I'm heavily relying on some remote machines to get some jobs done, so SSH is a tool I use daily. The downside of sitting in front of a terminal opening and closing many SSH connections is that you have to type in your password over and over again.
I started looking at the SSH documentation hoping to find a way to ease this pain without trading off SSH's inherent security. I'm using version 2.0 of the SSH protocol, and the solution is to authenticate using a key.
The first step is creating an RSA private/public key pair with a tool that comes with SSH:
$ ssh-keygen -t rsa
ssh-keygen will then produce the following files in the ~/.ssh directory: id_rsa (the private key) and id_rsa.pub (the public key). The complete output of ssh-keygen is the following:
enrico@solaris:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/enrico/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/enrico/prova.
Your public key has been saved in /home/enrico/prova.pub.
The key fingerprint is:
23:63:25:1d:2a:0a:34:c8:47:d9:65:80:43:f6:c9:e8 enrico@solaris
Obviously, good advice would be to use a passphrase; note that in this case SSH will still ask for user input, but you'll be typing your passphrase instead of your password. In my case, I decided to use an empty passphrase and keep the key files safe.
Once you have your keys generated, you have to copy the public key to every server you want to log on to. The content of id_rsa.pub is a single line which must be appended to the .ssh/authorized_keys2 file. If this file does not exist, just create it by copying id_rsa.pub to .ssh/authorized_keys2. Even if you use a passphrase, care should be taken to protect the files in the .ssh directory: this directory and its contents should have permissions no more permissive than 0600.
Now that you have set up your environment, the sshd daemon on the server you log in to will use the public key you provided to authenticate you over the encrypted connection (protocol version 2.0), and the next time you log in to that server via SSH you won't be asked for your password any longer!
That's a really nice blog. I would like to add that even after doing all the mentioned steps, it may not work as expected. This is caused by incorrect permissions on the user's home directory on the destination server. The permissions should be 755.
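As an added example (not code from the post or its comment), the following shell functions do by hand what the post describes: append a public key line to a user's authorized keys file exactly once, set the .ssh permissions the post recommends, and check the home-directory mode the comment points out as a common cause of failure. They assume GNU coreutils for stat -c; the paths and the key line are constructed, and the optional file-name argument lets you use authorized_keys2 as the post does.

```sh
#!/bin/sh
# install_pubkey HOME_DIR PUBKEY_FILE [AUTH_FILE_NAME]
# Appends the public key line once (idempotent) and tightens .ssh permissions.
install_pubkey() {
    home="$1"; pubkey="$2"; name="${3:-authorized_keys}"
    sshdir="$home/.ssh"; auth="$sshdir/$name"
    [ -r "$pubkey" ] || { echo "cannot read $pubkey" >&2; return 1; }
    # Create dir/file under a restrictive umask so they are never briefly world-readable.
    (umask 077; mkdir -p "$sshdir" && touch "$auth") || return 1
    chmod 700 "$sshdir" && chmod 600 "$auth" || return 1
    # Compare on the key blob (field 2) so a changed comment is not treated as a new key.
    blob=$(awk '{print $2}' "$pubkey")
    if ! awk -v b="$blob" '$2 == b {found=1} END {exit !found}' "$auth"; then
        cat "$pubkey" >> "$auth"
    fi
}

# check_ssh_perms HOME_DIR [AUTH_FILE_NAME]
# Prints one line per problem sshd (with StrictModes) would reject; returns 0 if clean.
check_ssh_perms() {
    home="$1"; name="${2:-authorized_keys}"
    sshdir="$home/.ssh"; auth="$sshdir/$name"
    rc=0
    # Home directory: group and others must not have write access (755 or tighter).
    mode=$(stat -c '%a' "$home") || return 1
    case "$(printf '%s' "$mode" | tail -c 2)" in
        [0145][0145]) ;;
        *) echo "home $home is mode $mode, want 755 or tighter"; rc=1 ;;
    esac
    mode=$(stat -c '%a' "$sshdir") || return 1
    [ "$mode" = "700" ] || { echo "$sshdir is mode $mode, want 700"; rc=1; }
    mode=$(stat -c '%a' "$auth") || return 1
    [ "$mode" = "600" ] || { echo "$auth is mode $mode, want 600"; rc=1; }
    return $rc
}

# Usage (run on the destination server after copying id_rsa.pub over):
#   install_pubkey "$HOME" ./id_rsa.pub authorized_keys2 && check_ssh_perms "$HOME" authorized_keys2
```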