Creation for Mac/Linux

Once your key is created you should see the new files that were named during key generation.

$ cd ~/.ssh
$ ls

~/.ssh/id_rsa

This is your private key file, which ssh reads by default when a login attempt is made. Keep it readable only by you (mode 600) and never copy it to a server. You can have multiple keys, e.g. id_otherkey, created with ssh-keygen -f ~/.ssh/id_otherkey and selected with ssh -i ~/.ssh/id_otherkey.

~/.ssh/id_rsa.pub

This is your public key file for authentication. The contents of this file should be added to ~/.ssh/authorized_keys on all machines where you wish to log in using key authentication. There is no need to keep the contents of this file secret.

Page 13: SSH how to 2011

Key Creation for Mac/Linux

To use your shiny new key on a server you need to copy your public key over to the authorized_keys file. It's usually not safe to try a simple copy/paste, since even a stray line break will break a key file, and OSX doesn't ship the ssh-copy-id utility, so we'll have to do some magic. The remote command below creates .ssh if it is missing (cat alone fails on a fresh account), and the umask keeps the new directory and file private, which sshd requires (StrictModes, the default) before it will honour the keys in them.

$ ssh [email protected] -p 7022 "umask 077; mkdir -p .ssh; cat >> .ssh/authorized_keys" < ~/.ssh/id_rsa.pub

Where ssh-copy-id is available, the equivalent is:

$ ssh-copy-id -i ~/.ssh/id_rsa.pub -p 7022 [email protected]

Page 14: SSH how to 2011

Now you should be able to authenticate to the server with your key.

$ ssh [email protected] -p 7022

If all is right in the world you will be asked for your key passphrase and not your server password.

Success! :)

Failure :( contact Chris.
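The one-liner does the job, but it has two rough edges: it fails on an account whose .ssh directory doesn't exist yet, and it will happily append a mangled or duplicated key, which sshd then silently ignores. The script below is an added example, not part of the original slides, that performs the same installation step with those checks. The key in it is a constructed placeholder, not a real key, and the paths are throwaway temp directories; on a server you would point it at $HOME/.ssh/authorized_keys.

```sh
#!/bin/sh
# Added example (not from the original slides): install a public key into an
# authorized_keys file the way the one-liner does, plus the checks it skips.
#   - exactly one well-formed "type base64 [comment]" line is accepted
#   - the .ssh directory and authorized_keys are created with the private
#     permissions sshd (StrictModes) insists on
#   - a key already present is not appended again, so re-runs are harmless
#
# Usage: add_authorized_key <path/to/authorized_keys> <public_key_file>
# Pass a full path such as "$HOME/.ssh/authorized_keys"; the parent directory
# is chmod 700, so don't point it at a directory you share with others.

add_authorized_key() {
    auth_file=$1
    pub_file=$2
    ssh_dir=$(dirname "$auth_file")

    # One line only. awk's NR counts a final line even without a trailing
    # newline, where `wc -l` would report 0.
    if [ "$(awk 'END { print NR }' "$pub_file")" != "1" ]; then
        echo "refusing $pub_file: a public key file is exactly one line" >&2
        return 1
    fi
    key=$(cat "$pub_file")

    # Key type, base64 blob, optional comment. A line break pasted into the
    # blob, or a private key copied by mistake, fails here instead of being
    # appended and then silently ignored by sshd.
    if ! printf '%s\n' "$key" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+={0,2}( .*)?$'; then
        echo "refusing $pub_file: not a single OpenSSH public key line" >&2
        return 1
    fi

    # Same effect as "umask 077" in the one-liner, with the mkdir it lacks.
    (umask 077 && mkdir -p "$ssh_dir" && touch "$auth_file") || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$auth_file" || return 1

    # Idempotent: skip if this exact line is already authorized.
    if grep -qxF -- "$key" "$auth_file"; then
        echo "already present in $auth_file" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$auth_file"
}

# Number of keys currently in an authorized_keys file (one per line).
count_authorized_keys() {
    if [ -f "$1" ]; then awk 'END { print NR }' "$1"; else echo 0; fi
}

# Demo on a throwaway directory with a constructed key (the base64 below is
# not a real key; a real one comes from ~/.ssh/id_rsa.pub).
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0fake/Example+Only== you@laptop\n' > "$demo_dir/id_rsa.pub"
add_authorized_key "$demo_dir/.ssh/authorized_keys" "$demo_dir/id_rsa.pub"
add_authorized_key "$demo_dir/.ssh/authorized_keys" "$demo_dir/id_rsa.pub"   # second run: "already present"
echo "authorized keys: $(count_authorized_keys "$demo_dir/.ssh/authorized_keys")"   # 1
ls -ld "$demo_dir/.ssh" "$demo_dir/.ssh/authorized_keys"   # drwx------ and -rw-------
```

Run it on the server itself against $HOME/.ssh/authorized_keys after copying the .pub file over, or feed it through ssh the same way the one-liner does. The format check deliberately accepts only the common key types; extend the alternation if you roll out FIDO (sk-*) keys.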

Page 17: SSH how to 2011

SSH Agent

Entering your passphrase on every login defeats the intent of using keys. ssh-agent will take care of the pesky prompts: it decrypts the key once and answers later authentication requests from memory. Under OSX it runs by default, so you will even get a popup asking you to save your passphrase to the keychain. Once you save it you will never be asked again on your local system.

Page 18: SSH how to 2011

For Linux it's a little more complex. You will need to add a script to your ~/.profile file, or you can execute a couple of short commands. The following starts the ssh-agent and then lets ssh-add pick up the environment variables it prints, after which the agent holds your key for the whole session. Please note the backticks around ssh-agent (eval "$(ssh-agent -s)" is the equivalent modern spelling).

$ eval `ssh-agent`
$ ssh-add

You will be prompted for your passphrase one time but not again during the same session.

A few checks worth knowing: ssh-add -l lists the keys the agent currently holds, ssh-add -t 3600 loads a key for one hour instead of indefinitely, and ssh-add -D drops them all, which is the thing to run before walking away from a shared machine.

Page 19: SSH how to 2011

SSH Config

We've got new keys and we can access some servers with them. We're still doing a lot of typing though, e.g.

$ ssh [email protected] -p 7022

Wouldn't it be nice if we could convert that into a short, simple, easy to remember command like the following?

$ ssh staging

Page 20: SSH how to 2011

We can! Using the user-configurable ssh config file you can create aliases for commonly accessed systems. Just create a config file in your .ssh directory using your favorite editor. ssh refuses to read it if other users can write to it, so keep it at mode 600 like your keys.

$ nano -w ~/.ssh/config

Page 21: SSH how to 2011

There are a number of things you can do inside the ssh config file, but aliases/bookmarks are probably the most common entries you will run into or need for yourself. Here's the basic entry for our staging example.

Host staging
    User <your-username>
    Hostname 174.143.170.119
    Port 7022

This creates an alias to the 174.143.170.119 server with our user and port options. The "Host" line is the alias name we assign; the lines below it apply until the next Host line. Now calling the following will start an ssh session equivalent to ssh [email protected] -p 7022.

$ ssh staging
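ssh reads this file top to bottom and, for each option, keeps the first value it finds in a block whose Host pattern matches, which is why a catch-all Host * section with defaults must go below specific aliases like staging, never above them. The script below is an added example, not from the original slides, that resolves an alias with those rules over a constructed sample config; alice and the internal.example.com hosts are placeholders, while 174.143.170.119 and port 7022 are the staging server from the slides. On a live system the authoritative check is ssh -G staging, which prints the configuration ssh would actually use.

```sh
#!/bin/sh
# Added example (not from the original slides): resolve an alias the way ssh
# reads ~/.ssh/config. ssh scans the file top to bottom and, for each option,
# keeps the FIRST value found in a block whose Host pattern matches, so a
# catch-all "Host *" block must sit below specific aliases, never above them.
# Handles the keywords the slides use (Host, Hostname, User, Port) plus
# IdentityFile, "*" and "?" wildcards in Host patterns, "Key value" and
# "Key=value" spellings, and %h in Hostname (ssh's token for the alias typed).
#
# Usage: resolve_ssh_alias <config_file> <alias>
# Prints: "<user> <hostname> <port> <identityfile>", with "-" for an unset
# user or identity file and ssh's defaults (the alias itself, port 22) otherwise.

resolve_ssh_alias() {
    awk -v alias="$2" '
        # ssh_config glob -> awk regex: escape dots, then * -> .* and ? -> .
        function glob2re(g,   r) {
            r = g
            gsub(/\./, "\\\\.", r)
            gsub(/\*/, ".*", r)
            gsub(/\?/, ".", r)
            return "^" r "$"
        }
        BEGIN {
            FS = "[ \t=]+"
            matched = 1        # options before the first Host line apply to everything
        }
        {
            sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "")      # trim; this re-splits the fields
            if ($0 == "" || $0 ~ /^#/) next              # blank line or comment
            key = tolower($1)
            if (key == "host") {
                # A Host line may carry several patterns; any match selects the block.
                matched = 0
                for (i = 2; i <= NF; i++) if (alias ~ glob2re($i)) matched = 1
                next
            }
            if (!matched) next
            # First obtained value wins: never overwrite an option already set.
            if (key ~ /^(hostname|user|port|identityfile)$/ && !(key in opt)) {
                val = $2
                if (key == "hostname") gsub(/%h/, alias, val)
                opt[key] = val
            }
        }
        END {
            u = ("user" in opt)         ? opt["user"]         : "-"
            h = ("hostname" in opt)     ? opt["hostname"]     : alias
            p = ("port" in opt)         ? opt["port"]         : "22"
            f = ("identityfile" in opt) ? opt["identityfile"] : "-"
            printf "%s %s %s %s\n", u, h, p, f
        }
    ' "$1"
}

# Demo on a constructed config. "alice" and the internal.example.com hosts are
# placeholders; 174.143.170.119:7022 is the staging server from the slides.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Host staging
    User alice
    Hostname 174.143.170.119
    Port 7022

# One block can cover a whole family of hosts; %h becomes the alias you typed.
Host db-*
    Hostname %h.internal.example.com
    IdentityFile ~/.ssh/id_db

# Defaults go LAST: they only apply where no block above already set the option.
Host *
    User alice
    Port 22
EOF
resolve_ssh_alias "$cfg" staging      # alice 174.143.170.119 7022 -
resolve_ssh_alias "$cfg" db-primary   # alice db-primary.internal.example.com 22 ~/.ssh/id_db

# The same entries with "Host *" first: staging silently gets port 22, because
# the catch-all block claimed Port before the staging block was reached.
misordered=$(mktemp)
printf 'Host *\n    Port 22\nHost staging\n    Hostname 174.143.170.119\n    Port 7022\n' > "$misordered"
resolve_ssh_alias "$misordered" staging   # - 174.143.170.119 22 -
```

The misordered case is the one that bites in practice: ssh connects, the login fails or hits the wrong service, and nothing in the config looks wrong until you remember that the first value wins. Compare the script's answer with ssh -G staging on your own machine; ssh -G also shows the IdentityFile list, which is where an IdentitiesOnly yes line belongs if you carry several keys and don't want ssh to offer all of them.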

Page 22: SSH how to 2011

The End

That's it. You are now an ssh wizard and can work both conveniently and securely. Keep your keys safe, but if a private key is ever lost or you suspect it has been exposed, notify an admin quickly so the matching public key can be removed from authorized_keys everywhere it was installed.

To be really useful you will want to add your existing public key to staging, or create a new key pair for it. Because of permission issues, however, you may need a hand setting things up correctly.