Using SSH Keys

Below I describe how to generate your public & private keys so you can ssh or scp to somewhere and not have to specify a password.

One problem with this is a privileged (eg, root) user could steal your private key (~/.ssh/id_dsa) and then be able to do ssh/scp commands using your credentials. The solution is to encrypt your private keys with a passphrase, which I'll describe.

But then you're back to having to enter a secret (the passphrase to your local private key instead of the password to your target userid on the remote system). The solution to that is to use ssh-agent & ssh-add, which will "remember" your passphrase so you only need to enter it once per login. I'll describe that process and how you might set that up, but I'll finish with the best way (that I've found) to set this up.


  1. First create your identities with ssh-keygen, which can create the 3 types of identities you might need,
           ~/.ssh/identity for ssh version 1 RSA
           ~/.ssh/id_rsa   for ssh version 2 RSA
       and ~/.ssh/id_dsa   for ssh version 2 DSA (Best and what we're going to use)
    
    When creating these files, you can and should create them with a passphrase which would prevent root from stealing them. Passphrases must be greater than 5 characters. On linux2, I chose to use the full name of my dog.
         ssh-keygen -t dsa
    
    creates ~/.ssh/id_dsa (your encrypted private key) and ~/.ssh/id_dsa.pub (your public key).
  2. For each target you'll want to ssh/scp to, append your public key file to the target's ~/.ssh/authorized_keys file. For me since root didn't have an authorized_keys file, I could get away with
        scp -p .ssh/id_dsa.pub root@linux2:.ssh/authorized_keys
        scp -p .ssh/id_dsa.pub root@linux3:.ssh/authorized_keys
        scp -p .ssh/id_dsa.pub root@linux4:.ssh/authorized_keys
    
    At this point, you can ssh/scp to the target without specifying the target's password. You will have to provide your passphrase though.
         scp .bashrc root@linux2:junk
         Enter passphrase for key '/home/rick/.ssh/id_dsa':
         .bashrc                                       100%  171     0.2KB/s   00:00
    

  3. To not have to specify or passphrase everytime, we'll add your passphrase to the ssh-agent daemon with the ssh-add command. First though, you have to get an ssh-agent running for your use. One of
         ssh-agent xterm &       (if you have X running)
         ssh-agent bash
         ssh-agent $SHELL
    
    will launch an ssh-agent you can use and put you back into your shell. You can now
        ssh-add .ssh/id_dsa
    
    You'll have to tell ssh-add your passphrase, but afterwards, your ssh/scp commands will need neither a password or passphrase.
        for i in 2 3 4;do ssh root@linux$i ls -l .ssh/authorized_keys;done
           -rw-r--r--  1 root root 601 Aug 31 12:33 .ssh/authorized_keys
           -rw-r--r--  1 root root 601 Aug 31 12:28 .ssh/authorized_keys
           -rw-r--r-- 1 root root 601 Aug 31 12:28 .ssh/authorized_keys
    
  4. Each time you login though, you'll have to
        ssh-agent bash
        ssh-add
    
    and type your passphrase once, but after that, ssh/scp commands work with no password. This of course, could/should be added to one's login and the SSH book on pages 218-229 explains two ways of doing this, what they call the single-shell & subshell methods. There are pros and cons to both methods and they give sample code you could put in your ~/.profile, ~/.logout, but the easiest thing is to use keychain.
  5. keychain is a shell script front-end to ssh-agent. With keychain, you simply get and install, then put these lines in your ~/.bash_profile,
        /usr/bin/keychain ~/.ssh/id_dsa > /dev/null 2>&1
        source .keychain/linux2-sh > /dev/null
    
    It assures there's only one copy of ssh-agent running and points your login session to that one session. If keychain had to start the ssh-agent, you'll get prompted for your passphrase, else it'll keep that ssh-agent running even if/when you log off, and it'll point you to it at your next login.

This page was last updated: Thursday, 14-Sep-2006 12:14:20 Pacific Daylight Time