Secure Shell (SSH) provides a secure channel to a remote server for command execution, file copy, tunnelling, etc., and is essential for administering those remote servers. SSH uses public key cryptography to authenticate you via a key pair. The private key stays on the client and is never sent anywhere; the client uses it to sign a challenge from the server. The public key is handed to the server, which uses it to verify that signature. The session traffic itself is encrypted with symmetric keys negotiated during connection setup, not with your key pair. The private key is practically impossible to derive from the public key. Here are some basics for OpenSSH speaking SSH protocol version 2.
Generate the Public & Private Keys
This is the first thing to do. There are two flavours available, RSA & DSA, with much debate about which is best. For my money we'll go with the default of RSA as it allows a larger key size than DSA, which ssh-keygen insists must be exactly 1024 bits. (Newer OpenSSH releases also offer Ed25519 keys via -t ed25519 and have DSA disabled by default.)
On a unix-like client (generate the pair where the private key will live, i.e. the machine you connect from):
ssh-keygen -t rsa
If you go with the defaults (accept the file name and, ideally, set a passphrase when prompted; add -b 4096 if you want a longer key) this will result in your public & private keys being created in:
~/.ssh/id_rsa.pub
~/.ssh/id_rsa
On Windows with PuTTYgen, run it, generate some randomness by moving the mouse, and save the public & private keys somewhere, e.g.
%USERPROFILE%\.ssh\id_rsa.pub
%USERPROFILE%\.ssh\id_rsa
Note that PuTTYgen's "Save private key" writes PuTTY's own .ppk format, and "Save public key" writes a multi-line format that OpenSSH won't accept in authorized_keys; the one-line OpenSSH form is the text in the "Public key for pasting into OpenSSH authorized_keys file" box, so copy that into your .pub file.
SSH without password
An SSH server will allow a secure connection without a password if it has a copy of the client's public key, which it uses to verify the signature the client makes with its private key. The public keys are stored, one per line, in a file called authorized_keys.
On the unix-like server, make sure ~/.ssh exists (mode 700) and make authorized_keys if it does not exist:
touch ~/.ssh/authorized_keys
Make the file writeable by owner only. This is important: with StrictModes (the default) the SSH daemon will refuse public key authentication if authorized_keys, ~/.ssh or your home directory are writable by group or others:
chmod 600 ~/.ssh/authorized_keys
Now copy the public key from client to server (this first copy will prompt for your password):
On a unix-like client:
scp ~/.ssh/id_rsa.pub user@serverbox:~/myclientkey
On Windows, use PuTTY or WinSCP.
Next append the public key to the server's authorized_keys (you can delete ~/myclientkey on the server afterwards):
ssh user@serverbox "cat ~/myclientkey >> ~/.ssh/authorized_keys"
All going well, the server will allow SSH without a password (if you set a passphrase on the key you'll be asked for that instead, which is the point).
user@client:~$ ssh user@serverbox
Last login: Tue Feb 19 17:56:52 2013 from 10.0.8.13
user@serverbox:~$
Job’s a good ‘un.
Now, you can do that if you want but some bright spark has created a script to do all this stuff for you:
ssh-copy-id user@serverbox
This isn't available out of the box on OS X, but it can be installed with MacPorts or Homebrew.
Here’s the man page:
NAME
ssh-copy-id - install your public key in a remote machine's authorized_keys

SYNOPSIS
ssh-copy-id [-i [identity_file]] [user@]machine

DESCRIPTION
ssh-copy-id is a script that uses ssh to log into a remote machine and append the indicated identity file to that machine's ~/.ssh/authorized_keys file.

If the -i option is given then the identity file (defaults to ~/.ssh/id_rsa.pub) is used, regardless of whether there are any keys in your ssh-agent. Otherwise, if this:

ssh-add -L

provides any output, it uses that in preference to the identity file.

If the -i option is used, or the ssh-add produced no output, then it uses the contents of the identity file. Once it has one or more fingerprints (by whatever means) it uses ssh to append them to ~/.ssh/authorized_keys on the remote machine (creating the file, and directory, if necessary.)

NOTES
This program does not modify the permissions of any pre-existing files or directories. Therefore, if the remote sshd has StrictModes set in its configuration, then the user's home, ~/.ssh folder, and ~/.ssh/authorized_keys file may need to have group writability disabled manually, e.g. via

chmod go-w ~ ~/.ssh ~/.ssh/authorized_keys

on the remote machine.

SEE ALSO
ssh(1), ssh-agent(1), sshd(8)
Even easier!
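Here is a small shell version of what the manual touch/chmod/scp/cat steps above and ssh-copy-id both boil down to, with the two things that bite people in practice handled: it won't append the same key twice, and it leaves (and can check) the permissions that the StrictModes note in the man page talks about. This is an added example, not code from the original post or from ssh-copy-id; the function names, the check based on parsing ls -ld, and the sample key lines in the usage note are my own.

```shell
#!/bin/sh
# Added example: install an OpenSSH public key line into authorized_keys the
# way the manual steps / ssh-copy-id do, idempotently, with StrictModes-safe
# permissions, plus a check that mirrors what sshd rejects.
# Function names are this example's own; assumes the key line is a plain
# "<type> <base64> [comment]" line as written by ssh-keygen (no options prefix).
set -eu

# install_pubkey "<type> <base64-blob> [comment]" SSH_DIR
# Creates SSH_DIR (700) and SSH_DIR/authorized_keys (600) if needed and appends
# the key unless its base64 blob is already in the file. Matching on the blob
# rather than the whole line means the same key with a different comment, or
# one already given a from="..." / command="..." prefix, counts as a duplicate.
# Returns 1 (and appends nothing) if the line does not look like a key.
install_pubkey() {
    pubkey=$1
    ssh_dir=$2
    auth="$ssh_dir/authorized_keys"
    keytype=$(printf '%s\n' "$pubkey" | awk '{print $1}')
    keyblob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    case "$keytype" in
        ssh-*|ecdsa-*|sk-*) ;;
        *) echo "install_pubkey: not an OpenSSH public key line" >&2; return 1 ;;
    esac
    if [ -z "$keyblob" ]; then
        echo "install_pubkey: missing key material" >&2
        return 1
    fi
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"
    # -F: fixed string, not a regex; -q: exit status only.
    if ! grep -qF -- "$keyblob" "$auth"; then
        printf '%s\n' "$pubkey" >> "$auth"
    fi
}

# writable_by_others PATH -> exit 0 if group or world has the write bit.
# Parsed from the ls -ld mode string so it behaves the same on GNU and BSD
# userland (stat's flags differ between the two).
writable_by_others() {
    mode=$(ls -ld "$1" | cut -c1-10)   # e.g. drwx------ or -rw-rw-r--
    case "$mode" in
        ?????w*)    return 0 ;;        # group write bit is column 6
        ????????w*) return 0 ;;        # world write bit is column 9
    esac
    return 1
}

# check_strictmodes SSH_DIR [HOME_DIR] -> exit 0 if SSH_DIR, its
# authorized_keys and (optionally) the home directory would all pass sshd's
# StrictModes check, i.e. none is group- or world-writable.
check_strictmodes() {
    ssh_dir=$1
    for p in "$ssh_dir" "$ssh_dir/authorized_keys" ${2:+"$2"}; do
        if [ ! -e "$p" ]; then
            echo "check_strictmodes: $p does not exist" >&2
            return 1
        fi
        if writable_by_others "$p"; then
            echo "check_strictmodes: $p is group- or world-writable" >&2
            return 1
        fi
    done
    return 0
}

# count_keys SSH_DIR -> number of non-blank, non-comment lines in authorized_keys.
count_keys() {
    grep -v '^[[:space:]]*#' "$1/authorized_keys" | grep -c '[^[:space:]]' || true
}
```

Usage: source the file on the server and run install_pubkey "$(cat ~/myclientkey)" ~/.ssh, then check_strictmodes ~/.ssh ~ to confirm sshd will actually accept the result. Running the install a second time with the same key (even with a different comment) is a no-op, which is what you want when a script re-provisions a box.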
Also look at ssh-agent for caching your key's passphrase in a nice convenient and not over-the-wire kind of a way: the agent holds the decrypted private key in memory on the client and answers ssh's signing requests, so you type the passphrase once per session and neither it nor the private key ever leaves your machine.