This is a continuation of the previous guide - SSH Secure Shell that explains the basics of SSH. Please read the guide if you haven't already, before continuing further.
What is an SSH key?
SSH keys serve as a means of identifying yourself to an SSH server using public-key cryptography and challenge-response authentication.
An SSH key pair consists of two separate keys:
- A public key - which you can share freely with any SSH server, and
- A private key - which should be known only to you, and kept secret.
Advantages of using SSH keys
The following are some of the advantages of using SSH keys over traditional password authentication.
- Your password is never sent over the network.
- Eliminates the risk posed by brute-force password attacks.
- More convenience - You can connect to a server, or multiple servers, without having to remember or enter your password for each system.
How to generate an SSH key
To generate an SSH key pair in Linux, you use the ssh-keygen tool. ssh-keygen generates, manages and converts authentication keys for ssh.
$ ssh-keygen -t <type>
The -t option specifies the type of key to create. The possible values are "rsa1" for protocol version 1, and "dsa", "ecdsa", or "rsa" for protocol version 2.
DSA - 1024 bit algorithm
RSA - 2048-4096 bit algorithm
ECDSA - stands for Elliptic Curve Digital Signature Algorithm that provides smaller key sizes and faster operations when compared to other algorithms.
For example, to create an SSH key that uses DSA, do the following:
$ ssh-keygen -t dsa
The program will ask you to (optionally) enter a passphrase. You can just press the ENTER key if you do not want to set one. If you do set a passphrase, your private key is encrypted using the string you entered.
Next, the tool will generate two files, id_dsa and id_dsa.pub, which are saved in the .ssh directory beneath your HOME directory (~/.ssh/):
id_dsa is the private key, and
id_dsa.pub is the public key.
There are lots of other options for the ssh-keygen tool. For the full list of options, see its man page.
If you have set a passphrase, it must be entered every time you attempt to connect to an SSH server using public-key authentication.
You can use an SSH Agent to remember your passphrase.
An SSH Agent is a program used to hold private keys used for public key authentication (RSA, DSA, ECDSA).
The ssh-agent tool is the default SSH Agent in OpenSSH.
Using an SSH Agent to remember the passphrase is a two-step process.
Step 1: Start ssh-agent running in the background.
The idea is that ssh-agent is started in the beginning of an X-session or a login session, and all other windows or programs are started as clients to the ssh-agent program.
For now, let's start ssh-agent explicitly from the command line.
Step 2: Add your private key to its cache.
This is done using another tool called ssh-add.
$ ssh-add ~/.ssh/id_dsa
Enter passphrase for /home/ravi/.ssh/id_dsa:
Identity added: /home/ravi/.ssh/id_dsa (/home/ravi/.ssh/id_dsa)
ssh-add prompts you to enter the passphrase for your private key. Once you enter the correct passphrase, it adds the key to the cache of the SSH Agent running in the background.
From now on, you won't have to enter the passphrase for your private SSH key when you log in to a remote computer.
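The two steps above carried through as an added example, not code from the original guide: it starts ssh-agent for the current shell, loads a key with ssh-add, and kills the agent again when the shell exits. It assumes OpenSSH's ssh-agent and ssh-add are installed; the function names are hypothetical and the ssh-agent output quoted in the comments is constructed.

```shell
#!/bin/sh
# Added example, not code from the original guide. Wraps the two steps
# (start ssh-agent, then ssh-add a key) in shell functions.
# Assumptions: OpenSSH's ssh-agent and ssh-add are on PATH; the helper
# names below are hypothetical and chosen for this example.

# "ssh-agent -s" does not put anything into your shell by itself; it
# PRINTS shell assignments (constructed sample):
#   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.123; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=124; export SSH_AGENT_PID;
#   echo Agent pid 124;
# Only after that text is eval'ed does ssh/ssh-add know where the agent's
# socket is. This helper evaluates just the two assignment lines.
agent_env_from_output() {
    # $1: the text printed by "ssh-agent -s"
    eval "$(printf '%s\n' "$1" | grep -E '^SSH_(AUTH_SOCK|AGENT_PID)=')"
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -n "${SSH_AGENT_PID:-}" ]
}

# True when this shell can already talk to an agent.
# ssh-add -l exits 0 (keys loaded), 1 (agent but no keys), 2 (no agent).
agent_reachable() {
    ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ]
}

# Step 1: start an agent for this shell unless one is already reachable,
# and arrange for it to be killed when the shell exits so decrypted keys
# do not outlive the login session.
start_agent() {
    agent_reachable && return 0
    agent_env_from_output "$(ssh-agent -s)" || return 1
    trap 'ssh-agent -k >/dev/null 2>&1' EXIT
}

# Step 2: load a private key. ssh-add asks for the passphrase once; the
# decrypted key is then held only in the agent's memory. The lifetime
# (-t, seconds) makes the agent forget the key again after that time.
add_key() {
    # $1: private key path, $2: lifetime in seconds (default: 8 hours)
    ssh-add -t "${2:-28800}" "$1"
}

# Demo only when run as: sh agent-demo.sh --demo ~/.ssh/id_dsa
if [ "${1:-}" = "--demo" ]; then
    start_agent || { echo "could not start ssh-agent" >&2; exit 1; }
    add_key "${2:-$HOME/.ssh/id_dsa}"
    ssh-add -l    # list the fingerprints the agent now holds
fi
```

Sourcing this from ~/.profile (or the desktop session's startup script) is what the guide means by making every later program a client of the same agent; run from a subshell instead, the exported variables would be lost when it exits.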
An SSH Key Example
How to use SSH without a password
Each time you use ssh or any related tool such as scp, you are prompted for the password of the remote machine.
If you use SSH often enough, typing the password can be tedious. However, if you are using SSH keys, you can do away with entering or remembering the passwords.
Here is one way of doing it.
Step 1: Create a private-public SSH key pair
$ ssh-keygen -t dsa
and the following is the output of the command on my machine:
Generating public/private dsa key pair.
Enter file in which to save the key (/home/ravi/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/ravi/.ssh/id_dsa.
Your public key has been saved in /home/ravi/.ssh/id_dsa.pub.
The key fingerprint is:
2c:fc:84:60:87:2b:98:ab:f1:c0:ee:9c:55:b6:b2:b7 ravi@ubuntu-desktop
The key's randomart image is:
+--[ DSA 1024]----+
|                 |
|        .        |
|       + .       |
|      o . = o    |
|     o . .++ S   |
|    .. .o .+     |
|    +. + . .     |
|    ++o o.       |
|    o=...E.      |
+-----------------+
What it does
ssh-keygen will prompt you to enter a passphrase, which should be left blank.
Next, it will generate two files named id_dsa and id_dsa.pub.
The files will be saved (by default) in the .ssh directory in your home folder.
$ ls ~/.ssh
id_dsa  id_dsa.pub  known_hosts
Step 2: Copy the SSH public key to the remote machine
Copy the 'id_dsa.pub' file to the .ssh/ directory in your remote machine.
Remote machine hostname - xyz.com
Remote machine username - ravi
$ scp ~/.ssh/id_dsa.pub ravi@xyz.com:~/.ssh/.
Step 3: Authorize the SSH server to use the public keys
SSH to your remote machine and append the contents of the 'id_dsa.pub' file to the 'authorized_keys' file in the same folder.
If there is no such file on your remote machine, the command below creates it.
$ ssh ravi@xyz.com
...
ravi@xyz.com [~]$ cd .ssh
ravi@xyz.com [~/.ssh]$ cat id_dsa.pub >> authorized_keys
From here on, you won't need any passwords to login to the remote machine xyz.com from your local machine.
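The three steps of this section carried through as an added example, not code from the original guide. It generates the pair with ed25519 rather than DSA: OpenSSH has disabled ssh-dss keys by default since version 7.0, so a key created with -t dsa as above is refused by a current server unless that algorithm is explicitly re-enabled. It also makes explicit two conditions the steps above leave implicit and that a failed password-less login usually comes down to: the remote ~/.ssh must be mode 700 and authorized_keys mode 600 (with sshd's default StrictModes, looser permissions make the file be ignored), and the key line must be appended only once. Function names and the sample public key are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original guide. Carries the three steps
# (generate pair, copy public key, authorize it) through as shell functions
# and adds the permission and duplicate checks a working setup needs.
# Assumptions: OpenSSH on both ends; key type ed25519; function names and
# the sample key below are constructed for this example.

# CONSTRUCTED sample public-key line, not a real key; lets the demo run
# without ssh-keygen being installed.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICONSTRUCTEDSAMPLEKEYxxxxxxxxxxxxxxxxxxxxxxxx ravi@ubuntu-desktop'

# Step 1: create a key pair. -N "" gives the empty passphrase the guide
# uses; pass a real passphrase to get an encrypted private key instead.
generate_key() {
    # $1: private key path, $2: passphrase, $3: comment written into the .pub file
    ssh-keygen -t ed25519 -f "$1" -N "${2:-}" -C "${3:-$USER@$(hostname)}"
}

# Steps 2 and 3 in one place: put a public key into authorized_keys under
# the given home directory, creating ~/.ssh with the permissions sshd
# requires, and appending only if that exact line is not already present
# (the guide's "cat >> authorized_keys" duplicates the entry when repeated).
install_pubkey() {
    # $1: file holding one public-key line, $2: target home directory
    local pub="$1" home="$2" dir keyline
    dir="$home/.ssh"
    keyline=$(head -n 1 "$pub")
    [ -n "$keyline" ] || return 1
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys"
    if ! grep -qxF -- "$keyline" "$dir/authorized_keys"; then
        printf '%s\n' "$keyline" >> "$dir/authorized_keys"
    fi
}

# Number of non-empty lines in authorized_keys (one per authorized key);
# 0 when the file does not exist.
count_authorized_keys() {
    # $1: home directory
    if [ -f "$1/.ssh/authorized_keys" ]; then
        grep -c . "$1/.ssh/authorized_keys" || true
    else
        echo 0
    fi
}

# Local demo against a temporary directory, run as: sh keys-demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PUBKEY" > "$tmp/id_sample.pub"
    install_pubkey "$tmp/id_sample.pub" "$tmp"
    install_pubkey "$tmp/id_sample.pub" "$tmp"   # second call changes nothing
    echo "authorized keys: $(count_authorized_keys "$tmp")"   # authorized keys: 1
    ls -ld "$tmp/.ssh" "$tmp/.ssh/authorized_keys"
    rm -rf "$tmp"
fi
```

On the remote side install_pubkey is run with the login user's home as the second argument; OpenSSH's own ssh-copy-id (ssh-copy-id -i ~/.ssh/id_ed25519.pub ravi@xyz.com) performs the same copy, append and permission fix-up over a single password-authenticated connection.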
References for further reading
SSH Keys @ wiki.archlinux.org
OpenSSH key management @ IBM Developerworks - Part 1, Part 2, and Part 3.