Using SSH Keys

One problem with this is a privileged (eg, root) user could steal your private key (~/.ssh/id_dsa) and then be able to do ssh/scp commands using your credentials. The solution is to encrypt your private keys with a passphrase, which I'll describe.

But then you're back to having to enter a secret (the passphrase to your local private key instead of the password to your target userid on the remote system). The solution to that is to use ssh-agent & ssh-add, which will "remember" your passphrase so you only need to enter it once per login. I'll describe that process and how you might set that up, but I'll finish with the best way (that I've found) to set this up.

1. First create your identities with ssh-keygen, which can create the 3 types of identities you might need,

          ~/.ssh/identity for ssh version 1 RSA
          ~/.ssh/id_rsa   for ssh version 2 RSA
      and ~/.ssh/id_dsa   for ssh version 2 DSA (Best and what we're going to use)
   

   When creating these files, you can and should create them with a passphrase which would prevent root from stealing them. Passphrases must be greater than 5 characters. On linux2, I chose to use the full name of my dog.

        ssh-keygen -t dsa
   

   creates ~/.ssh/id_dsa (your encrypted private key) and ~/.ssh/id_dsa.pub (your public key).
2. For each target you'll want to ssh/scp to, append your public key file to the target's ~/.ssh/authorized_keys file. For me since root didn't have an authorized_keys file, I could get away with

       scp -p .ssh/id_dsa.pub root@linux2:.ssh/authorized_keys
       scp -p .ssh/id_dsa.pub root@linux3:.ssh/authorized_keys
       scp -p .ssh/id_dsa.pub root@linux4:.ssh/authorized_keys
   

   At this point, you can ssh/scp to the target without specifying the target's password. You will have to provide your passphrase though.

        scp .bashrc root@linux2:junk
        Enter passphrase for key '/home/rick/.ssh/id_dsa':
        .bashrc                                       100%  171     0.2KB/s   00:00
   

   ---

3. To not have to specify or passphrase everytime, we'll add your passphrase to the ssh-agent daemon with the ssh-add command. First though, you have to get an ssh-agent running for your use. One of

        ssh-agent xterm &       (if you have X running)
        ssh-agent bash
        ssh-agent $SHELL
   

   will launch an ssh-agent you can use and put you back into your shell. You can now

       ssh-add .ssh/id_dsa
   

   You'll have to tell ssh-add your passphrase, but afterwards, your ssh/scp commands will need neither a password or passphrase.

       for i in 2 3 4;do ssh root@linux$i ls -l .ssh/authorized_keys;done
          -rw-r--r--  1 root root 601 Aug 31 12:33 .ssh/authorized_keys
          -rw-r--r--  1 root root 601 Aug 31 12:28 .ssh/authorized_keys
          -rw-r--r-- 1 root root 601 Aug 31 12:28 .ssh/authorized_keys
   

4. Each time you login though, you'll have to

       ssh-agent bash
       ssh-add
   

   and type your passphrase once, but after that, ssh/scp commands work with no password. This of course, could/should be added to one's login and the SSH book on pages 218-229 explains two ways of doing this, what they call the single-shell & subshell methods. There are pros and cons to both methods and they give sample code you could put in your ~/.profile, ~/.logout, but the easiest thing is to use keychain.

   ---

5. keychain is a shell script front-end to ssh-agent. With keychain, you simply get and install, then put these lines in your ~/.bash_profile,

       /usr/bin/keychain ~/.ssh/id_dsa > /dev/null 2>&1
       source .keychain/linux2-sh > /dev/null
   

   It assures there's only one copy of ssh-agent running and points your login session to that one session. If keychain had to start the ssh-agent, you'll get prompted for your passphrase, else it'll keep that ssh-agent running even if/when you log off, and it'll point you to it at your next login.