How to use ssh authentication keys

If you have an account on a remote computer that you use very often, it is convenient if you do not have to type your password every time you log on to another host. You can achieve this by using ssh’s authorization keys.

First, you need to generate a key-pair. A key-pair consists of two small files. One file contains your secret key, the other your public key. Your secret key is, as the name implies, secret. You want to make sure no one gets hold of it. The public key is not secret at all; you can post it on your web-page if you wish. To generate the key-pair, use the ssh-keygen program:

[somebody@monster ~]$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/u/somebody/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /u/somebody/.ssh/id_rsa.
Your public key has been saved in /u/somebody/.ssh/id_rsa.pub.
The key fingerprint is:
5a:0c:9d:c8:2b:aa:4d:1c:db:3e:ca:e2:1e:43:27:3c somebody@monster.bioxray.dk

Notice that I did not enter a passphrase. The passphrase is an optional password that protects your secret key; if you set one, you have to type it every time your secret key is used. Without a passphrase, your security is compromised only if someone gets hold of your secret key file, so you must protect that file using mode 600. The two files have now been created in $HOME/.ssh:

[somebody@monster ~]$ ls .ssh
authorized_keys id_rsa id_rsa.pub known_hosts

To log in on a remote machine without a password, you need to append your public key to the .ssh/authorized_keys file on the remote machine. If you specified a passphrase for your key-pair, you have to type that passphrase when you log on, but not the password on the remote machine.

On bioxray, all users have NFS mounted home directories, so we can just do this:

cat .ssh/id_rsa.pub >> .ssh/authorized_keys

and we can use slogin and ssh between all hosts without specifying a password.

You can also use the ssh authentication key scheme to give access to your account to a friend. Your friend must also generate a key-pair, and must send you the public part of it. You append that public key to your authorized_keys file. Your friend can then log on to your account, as long as the public key is in the file.
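
The append step described above, for your own key or a friend's, as an added example that is not part of the original page. The function names authorize_key and private_key_ok are hypothetical, and the set of accepted key types is this example's assumption:

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the page.

# authorize_key PUBKEY_FILE [SSH_DIR]
# Append one public key to authorized_keys, keeping existing entries,
# skipping duplicates, and setting restrictive modes (700 dir, 600 file).
authorize_key() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Never publish the secret half by mistake.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub is a private key" >&2
        return 1
    fi
    # Expect exactly one "type base64 [comment]" line (the types accepted
    # here are this example's choice).
    if [ "$(grep -c '' "$pub")" -ne 1 ] ||
       ! grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/]+=*( .*)?$' "$pub"
    then
        echo "refusing: $pub is not a single public key line" >&2
        return 1
    fi
    key=$(cat "$pub")

    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # If the file does not end in a newline, add one so entries never merge.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    # -x whole line, -F fixed string: add the key only once.
    if ! grep -qxF -e "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}

# private_key_ok FILE: succeeds only if group and others have no access,
# i.e. the mode is 600 or stricter.
private_key_ok() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}
```

Source the file, then run authorize_key friend.pub to add a key, and private_key_ok ~/.ssh/id_rsa to confirm the secret key is not readable by group or others.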

Edit 20170123

  • Changed key type from rsa to dsa 4096 bits. For further information look here.
  • Add note about passwordless secret key.