Secure Shell (SSH) provides a secure channel to a remote server for command execution, file copy, tunnelling, etc., and is essential for administering those remote servers. SSH uses public key cryptography to encrypt communication via a public and private key. The private key must be kept secret by the sender and is used to encrypt data. The public key is exchanged with the data’s recipient and is used to decrypt the data. The private key is practically impossible to derive from the public key. Here’s some basics for OpenSSH v2 and above.
Generate the Public & Private Keys
This this the first thing to do. There are two flavours available, RSA & DSA, with much debate about which is best. For my money we’ll go with the default of RSA as it allows a larger key size than DSA which must be 1024 bits exactly.
On unix-like client & server:
ssh-keygen -t rsa
If you go with the defaults this will result in your public & private keys created in:
On Windows with PuTTYgen, run, generate some randomness and save public & private keys somewhere, e,g,
SSH without password
A SSH server will allow a secure connection without password if it has a copy of the client’s public key which it can use for authentication. The public keys are stored in a file called authorized_keys.
On unix-like server, make authorized_keys if it does not exist:
Make the file writeable by owner only. This is important as the SSH daemon will refuse to accept the authentication attempt if the permissions are incorrect:
chmod 600 ~/.ssh/authorized_keys
Now copy public key from client to server:
On unix-like client:
scp ~/.ssh/id_rsa.pub user@serverbox:~/myclientkey
On Windows, use PuTTY or WinSCP.
Next append the public key to the server’s authorized_keys:
ssh user@serverbox "cat ~/myclientkey >> ~/.ssh/authorized_keys"
All going well, the server will allow SSH without password.
user@client:~$ ssh user@serverbox
Last login: Tue Feb 19 17:56:52 2013 from 10.0.8.13 user@serverbox:~$
Job’s a good ‘un.
Now, you can do that if you want but some bright spark has created a script to do all this stuff for you:
This isn’t available out of the box on OSX so can be installed with MacPorts or Homebrew.
Here’s the man page:
NAME ssh-copy-id - install your public key in a remote machine's authorized_keys SYNOPSIS ssh-copy-id [-i [identity_file]] [user@]machine DESCRIPTION ssh-copy-id is a script that uses ssh to log into a remote machine and append the indicated identity file to that machine's ~/.ssh/authorized_keys file. If the -i option is given then the identity file (defaults to ~/.ssh/id_rsa.pub) is used, regardless of whether there are any keys in your ssh-agent. Otherwise, if this: ssh-add -L provides any output, it uses that in preference to the identity file. If the -i option is used, or the ssh-add produced no output, then it uses the contents of the identity file. Once it has one or more fingerprints (by whatever means) it uses ssh to append them to ~/.ssh/authorized_keys on the remote machine (creating the file, and directory, if necessary.) NOTES This program does not modify the permissions of any pre-existing files or directories. Therefore, if the remote sshd has StrictModes set in its configuration, then the user's home, ~/.ssh folder, and ~/.ssh/authorized_keys file may need to have group writability disabled manually, e.g. via chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys on the remote machine. SEE ALSO ssh(1), ssh-agent(1), sshd(8)
Also look at ssh-agent for caching your key’s passphrase in a nice convenient and not over-the-wire kind of a way.