SSH keys can replace password authentication so that you can log in without typing a password, or can restrict a login to running a single command. If you plan to run scripts that need SSH access and do not want to embed passwords in them, keys are an alternative that is both safer and easier to maintain.
To use password-less logins (i.e. log in with a key file) you will need to do the following:
* Generate a key pair
* Copy the public key to the servers you wish to log into
* Use an ssh-agent, or make sure the keys are in the default location
These steps are detailed below.
There are some basic things you need to be aware of when dealing with key-based authentication; they are listed below to help you avoid the common pitfalls.
To use an SSH key file you first need to generate a public and a private key, together referred to as a key pair. The public key is what a server uses to verify who you are; it does not need to be kept secret and is the part you hand out. The private key plays the role of the password for that key pair/identity: it must never be given to anyone else or copied onto the servers you log in to. By default the key files are generated in the ".ssh" folder in your home directory and are called id_rsa for RSA keys and id_dsa for DSA keys (newer OpenSSH versions also generate id_ecdsa and id_ed25519; since OpenSSH 9.5 ssh-keygen produces ed25519 keys by default, and DSA keys are deprecated and have been disabled in the ssh client since OpenSSH 7.0). ssh looks for these files by default and also asks any running ssh-agent for keys; if no key is accepted, or none is found, it falls back to normal password authentication.
To generate a key pair with reasonable defaults use the following command (ssh-keygen):
This will prompt you for the filename to save the key to; hit enter to accept the default. You will then be prompted for a passphrase to protect the key file. Choose a strong passphrase that you do not use anywhere else; in particular do not reuse your LDAP or login password, because anyone who obtains the key file can brute-force the passphrase offline and would then have that password too. A complete session is listed below.
The randomart image (a visual form of the key fingerprint) is only printed by newer versions of the OpenSSH tools.
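The generation step above, as an added example that is not part of the original page: a small script that runs ssh-keygen non-interactively, then checks the result the way a practitioner would (permissions, comment, fingerprint, and that the public half really belongs to the private half). It uses an ed25519 key instead of the RSA/DSA defaults the page mentions, a higher KDF round count to slow down passphrase guessing, and a passphrase, comment and file path that are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original page): generate and verify an SSH key pair.
set -u

# make_key <path> <passphrase> <comment>
# -t ed25519: small, fast keys with no parameter choices to get wrong
# -a 64:      KDF rounds, makes offline brute-forcing of the passphrase slower
# -N:         passphrase (never reuse your login/LDAP password here)
# -C:         comment, shown by ssh-add -l and in authorized_keys
make_key() {
  ssh-keygen -q -t ed25519 -a 64 -N "$2" -C "$3" -f "$1"
}

# fingerprint <pubkey path>: the SHA256 fingerprint, as shown by ssh-add -l
fingerprint() {
  ssh-keygen -l -E sha256 -f "$1" | awk '{print $2}'
}

# pubkey_matches <private key path> <passphrase>
# Re-derives the public key from the private half (what ssh-add -L gives you
# for a loaded key) and compares it with the stored .pub file. Returns
# non-zero if the passphrase is wrong or the files do not belong together.
pubkey_matches() {
  derived=$(ssh-keygen -y -P "$2" -f "$1" | awk '{print $1" "$2}')
  stored=$(awk '{print $1" "$2}' "$1.pub")
  [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# Typical use (paths and passphrase are example values):
#   make_key "$HOME/.ssh/id_ed25519" 'a long unique passphrase' "$USER@$(hostname)"
#   fingerprint "$HOME/.ssh/id_ed25519.pub"
```

Run it with a fresh path; ssh-keygen asks before overwriting an existing key, so the functions are safe to re-run. The fingerprint is what you compare against the output of ssh-add -l later to tell your keys apart.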
OpenSSH provides a helper script, ssh-copy-id, that copies your public key to a remote server: it appends the key to ~/.ssh/authorized_keys on the server, fixes the permissions on ~/.ssh and authorized_keys (sshd refuses keys in world- or group-writable files), and performs some other basic checks to ensure the key works. You will be asked for your password on the remote server once, to install the key.
To copy your key use the following command:
If your public/private keys are not called id_rsa.pub and id_rsa respectively, or are not located in the .ssh directory in your home folder, you will need to specify the path to the public key file with the "-i" flag (ssh-copy-id appends ".pub" itself if you give it the private key's path).
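What ssh-copy-id does on the server side, written out as an added example (not the page's own code, and not ssh-copy-id itself): validate the key line, append it only once, fix the permissions, and optionally prefix the authorized_keys options that restrict the login to a single command, which is the use the page mentions in its opening paragraph. The public key strings in the comments and in the usage note are constructed for this example and are not real keys; the forced command path is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original page): a minimal, idempotent stand-in for
# the remote half of ssh-copy-id, plus forced-command restrictions.
set -u

# is_pubkey_line <line>: accept only "<keytype> <base64> [comment]"
is_pubkey_line() {
  printf '%s\n' "$1" |
    grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=* ?.*$'
}

# install_pubkey <authorized_keys path> <public key line> [options]
# Appends the key once (matched on type+blob, so a changed comment does not
# create a duplicate), prefixed with the given authorized_keys options if any,
# and sets the permissions sshd's StrictModes requires (700 dir, 600 file).
# Example options restricting a backup key to one command and nothing else:
#   'command="/usr/local/bin/backup",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding'
install_pubkey() {
  ak=$1; key=$2; opts=${3:-}
  is_pubkey_line "$key" || { echo "install_pubkey: not a public key line" >&2; return 1; }
  blob=$(printf '%s\n' "$key" | awk '{print $1" "$2}')
  dir=$(dirname "$ak")
  mkdir -p "$dir" && chmod 700 "$dir"
  touch "$ak" && chmod 600 "$ak"
  if grep -Fq -- "$blob" "$ak"; then
    return 0                                 # already installed: nothing to do
  fi
  if [ -n "$opts" ]; then
    printf '%s %s\n' "$opts" "$key" >> "$ak"
  else
    printf '%s\n' "$key" >> "$ak"
  fi
}

# count_keys <authorized_keys path>: number of key entries (blank/comment lines ignored)
count_keys() {
  grep -Ecv '^[[:space:]]*(#|$)' "$1" || true
}

# Typical use on the server, with a CONSTRUCTED (not real) key:
#   install_pubkey "$HOME/.ssh/authorized_keys" \
#     'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyDataNotRealZZZZ backup@example.com' \
#     'command="/usr/local/bin/backup",no-pty,no-port-forwarding'
```

With a command= option the key can only ever run that program (sshd puts the client's requested command in SSH_ORIGINAL_COMMAND for the program to inspect), so a leaked backup key does not become a shell on the server.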
If you use more than one key, or do not want to type the passphrase for every connection, use an ssh-agent. The agent loads keys (decrypting them with the passphrase you supply, if they have one) and ssh offers each loaded key to the server in turn until one is accepted, falling back to password authentication if none is. Each key offered counts as an authentication attempt on the server (OpenSSH's MaxAuthTries defaults to 6), so with many keys loaded a login can fail with "Too many authentication failures"; pin the right key for a host with the IdentityFile and IdentitiesOnly options in ~/.ssh/config.
The ssh-agent consists of two parts: a daemon that holds the decrypted private keys and answers signing requests from ssh clients (ssh-agent), and a program for adding keys to, listing and removing keys from the running agent (ssh-add). The private keys never leave the agent process; ssh only receives signatures.
You will need to ensure you have an ssh-agent running. Most graphical logins on Linux computers start one in the background for you; if you are using a different operating system you may have to start the ssh-agent manually. Two methods are shown below and will need to be added to your login scripts (the ones that run once per login, such as ~/.profile or ~/.bash_profile).
Avoid adding these to your .bashrc file, otherwise a separate ssh-agent will be started for every terminal you open and they will not share keys. See the IBM links in the URL section below for "keychain", a platform-independent (BSD/Unix/Linux) wrapper around ssh-agent designed to fix this issue.
Once the ssh-agent is running you need to add keys to it so that it can authenticate on your behalf; the ssh-add program, installed as part of the basic OpenSSH tools, does this. ssh-add lets you list, add and delete keys, and lock the agent with a password (-x, unlock again with -X); the common options are explained below.
To list the fingerprints of all the keys loaded into the agent use (ssh-add with the "-l" flag)
If you need to add a key to the authorized_keys file and do not have the public key handy, you can regenerate the public key from the private key loaded in the agent using the command below (ssh-add with the capital "-L" flag); this lists all your loaded keys in a format suitable for insertion into authorized_keys.
You can then copy this output into the file by hand, or write it to a file and use the ssh-copy-id command as shown above.
The following command adds a key to the agent; <key file> is the private key file (not the public key, i.e. not the file ending in ".pub").
This will prompt you for the key's passphrase if the key is protected by one, and then add it to the current ssh-agent instance, allowing you to log in without typing the passphrase again. Keys stay loaded until the agent exits; the "-t" option gives a key a lifetime in seconds after which the agent forgets it.
Keys can be removed from the agent with the "-d" (single key) or "-D" (all keys) flags.
To forget all keys use
To remove a single key, list the fingerprints with the "-l" flag as shown above to identify it, then pass the key's public key file to "-d" (if you give it the private key's path, ssh-add looks for the matching ".pub" file):
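The ssh-add operations described above (list, add with a lifetime, export the public keys, remove one key, remove all), exercised against a throwaway agent and key as an added example that is not part of the original page. Interactively you would simply run ssh-add with the key path and type the passphrase; to run unattended here the passphrase is handed to ssh-add through an SSH_ASKPASS helper, which is the mechanism graphical desktops use. The temporary paths and the passphrase are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): the ssh-add operations against a
# running agent. Assumes SSH_AUTH_SOCK points at an agent (see start-up above).
set -u

# loaded_key_count: how many identities the agent holds, from ssh-add -l
# (each listed key starts with its bit length; the "no identities" message does not)
loaded_key_count() {
  ssh-add -l 2>/dev/null | grep -c '^[0-9]' || true
}

# add_key_for <private key path> <passphrase> <seconds>
# Loads the key with a lifetime (-t) so the agent forgets it by itself. The
# passphrase is supplied via a temporary SSH_ASKPASS helper so this runs
# without a terminal; SSH_ASKPASS_REQUIRE=force is honoured by OpenSSH 8.4+,
# DISPLAY plus a non-tty stdin covers older versions.
add_key_for() {
  askpass=$(mktemp)
  cat > "$askpass" <<'EOF'
#!/bin/sh
printf '%s' "$ASKPASS_SECRET"
EOF
  chmod 700 "$askpass"
  if ASKPASS_SECRET="$2" SSH_ASKPASS="$askpass" SSH_ASKPASS_REQUIRE=force DISPLAY=:0 \
       ssh-add -t "$3" "$1" </dev/null 2>/dev/null; then rc=0; else rc=$?; fi
  rm -f "$askpass"
  return $rc
}

# public_keys_from_agent: what ssh-add -L prints, i.e. lines ready to paste
# into authorized_keys when the .pub file is not at hand
public_keys_from_agent() {
  ssh-add -L 2>/dev/null || true
}

# forget_key <key path>: ssh-add -d identifies the key by its public key file
# (it appends .pub itself if given the private key path); forget_all drops
# every loaded identity (ssh-add -D)
forget_key() { ssh-add -d "$1" >/dev/null 2>&1; }
forget_all() { ssh-add -D >/dev/null 2>&1; }

# Typical interactive use (example path):
#   ssh-add -t 28800 "$HOME/.ssh/id_ed25519"   # load for one working day
#   ssh-add -l                                  # confirm by fingerprint
#   ssh-add -d "$HOME/.ssh/id_ed25519"          # remove it again
```

Giving every key a lifetime limits how long a stolen or forgotten terminal session can keep using your identity; ssh-add -x locks the agent without unloading the keys if you step away for a shorter time.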