There are a lot of things you can do with computers to create security, that's why Security is a process, not a product. One such thing is to use SSH Keys to authenticate with a remote host, rather than typing in your password all the time. Of course, using SSH Authentication keys is convenient as well.
Also, another good HOWTO can be found at http://www.debuntu.org/ssh-key-based-authentication
Contents
Secure Shell Key Authentication
Setting up SSH Key Authentication allows a user account to connect from one server to another without requiring a password login. This can be utilized for applications (e.g. Nagios monitoring other servers), as well as for publish scripts that move files around servers as well as individual users.
Desktop Applications
Graphical desktop tools such as Seahorse or KGpg can make this simpler for users, but it's worth understanding the command-line instructions for greater utility. The added features of a desktop encryption tool is that they allow you to encrypt files in your file manager via a simple right-click menu.
Assuming you have generated a key, you can use Seahorse to "configure key for Secure Shell" with a simple right-click.
Procedure
- If you are an administrator, please assume the role of the user for whom you are setting up this service.
sudo su user
- Ensure the user has a
~/.ssh/
directory with appropriate permissions. It must allow the user access for RWX, and group and other permissions must not be writable. Typically, 755 is a good setup. If they don't have one, thenNote that the actual identity files should NOT be readable by anyone but the user becausemkdir ~/.ssh/ && chmod 755 ~/.ssh
ssh-add
ignores identity files if they are accessible by others. That means files like id_rsa should be 600 and id_rsa.pub should be 644 - Create a new private/public key pairing for the user. Type: RSA, Bits: 1024, File:~/.ssh/identity[.pub]
ssh-keygen -t rsa -b 1024 -f ~/.ssh/identity
- Copy the contents of ~/.ssh/identity.pub so you can paste it in a file on the remote server.
- Login to the remote server and assume the role of the user for whom you are setting up this service in step 1 above.
- On the remote server, ensure the user account also has a
~/.ssh/
directory with the same permissions as in step 2 above. - Open a Text Editor and edit ~/.ssh/authorized_keys
- Paste the public key from step 4 above into this file, on one line only.
- Try logging in from the first server to the second without using a password.
One-liner
ssh-copy-id -i ~/.ssh/id_rsa.pub -o IdentitiesOnly=true admin@qbucket
ssh admin@qbucket
Troubleshooting
Check /var/log/auth.log
on the remote server for details if this doesn't work as expected.
When logging in to the server, use the verbosity switch on the ssh command. Increase verbosity with additional "v"s
ssh -vvv me@example.com
If you want to check what version of SSH is running on a server, you could do this with telnet (although the ssh client will also tell you this information):
- $ telnet example.com 22
- Trying 192.168.1.1...
- Connected to example.com.
- Escape character is '^]'.
- SSH-2.0-OpenSSH_4.3
- ^]
- telnet> quit
- Connection closed.