A quick how-to, mostly for my reference, but also because a Google search for “using ssh with certificates” brings up no useful resources.
To avoid having to type in your password every time you want to ssh to a server, you can set up the server to accept a certificate like this:
On your local machine, go to the command-line and type:
- cd ~/.ssh
- ssh-keygen -t rsa
- Choose no passphrase when asked and accept the default filename of id_rsa
- scp id_rsa.pub <user>@<yourhost>:.ssh/authorized_keys
- Provide your password when asked and that’s the last time you’ll have to do it!
If you get an error on the last step saying “scp: .ssh/authorized_keys: No such file or directory”, connect to your host and create the .ssh directory in your home directory.
16 Comments
JayFresh, braying in the face of the ‘something you have and something you know’ mantra of two factor authentication… huzzah!
You probably got few results as people don’t usually call them certificates in this context – they call them keys (hence ssh-keygen)
Ideally you should also give your keys strong passwords, as otherwise if someone else obtained them *bam* they have access as you. If you use a password then you can use a key agent so you don’t have to enter the key password every time. (Leopard even has an ssh-keyagent running for you, you just ssh -i {keyname} once and it’ll prompt for the password and then store it in your keychain.)
Patrick is right – you should search for the term “(public/private) key” instead of “certificate”.
Also, I believe DSA is the preferred type these days.
Yeah, certificates are as used with SSL/TLS and S/MIME etc, and IIRC the product of a trusted 3rd party ‘signing’ (with their private key) the requester’s relevant info (server name or E-mail address etc) along with their public key. Think there is a bit more to it, but you get the idea… With SSH it’s just key-pairs, without any signing going on.
Wouldn’t worry about passphrases if you have an encrypted homedir (IIRC FileVault in Macspeak), which of course everyone should have.
ssh-agent is ace, and with agent forwarding it gets even better, as you can login to a remote machine, and then from that to another, and to another if you like, all without entering passwords.
http://www.unixwiz.net/techtips/ssh-agent-forwarding.html
Re: agent forwarding
What happens if you eventually log back in to the machine you started from? Do you get a virtual Duckling loop? Or recreate that scene in “Being John Malkovich” where goes through the portal into his own head? We could call it “Being Jon Lister”.
That should work fine, Denada – in contrast to VNC…
Andrew: I guess I’m just the paranoid type – although if I were truly paranoid I wouldn’t store the password in the keychain. At the very least it’s a lot harder for someone sitting at my computer to get the password from the keychain than it is to cp ~/.ssh/* /Volumes/EvilRemoteVolume/
One thing I do like is that it’s not terribly hard to revoke a key (just remove it from authorized_keys file), although it doesn’t scale well when you have a lot of servers. You can also lock keys to only certain IP addresses and other such fun.
Thanks everyone for the comments, they’ve made the post much more useful!
“keys”… yes, that would be the right term now, wouldn’t it… I’ll leave searching for certificates until I want a 2nd-hand PhD or something.
I have also ended up here after searching for ‘ssh+certificate’, so you are probably far from the only one making this mistake.
I have now read the above with interest, and am now off to search for ‘ssh+keys’.
In any case, this post is definitely useful. Leave it here!
Thanks.
I ended up here searching for ssh+certificate as well.
I needed to perform automated transfer between two linux boxes in a script. A quick and dirty script or I would have set up an rsync server on one of the boxes.
So I needed PASSWORD-LESS communication to be scripted. Since IMHO that is the entire purpose of certificate based ssh authentication, the strong password recommendation above is kind of silly.
Computers are also very secure if you turn them off and don’t use them. They might even pass a PCI audit…
Along with the other comments, DSA, etc, don’t forget permissions or the /var/log/secure log file.
- your ~/.ssh dir must be 700
- your private key file must be 600
- your public key file must be 644
- your auth file (on the remote) must be 644
But the log file will tell you this (basically).
Leave the link here – handy….
thanks
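The set-up from the post and the file modes listed in the comments above, as an added example that is not part of the original post or its comments: the key gets a passphrase (as the comments recommend), the public key is appended to the remote authorized_keys rather than replacing it (the post’s scp step would overwrite any keys already there), and the remote ~/.ssh is created on the fly so the “No such file or directory” error cannot occur. It assumes OpenSSH’s ssh-keygen and ssh are installed; `user@host` is a placeholder.

```shell
#!/bin/sh
# Added example, not the original post's own commands.
# Assumes OpenSSH (ssh-keygen, ssh) and a user@host placeholder.

# Generate a key pair (prompting for a passphrase) and append the public key
# to the remote account's authorized_keys instead of overwriting it.
install_key() {
  remote="$1"                      # e.g. user@host (placeholder)
  key="${2:-$HOME/.ssh/id_rsa}"
  mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
  [ -f "$key" ] || ssh-keygen -t rsa -b 4096 -f "$key"
  # remote side creates ~/.ssh if missing; >> appends rather than replaces
  ssh "$remote" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' \
    < "$key.pub"
}

# Return 0 when every existing file in an ~/.ssh directory has the mode the
# comments list; otherwise print each offender and return 1.
check_ssh_perms() {
  dir="${1:-$HOME/.ssh}"
  rc=0
  for entry in "$dir:700" "$dir/id_rsa:600" "$dir/id_rsa.pub:644" \
               "$dir/authorized_keys:644"; do
    path="${entry%:*}"; want="${entry##*:}"
    [ -e "$path" ] || continue     # only check files that exist
    # GNU stat first, BSD/macOS stat as fallback; both print octal mode
    have=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
    if [ "$have" != "$want" ]; then
      echo "$path is $have, expected $want"
      rc=1
    fi
  done
  return $rc
}

# Usage: ./sshkeys.sh install user@host [keyfile]   or   ./sshkeys.sh check [dir]
case "${1:-}" in
  install) install_key "$2" "$3" ;;
  check)   check_ssh_perms "$2" ;;
esac
```

Running `check` on a machine whose login fails with a “permission denied” in the log is usually faster than reading /var/log/secure by hand.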
On Ubuntu: open Applications | Passwords and Encrypted Keys, right-click your key under “My Personal Keys”, select “Configure Key for Secure Shell”, fill out dialog (remote computer name, user account), hit OK.
Excellent article!
By far the EASIEST way to do ssh I have found on the web!
Yes, by far the easiest method to set up ssh keys I have found.
Great!
Thanks,
Gee, thanks guys!
Great post. I was trying to set up a rsync to let Eclipse automatically sync with a remote server. This explanation stopped me having to type my password every time I saved a file. Nice one!
2 Trackbacks/Pingbacks
[...] copy this to the server and can now log in without a password. How this works is here [...]
[...] and therefore, print. To keep them from logging into the machine through SSH, I set SSH to use certificates instead of passwords. This also allows me to securely access it without having to type in a [...]