SSH Public key based authentication - Howto
This howto covers generating and using ssh keys for automated:
a) Login
b) Backups
c) Running commands from a shell, etc.
Task: Generating ssh keys
1) Log on to your workstation (for example, log on to the workstation called admin.fbsd.nixcraft.org as the user vivek). Please refer to the following sample setup. You must be logged in on your local system AS THE USER for whom you wish to make passwordless ssh connections.
2) Create the Cryptographic Key on FreeBSD workstation, enter:
$ ssh-keygen -t rsa
Assign a pass-phrase (press the [enter] key twice if you don't want one). It creates two files in the ~/.ssh directory, as follows:
- ~/.ssh/id_rsa : identification (private) key
- ~/.ssh/id_rsa.pub : public key
3) Use scp to copy id_rsa.pub (the public key) to the rh9linux.nixcraft.org server as the authorized_keys2 file; this is known as installing the public key on the server.
$ scp .ssh/id_rsa.pub vivek@rh9linux.nixcraft.org:.ssh/authorized_keys2
4) From the FreeBSD workstation, log in to the server:
$ ssh rh9linux.nixcraft.org
5) Changing the pass-phrase on the workstation (if needed):
$ ssh-keygen -p
6) Use ssh-agent to avoid repeatedly typing the pass-phrase
At the FreeBSD workstation, type:
$ ssh-agent $BASH
$ ssh-add
Type your pass-phrase.
From here on, whenever you connect to the server it won't ask for a password.
The above two commands can be added to ~/.bash_profile so that the agent is set up as soon as you log in to the workstation.
7) Deleting the keys held by ssh-agent
a) To delete all keys
$ ssh-add -D
b) To delete a specific key
$ ssh-add -d key
c) To list keys
$ ssh-add -l
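Two things go wrong in practice with step 3: the scp replaces any authorized_keys2 that already exists on the server (so a second key, or a second user's key, wipes the first), and a key file or .ssh directory with loose modes is refused by sshd under StrictModes, which the client only sees as a fall back to the password prompt. The script below is an added example, not part of the original howto: it installs a public key by appending it once to an authorized_keys file, sets the modes sshd expects, and checks a .ssh directory for the mode problems that cause that fall back. Paths are passed explicitly so it can be run in a scratch directory; the key line in the demo is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not part of the original howto.
# Installs an OpenSSH public key into an authorized_keys file by appending
# rather than overwriting (the howto's scp in step 3 replaces the file),
# sets the modes sshd's StrictModes requires, and checks a .ssh directory
# for the mode problems that make sshd fall back to password authentication.
# Assumes plain "type key comment" lines (no option prefix such as command="...").

# mode_of FILE -> prints the 10-character symbolic mode, e.g. -rw-------
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# is_gw_writable FILE -> exit 0 if the group or world write bit is set
is_gw_writable() {
    case "$(mode_of "$1")" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# count_key AUTHORIZED_KEYS PUBKEY_FILE -> prints how often the key's
# base64 material (field 2) occurs in the file; always exits 0
count_key() {
    keydata=$(cut -d' ' -f2 "$2")
    cut -d' ' -f2 "$1" | grep -cxF "$keydata" || true
}

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS -> exit 0 on success
install_pubkey() {
    pub="$1"
    auth="$2"
    dir=$(dirname "$auth")

    # Refuse anything that does not look like an OpenSSH public key line.
    case "$(cut -d' ' -f1 "$pub")" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pub" >&2; return 1 ;;
    esac

    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$auth"
    chmod 600 "$auth"

    # Append only if the key material is absent, so re-running is harmless
    # and a changed comment field does not create a duplicate entry.
    if [ "$(count_key "$auth" "$pub")" = 0 ]; then
        cat "$pub" >> "$auth"
    fi
}

# check_perms SSH_DIR -> exit 0 if the modes are acceptable, 1 otherwise,
# printing each problem. sshd (StrictModes yes) refuses an authorized_keys
# file or .ssh directory that is group- or world-writable; the ssh client
# refuses a private key that others can read.
check_perms() {
    dir="$1"
    rc=0
    for f in "$dir" "$dir"/authorized_keys "$dir"/authorized_keys2; do
        [ -e "$f" ] || continue
        if is_gw_writable "$f"; then
            echo "$f is group- or world-writable: $(mode_of "$f")" >&2
            rc=1
        fi
    done
    for f in "$dir"/identity "$dir"/id_rsa "$dir"/id_dsa "$dir"/id_ed25519; do
        [ -e "$f" ] || continue
        case "$(mode_of "$f")" in
            -rw-------|-r--------) ;;
            *) echo "$f must be mode 600: $(mode_of "$f")" >&2; rc=1 ;;
        esac
    done
    return "$rc"
}

# demo: exercise the helpers in a scratch directory with a constructed key
demo() {
    t=$(mktemp -d)
    # Constructed sample line: the base64 material is a placeholder, not a real key.
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCEXAMPLEKEYDATA vivek@admin.fbsd.nixcraft.org\n' > "$t/id_rsa.pub"
    install_pubkey "$t/id_rsa.pub" "$t/.ssh/authorized_keys2"
    install_pubkey "$t/id_rsa.pub" "$t/.ssh/authorized_keys2"
    echo "entries for the key: $(count_key "$t/.ssh/authorized_keys2" "$t/id_rsa.pub")"
    check_perms "$t/.ssh" && echo "modes OK"
    rm -rf "$t"
}

case "${1:-}" in demo) demo ;; esac
```

Run it on the server side against the account's own ~/.ssh (after copying id_rsa.pub over by any means), or try it in a scratch directory with `sh install_key.sh demo`. The duplicate check compares the base64 key material rather than the whole line, so repeating the install for the same key never produces a second entry; `check_perms` is the first thing to run when a key that was installed still results in a password prompt.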
Hi Vivek Sir,
This is Ashish here. Yes… I caught you..
It is very nice to see you once again. Where are you right now?? In India?? Wanted to meet you..
Now we are expecting some good technical documents from you as usual. Just now finished LLST written by you.
If possible please mail me at ashish_r_pathak@yahoo.com
Thanks and Regards,
/Ashish Pathak.
Pune, India.
Hi Vivek,
I am Kevin here from Mumbai. Thanks for this article on SSH. Also I liked your Shell programming tutorial. If possible, can you give me some examples of local and remote port forwarding techniques with SSH?
Best regards,
Kevin
Hi Vivek
this is Amit Shiknis here from Pune. Where are you now? How are you? I just went through the SSH docs; it's a really nice article.
Hope you will be fine. if possible mail me on amitshiknis@vsnl.net
regards
Amit
Kevin,
See url
for Local and remote port forwarding techniques on SSH:
Hello,
I installed openSSH client on windows.
Created a public key using the command
ssh-keygen -t rsa
Copied the key to the unix box using the command
scp .ssh/id_rsa.pub user@hostname:.ssh/authorized_keys
changed the permissions on authorized_keys
chmod 600
The USERNAME on the windows and unix box are the same.
When I try to run the remote script using ssh
ssh user@hostname scriptname
It prompts me for the PASSWORD. I am not sure what I am doing wrong here. Any help on this is much appreciated.
Thanks
GV
I am including the client side trace when I used ssh below.
C:\Documents and Settings\gvarada\.ssh>ssh -v stlap08d whoami
OpenSSH_3.8.1p1, OpenSSL 0.9.7d 17 Mar 2004
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to stlap08d [172.19.1.24] port 22.
debug1: Connection established.
debug1: identity file /home/gvarada/.ssh/identity type -1
debug1: identity file /home/gvarada/.ssh/id_rsa type 1
debug1: identity file /home/gvarada/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.1
debug1: match: OpenSSH_4.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8.1p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024
Your method of not giving a pass phrase is convenient but not really secure (IMHO). Much better to create a key with a pass phrase, and use ssh-add to enter the pass phrase ONCE PER SESSION. That is, before you ssh to the remote machine, run ssh-add which will prompt you for the passphrase. For the rest of the session, ssh-add will authenticate for future ssh connections, which are in effect ‘password-less’.
To the moderator: I withdraw my previous comment, the post does include ssh-add, but I had not read it thoroughly.
Nice tip. Thanks.
Now I did the same for an OpenSSH server which listens on port 22000. Actually, there’s a firewall listening on that port, which redirects the incoming traffic to a LAN’s OpenSSH server.
I’ve copied the key to the /home/user/.ssh/authorizedkeys but the client doesn’t connect without prompting for the password…
Hi, I am new to SSH. Can you tell me how I can automate connecting to remote unix boxes using SSH through a shell script, where the SSH connections take the password at runtime, possibly using a config file
something like
cat server_repo.txt:
abc_server abc/def
where abc_server - unix box
abc - username
def - password
Note - I don't want to use “Passwordless Connectivity”
Thanks,
Arul.
Hi,
Why is it mandatory to have the same username on both source and target servers?
Is there any workaround to this limitation?
Thnx.
No it is not required. You can use user name tom on client and username jerry on server.
hi vivek,
I think this method will not work for different users,
i.e. what I want to say is user1 cannot log in to the user2 account without a password on the server. Can you confirm it and revert back again?
thanks in advance
surendra
Hi Vivek,
In your step 3, as below, it will prompt for the password of user vivek on rh9linux.nixcraft.org to complete the copying of the public key.
$ scp .ssh/id_rsa.pub vivek@rh9linux.nixcraft.org:.ssh/authorized_keys2
Is there any method by which I can pass this value non-interactively?
Thanks
Shankar
Regarding using scp to copy id_rsa.pub into authorized_keys2, I don’t believe this to be a good idea if there is any chance that you need more than one user or public key to have access to the server.
In this case, rather do the following:
ssh vivek@rh9linux.nixcraft.org "cat >> .ssh/authorized_keys2" < .ssh/id_rsa.pub
This will pipe the public key through the ssh session and append it to the existing file if it exists. Otherwise, it will create the file with the contents of your id_rsa.pub.