When you're an admin on more than a few machines, being able to navigate quickly to a shell on any given server is critical. Having to type "ssh my.server.com" (followed by a password) is not only tedious, but it breaks one's concentration. Suddenly having to shift from "where's the problem?" to "getting there" and back to "what's all this, then?" has led more than one admin to premature senility. It promotes the digital equivalent of "why did I come into this room, anyway?" (In addition, the problem is only made worse by /usr/games/fortune!)

At any rate, more effort spent logging into a machine means less effort spent solving problems. Recent versions of ssh offer a secure alternative to endlessly entering a password: public key exchange.
To use public keys with an ssh server, you'll first need to generate a public/private key pair:

$ ssh-keygen -t rsa

You can also use -t dsa for DSA keys, or -t rsa1 if you're using Protocol v1. (And shame on you if you are! Upgrade to v2 as soon as you can!)
After you enter the above command, you should see something like this:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/rob/.ssh/id_rsa):
Just hit Enter there. It will then ask you for a passphrase; just hit Enter twice (but read the Security Concerns note below). Here's what the results should look like:
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/rob/.ssh/id_rsa.
Your public key has been saved in /home/rob/.ssh/id_rsa.pub.
The key fingerprint is:
a6:5c:c3:eb:18:94:0b:06:a1:a6:29:58:fa:80:0a:bc rob@localhost
This created two files, ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. To use this keypair on a server, try this:

$ ssh server "mkdir .ssh; chmod 0700 .ssh"
$ scp .ssh/id_rsa.pub server:.ssh/authorized_keys2

Of course, substitute your server name for server. It should ask for your password both times. Now, simply ssh server and it should log you in automagically without a password. And yes, it will use your shiny new public key for scp, too.
If that didn't work for you, check your file permissions on both ~/.ssh/* and server:~/.ssh/*. Your private key (id_rsa) should be 0600 (and only be present on your local machine), and everything else should be 0655 or better.
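The install step and the permission check above, put into one script. This is an added example, not code from the hack; the function names mode_of, check_ssh_dir and install_key are my own, and it assumes OpenSSH's ssh/ssh-keygen plus GNU or BSD stat. Unlike the scp step in the text, it appends to authorized_keys (which sshd reads by default alongside authorized_keys2) rather than overwriting it.

```shell
#!/bin/sh
# Added example, not from the hack itself: push a public key to a server
# the way the text describes, then audit a .ssh directory against its
# permission rules (directory 0700, private key 0600, nothing else
# group/world writable). Assumes OpenSSH's ssh/ssh-keygen and GNU/BSD stat.
set -u

# Octal mode of a path ("600"), trying GNU stat first, then BSD stat.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Audit one .ssh directory. Prints each offending path; returns 1 if any.
check_ssh_dir() {
    dir=$1; rc=0
    [ "$(mode_of "$dir")" = "700" ] ||
        { echo "$dir: mode $(mode_of "$dir"), want 700"; rc=1; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        m=$(mode_of "$f")
        case $f in
            *.pub|*/known_hosts|*/authorized_keys*|*/config)
                # public material: the group and other digits may not
                # carry the write bit (2), i.e. each must be 0, 1, 4 or 5
                case $m in
                    *[0-7][0145][0145]) ;;
                    *) echo "$f: mode $m is group/world writable"; rc=1 ;;
                esac ;;
            *)  # anything else in .ssh is treated as a private key
                [ "$m" = "600" ] || { echo "$f: mode $m, want 600"; rc=1; } ;;
        esac
    done
    return $rc
}

# Install the local public key on user@host (the hack's two-command step in
# one ssh session). umask 077 makes a fresh .ssh 0700 and a fresh
# authorized_keys 0600; appending keeps keys already on the server.
install_key() {
    user_host=$1; pubkey=${2:-$HOME/.ssh/id_rsa.pub}
    [ -f "$pubkey" ] || ssh-keygen -t rsa -f "${pubkey%.pub}"   # as the hack does
    ssh "$user_host" 'umask 077; mkdir -p .ssh && cat >> .ssh/authorized_keys' \
        < "$pubkey"
}
case ${1:-} in
    '')  ;;                    # no argument: only define the functions
    *@*) install_key "$1" ;;   # user@host: push the key, then ssh in keyless
    *)   check_ssh_dir "$1" ;; # otherwise a .ssh path to audit, e.g. ~/.ssh
esac
```

Run it as `sh sshkeys.sh one@server` to install the key, then `sh sshkeys.sh ~/.ssh` locally (and again on the server) to find the permission problem when the keyless login does not work.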
Terrific. So you can now ssh server quickly and with a minimum of fuss. Is it possible to make it even quicker to connect to machines you frequently touch? You bet, just check out "Turbo-mode ssh Logins" (#67).
Security Concerns

Some consider the use of public keys a potential security risk. After all, one only has to steal a copy of your private key to obtain access to your servers. While this is true, the same is certainly true of passwords.

Ask yourself, how many times a day do you enter a password to gain shell access to a machine (or scp a file)? How frequently is it the same password on many (or all) of those machines? Have you ever used that password in a way that might be questionable (on a web site, on a personal machine that isn't quite up to date, or possibly with an ssh client on a machine that you don't directly control)? If any of these possibilities sound familiar, then consider that an ssh key in the same setting would make it virtually impossible for an attacker to later gain unauthorized access (providing, of course, that you keep your private key safe).
root@er1smc1>ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (//.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in //.ssh/id_rsa.
Your public key has been saved in //.ssh/id_rsa.pub.
The key fingerprint is:
1a:c9:6f:a5:4e:72:80:05:d7:05:3c:bb:6a:20:0a:5b root@er1smc1
root@er1smc1>pwd
/.ssh
root@er1smc1>ls -lrt
total 8
-rw-r--r-- 1 root root 1331 Jan 20 11:51 known_hosts
-rw------- 1 root root 883 Jan 20 14:50 id_rsa
-rw-r--r-- 1 root root 222 Jan 20 14:50 id_rsa.pub
root@er1smc1>sftp one@192.168.2.92
Connecting to 192.168.2.92...
Password:
sftp> cd .ssh
sftp> ls
.
..
known_hosts
sftp> put id_rsa.pub
Uploading id_rsa.pub to /home/one/.ssh/id_rsa.pub
sftp> bye
root@er1smc1>ssh one@192.168.2.92
Password:
linux1$ cd .ssh/
linux1$ ls
id_rsa.pub known_hosts
linux1$ ls -lrt
total 8
-rw-r--r-- 1 one one 227 Feb 12 2009 known_hosts
-rw-r--r-- 1 one one 222 Jan 20 16:47 id_rsa.pub
linux1$ mv id_rsa.pub authorized_keys2
linux1$ bye
linux1$ exit
logout
Connection to 192.168.2.92 closed.
root@er1smc1>ssh one@192.168.2.92 !NO password!
linux1$ exit
logout