SSH Key Authentication

This is going to be old hat for some, but I know there are those who can benefit from it, so I'll post a brief tutorial here. This post builds on the one Christer published on Ubuntu Tutorials.

There is a lot of software on the Linux system that I take for granted, and I am sure there are many reading this post who also do not realize the full power of SSH. Two of those goldmines are SSH key authentication and sshfs. First, SSH key authentication (sshfs is for another post).

There are two ways that a server can recognize a user who is trying to access it: passwords or keys. Both give the server assurance that the person at the local machine is who they say they are. Of course, if the local system is compromised, there is no way for the server to know. With that said, hopefully it's basic user error that created the compromise in the first place. But never mind that. I'm rambling.

Many of us use SSH daily. Probably more than once throughout the course of the day. I know I do. At work, I SSH into my home box for a secure proxy, as well as SSH into the office server. With the office server containing many virtual servers, I find myself using SSH a few times more. On top of that, we use SVN to manage our code collaboration, and we use svn+ssh to check in the code. Needless to say, I find myself using SSH several times throughout the course of the day. One major problem is typing my password at every pass. Key authentication fixes that.

Using SSH key authentication, I generate a private and public key. With this key pair, I then append the public key to an authorized keys file, telling the remote system to let me in whenever I can prove that I hold the matching private key. If the remote system can match the public key to the private key on my machine, then I don't have to worry about a password. It won't ask me for one. It knows I am who I say I am.

So, how do we make this happen? Simple. SSH provides a set of utilities that make it really easy.

First, we need to generate the key pair. When asked, you should provide a passphrase for the key. This is highly recommended, as doing a passphraseless key authentication means that anyone can use your key when at your computer, which sucks even more if it gets compromised. Type in a passphrase. Save yourself the pain.

ssh-keygen -t [dsa|rsa]

As you can see, you can generate either a DSA key or an RSA key. It doesn't matter which one you generate. For me, I generated a DSA key. So, I need to append the public DSA key to the authorized keys file in my home directory on the remote server. First, copy the public key over to the remote server:

scp ~/.ssh/id_dsa.pub user@yourserver.com:~/

Then ssh to the remote server, make sure ~/.ssh exists with permissions sshd will accept (it refuses keys from a world-writable directory or file), and append the contents:

ssh user@yourserver.com
mkdir -p ~/.ssh && chmod 700 ~/.ssh
cat id_dsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys

If the file didn't exist, you just created it. If it did exist, you appended your key to the end of the file, leaving any other keys in it intact. Repeat this for every remote server you want to reach with the key. Once the key is appended, you can delete the copied id_dsa.pub from the remote home directory.
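The copy-then-append step above, as an added example that is not from the original post: a shell function that creates ~/.ssh with the permissions sshd expects, appends the key only if that exact line is not already present (so re-running it never duplicates keys), and a wrapper that applies the same logic on the remote side over a single ssh session. The host name and key strings are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent authorized_keys
# install with the permissions sshd's StrictModes expects. Host names and
# key strings below are constructed placeholders.

# append_authorized_key FILE KEYLINE
# Creates the parent directory (mode 700) and the file (mode 600) if
# missing, then appends KEYLINE unless an identical line is already there.
# Returns 1 when the key was already present and nothing was written.
append_authorized_key() {
    file=$1
    key=$2
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"
    # -x: match whole line, -F: literal string (key material is not a regex)
    if grep -qxF -- "$key" "$file"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$file"
}

# count_keys FILE: number of key lines (ignores blank and comment lines)
count_keys() {
    grep -v '^[[:space:]]*#' "$1" | grep -c '[^[:space:]]'
}

# install_pubkey_remote USER@HOST [PUBKEY_FILE]
# Streams the public key over one ssh session and applies the same
# mkdir/chmod/grep/append logic on the remote side, so no copy of the
# key is left lying in the remote home directory afterwards.
install_pubkey_remote() {
    target=$1
    pub=${2:-$HOME/.ssh/id_dsa.pub}
    ssh "$target" 'umask 077; mkdir -p ~/.ssh; touch ~/.ssh/authorized_keys;
        k=$(cat); grep -qxF -- "$k" ~/.ssh/authorized_keys ||
        printf "%s\n" "$k" >> ~/.ssh/authorized_keys' < "$pub"
}

# Usage (constructed host name):
#   install_pubkey_remote user@yourserver.example
```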

Ok. Now, we have SSH using key authentication, rather than password authentication. The only problem is, we're still typing in our passphrase when trying to connect remotely. I thought the point of key authentication was to get rid of that. It was, and it's still possible.

We need to use the SSH agent to manage our passphrase when logged in. Luckily, if using Gnome, you already have an SSH agent running. I don't know about KDE.

ps aux | grep ssh-agent
aaron     5142  0.0  0.0   4484   448 ?        Ss   Feb07   0:00 /usr/bin/ssh-agent /usr/bin/ssh-agent /usr/bin/dbus-launch --exit-with-session /usr/bin/gnome-session

As you can see, Gnome is managing my SSH agent for me. However, only when logged in via GDM. If I log out of Gnome, then my ssh agent is lost. So, this means that if you log in via a terminal without X, you will need to start the SSH agent yourself.

What is the SSH agent, exactly? Well, it holds your unlocked key (and a few related environment variables) while you log in to remote servers using SSH key authentication. So, if you log in using the SSH keys and you're prompted for your passphrase, the unlocked key is kept in the agent, which means you won't have to enter the passphrase again. The way to do this is to add your key to the agent, supplying your passphrase once:

ssh-add

That will do the trick. Now, SSH into the remote server. It will ask you for your passphrase. Now log out and log back in. Did it ask you for your passphrase again? If you've followed all the steps, then it shouldn't have. The reason is that both your key and its associated passphrase are being stored in the agent. The SSH agent manages the two together, and any future logins, regardless of remote server (as long as your public key is on that server), will not ask you for a password or passphrase.

Pretty cool, huh? Just wait, it gets better. You can forward your agent from session to session. This means that, as long as you have your public key in the authorized keys file, you will never be asked for your password or passphrase. The agent can be carried across the session. Just edit your /etc/ssh/ssh_config file, uncomment the line that reads "ForwardAgent no", and change it to "ForwardAgent yes".

sudo vim /etc/ssh/ssh_config

Let me give you an example to help illustrate the process.

John generates his SSH key pair, and adds the public key to his SSH server. He then adds his key to the agent, enables forwarding his agent, and SSHs in. He is asked for his passphrase. When done with his work, he logs out. Unfortunately, he forgot to edit a certain file, so he SSHs back into his server. This time, because he logged out remotely but not locally, he is not asked for his passphrase. Kelly, his girlfriend, needs help with her SSH server, and asks him to sign in. He does, but this time the SSH server prompts him for his password. "Odd," he thought. "I am forwarding my SSH agent. It shouldn't ask me for this." Well, if he didn't add his public key to Kelly's authorized keys file, then of course it will. If his public key were in the authorized keys file, then Kelly's server would not ask for anything, and would just load right up.

Does that make sense? His agent is being forwarded from remote session to remote session, never asking for a passphrase or password, as long as the public key is in the authorized keys file. You just need to remember 'ssh-add' when logging into Gnome. If logging into KDE or another window manager, then you may need to start the agent (running ssh-agent on its own only prints the variables; eval applies them to your shell):

eval "$(ssh-agent -s)"

I am unsure about what window managers you would need to run that command in. I just know with Gnome, you don't need to worry about it.
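Pulling the agent startup and the forwarding setting together, as an added example that is not from the original post: a login-time snippet that reuses a running agent or starts one, loads the key once, and writes a ~/.ssh/config stanza that enables ForwardAgent only for hosts you name, rather than for every host via /etc/ssh/ssh_config. While you are connected, a forwarded agent can be used by anyone with root on that remote host, so scoping it this way is the check a practitioner wants. The host names and the id_dsa path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: reuse or start ssh-agent for
# this shell, add the key once, and scope ForwardAgent to named hosts.
# Host names and key path below are constructed placeholders.

# agent_available: true when SSH_AUTH_SOCK names a live agent socket
agent_available() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# ensure_agent [KEYFILE]
# The bare `ssh-agent` command only prints the environment variables;
# eval is what makes this shell use the new agent. The key is added only
# when the agent holds no identities yet (ssh-add -l fails in that case).
ensure_agent() {
    keyfile=${1:-$HOME/.ssh/id_dsa}
    agent_available || eval "$(ssh-agent -s)" >/dev/null
    ssh-add -l >/dev/null 2>&1 || ssh-add "$keyfile"
}

# forward_agent_stanza HOST...
# Prints a ~/.ssh/config fragment: ForwardAgent yes for each named host,
# and an explicit ForwardAgent no for everything else, so a global
# "ForwardAgent yes" in /etc/ssh/ssh_config is never needed.
forward_agent_stanza() {
    for h in "$@"; do
        printf 'Host %s\n    ForwardAgent yes\n\n' "$h"
    done
    printf 'Host *\n    ForwardAgent no\n'
}

# Usage (constructed host names):
#   ensure_agent ~/.ssh/id_dsa
#   forward_agent_stanza home.example office.example >> ~/.ssh/config
```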

No more asking passwords or passphrases when you use SSH. This makes it especially handy when using svn+ssh. If you check in code a lot, this will save you a ton of typing at the shell.

So, there you go. Secure SSH key authentication made simple. You have security first in mind when generating the keys and supplying a passphrase. You make things simple by using the SSH agent to manage your key sessions and your passphrases. Finally, you forward your agent across multiple machines, regardless of how deep, keeping simplicity and ease of use in mind. The whole time, security is first on the agenda.

{ 8 } Comments

  1. Christer Edwards using Firefox 2.0.0.1 on Ubuntu | February 10, 2007 at 12:57 am | Permalink

    Two questions here: 1) can you combine those first two commands into one using something like "scp ~/.ssh/id_dsa.pub user@yourserver.com:~/ | cat id_dsa.pub >> .ssh/authorized_keys"?

    2) What do you mean you're still using your passphrase when logging in remotely? Since I generated and appended my local key to my irssi server I have not needed a password to connect or run any user commands.

  2. Aaron using Firefox 2.0.0.1 on Ubuntu | February 10, 2007 at 7:59 am | Permalink

    Christer-

    I don't know of a way to combine the two commands. If a file already exists containing some authorized keys, then you don't want to overwrite that file, so it's best to be careful.

    Also, it sounds like you generated a key pair containing no passphrase. When you generate the keys, it will prompt you to enter a passphrase protecting the keys. If you enter past it, and don't enter a passphrase, as I suspect you did, then you'll never be prompted for it. I would advise against entering past the passphrase prompt, and suggest entering one, then using the SSH agent to manage it.

  3. dbr using Firefox 2.0.0.1 on Windows XP | February 10, 2007 at 8:45 am | Permalink

    Doing cat id_dsa.pub >> ~/.ssh/authorized_keys won't overwrite anything in an existing authorized_keys file, since >> is append (> is overwrite)

    Anyone using Windows to connect to SSH-servers, the PuTTY-bundle is great (It includes GUI equivalents to ssh-agent, PageAnt, and ssh-keygen, PuTTYGen, and ssh/sftp/scp clients) [ http://www.chiark.greenend.org.uk/~sgtatham/putty/ ]
    - Ben

  4. Aaron using Firefox 2.0.0.1 on Ubuntu | February 10, 2007 at 11:46 am | Permalink

    dbr-

    Correct. That is why it is mentioned in the tutorial, and PuTTY is a great client for Windows users. I highly recommend it.

  5. Bob using Firefox 1.5.0.7 on Debian GNU/Linux | February 10, 2007 at 7:21 pm | Permalink

    You can do the following if you want one command for getting your key into authorized_keys:

    cat ~/.ssh/id_dsa.pub | ssh user@remotehost.com "cat >> ~/.ssh/authorized_keys"
    

    Be sure to also check out the "AUTHORIZED_KEYS FILE FORMAT" section in the sshd man page. You can get some very fine grained control of what keys can and can't do when logging in. For example, I use a passphrase-less key for backups, but only allow that key to run one command (the backup script).

  6. David using Firefox 2.0.0.2 on Ubuntu 64 bits | March 15, 2007 at 12:52 pm | Permalink

    KDE starts ssh-agent (at least on my Kubuntu).

  7. Christopher Dale using Firefox 2.0.0.3 on GNU/Linux | November 20, 2007 at 12:31 pm | Permalink

    Hi everyone,

    It looks like the ssh-agent stuff is a bit over-complicated for me... I chose to drop this in the ~/.ssh/config file on the remote computer:

    Host hostname.com
       IdentityFile /home/randy/id_rsa
       User billy

    This way, I can be logged in on the remote computer as anyone and can still get back to my server by simply typing ssh hostname.com. This also makes sshfs's connections transparent (no password prompt). Nice for automation and much easier (in my opinion) than ssh agents running around with their little black hats... :)

    I do, however, like the ssh-agent idea for other uses though.

    Thanks for the great tutorial,

    Christopher

  8. Mike using Google Chrome 32.0.1700.77 on Mac OS | January 16, 2014 at 7:29 am | Permalink

    This is a very good article on SSH login without password. Here is another one that worked for me when I first started doing this. It's very simple, concise and easy to understand. http://tinyurl.com/m9ztegw
