tjl2.com

A place to store useful stuff


[GENERAL] How to set up SSH keys

SSH is a very powerful and useful tool, especially once configured to use keys for authorisation. If you are responsible for administering more than a few servers over SSH, you can make your life a lot easier by setting up key authorisation. Most servers are now configured by default to allow key authorisation in their SSH configuration, so usually all that is required to get up and running is to generate your key pair and copy your public key into place on every server that you need to access. The steps below should get you going with SSH keys on Red Hat servers and their derivatives (note: these steps assume your local machine is Linux-based too):

  • On your local machine, generate an SSH DSA key pair:

    ssh-keygen -t dsa

    You will be prompted for a passphrase. You should make this as strong as possible - stringing together several alpha-numeric passwords that you know would be good for this. After you have completed this step, you will have a public key (filename id_dsa.pub) and a private key (filename id_dsa) generated in your ~/.ssh/ directory. You could generate an RSA key in this step, but DSA keys are the stronger encryption method associated with SSH2. You need to keep your private key private, and leave it in your .ssh directory on your local machine. The public key is the one that will be copied to other servers.
  • You should now check the permissions on your local ~/.ssh directory. SSH will not allow you to use your private key if the permissions are not strict enough. The required permissions for the .ssh directory are 700:

    chmod 700 ~/.ssh

    The required permissions for the id_dsa private key file should be 600:

    chmod 600 ~/.ssh/id_dsa

  • Now you need to test your key pair by uploading your public key to a remote machine and appending it to the list of authorised keys for a user you wish to log in as. For our example below, assume the local machine is called local.tjl2.com, the remote machine is called remote.tjl2.com and we have a user called admin on both machines. Get your public key in place with the following steps:
    • First, copy the public key across:

      [admin@local ~]$ scp ~/.ssh/id_dsa.pub admin@remote.tjl2.com:~admin

      Enter admin's password when prompted.
    • Now, ssh to the remote machine as admin and append the public key to the authorised keys file:

      [admin@local ~]$ ssh admin@remote.tjl2.com

      admin@remote.tjl2.com's password: <enter your password>

      [admin@remote ~]$ cat id_dsa.pub >> ~/.ssh/authorized_keys

      You may find that there is no .ssh in the remote user's home directory, and the above command throws an error. If so, just run the following command (the directory is created and then given the strict 700 permissions that SSH expects):

      mkdir ~/.ssh && chmod 700 ~/.ssh

      You can then reissue the above cat command.
  • If you now log out of the remote machine and attempt another login, you will find that you are prompted for your new passphrase, rather than admin's password. Now we need to turn on the SSH key agent to enable password-less and passphrase-less logins.
  • Back on the local machine, we need to run two more commands: first start the key agent (the eval is needed so that the environment variables ssh-agent prints are set in your current shell), then add your private key to it:

    [admin@local ~]$ eval $(ssh-agent)

    [admin@local ~]$ ssh-add

    Enter admin@localhost.tjl2.com's passphrase: <enter your passphrase>

    You should now have the ssh key agent running. Try logging in to the remote machine again. You should find that you are allowed straight in, without requiring a password.
  • If you find that you are still prompted for a passphrase at this stage, you will need to tell SSH to use key forwarding (agent forwarding). To do this, just use the -A option with your SSH command:

    [admin@local ~]$ ssh -A admin@remote.tjl2.com

    If that does solve the problem, then you might want to add an alias to your .bashrc file so that the -A option is used every time you issue an ssh command. Add the following line to ~/.bashrc:

    # ssh alias - force key forwarding
    alias ssh='ssh -A'

Repeat the copying and catting to ~<username>/.ssh/authorized_keys for each valid user on each relevant server that you administer.
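The per-server steps above (create ~/.ssh with mode 700, append the public key to authorized_keys, keep the key files at 600) wrapped into small POSIX sh functions, as an added example that is not part of the original post. The function names, the temporary paths and the sample key line are assumptions of this example; install_pubkey is meant to be run on the remote host against that user's home directory, and it is safe to rerun because it appends a key only if it is not already present.

```shell
#!/bin/sh
# Added example (not from the original post): the steps from the post as
# reusable, repeatable functions. Function names are this example's own.

# has_mode PATH MODE: succeed if PATH exists with exactly the octal MODE.
# -prune stops find descending into a directory, so only PATH itself is tested.
has_mode() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# check_local_key_perms SSHDIR KEYFILE: the local-side check from the post.
# ~/.ssh must be 700 and the private key 600, or ssh refuses to use the key.
check_local_key_perms() {
    has_mode "$1" 700 && has_mode "$2" 600
}

# install_pubkey HOMEDIR PUBKEYFILE: the remote-side step, made idempotent.
# Creates HOMEDIR/.ssh (700) if missing, keeps authorized_keys at 600, and
# appends the key only if the same key type + key blob is not already listed.
# Assumes plain "type blob comment" lines, i.e. no authorized_keys options.
install_pubkey() {
    home="$1"; pub="$2"
    sshdir="$home/.ssh"; auth="$sshdir/authorized_keys"
    [ -d "$sshdir" ] || mkdir "$sshdir" || return 1
    chmod 700 "$sshdir" || return 1
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth" || return 1
    # compare only the key type and base64 blob, ignoring the trailing comment
    keyid=$(awk '{print $1, $2}' "$pub")
    if ! awk '{print $1, $2}' "$auth" | grep -qxF "$keyid"; then
        cat "$pub" >> "$auth"
    fi
}

# count_keys AUTHFILE: number of non-empty lines (keys) in authorized_keys.
# grep -c prints 0 and exits 1 on an empty file, so the status is masked.
count_keys() {
    grep -c . "$1" || :
}
```

To apply it on a server from the local machine, the script can be piped through ssh, for example `ssh admin@remote.tjl2.com 'sh -s' < install_key.sh` with a final line calling `install_pubkey "$HOME" /path/to/id_dsa.pub` (file name assumed).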

Now that you have keys set up on your local system and all the servers that you administer, you just need to remember to issue the ssh-add and ssh-agent commands when you log in to your local machine. It is the first thing I do each day when I log in to my computer.
