Revision of 12:50, 3 January 2019 (2,400 bytes added)
== Secure Shell Key Authentication ==
Setting up SSH key authentication allows a user account to connect from one server to another without typing a password: the client proves possession of a private key whose public half is listed in the remote account's <code>~/.ssh/authorized_keys</code>. This is used by applications (e.g. Nagios monitoring other servers), by publish scripts that move files between servers, and by individual users. The private key should stay on the host it was generated on and, for interactive use, be protected by a passphrase; an unattended service account should get its own key rather than a copy of a person's.
 
== SSH Agent ==
The SSH agent is a program that holds your decrypted private keys in memory so that it can present them automatically when you connect to remote hosts. Assume you are connecting from host A through B to host C. If agent forwarding is enabled (<code>ssh -A</code> or <code>ForwardAgent yes</code>) and allowed by the intermediary host, then the key held by the agent on A can be used to authenticate to host C without the private key ever being copied to host B. The catch is that while you are connected, anyone with root on B can talk to the forwarded agent socket and authenticate as you, so only forward to hosts you trust; <code>ProxyJump</code> (<code>ssh -J</code>) tunnels through B without exposing the agent at all. Even if you are connecting directly to a remote host, the agent saves you retyping the passphrase and picks the right key (assuming that you use more than one).
 
<source lang="bash">
# start an agent for this shell and load the key (asks for the passphrase once)
eval "$(ssh-agent -s)" && ssh-add ~/.ssh/eQualityTech-Test.pem
# list the keys the agent currently holds
ssh-add -l
</source>
== Desktop Applications ==
== One-liner ==
<source lang="bash">
# copy your public key into admin@qbucket's authorized_keys (prompts for the password once)
ssh-copy-id -i ~/.ssh/id_rsa.pub -o IdentitiesOnly=true admin@qbucket
# ssh-copy-id is essentially equivalent to
cat ~/.ssh/id_rsa.pub | ssh admin@qbucket "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"
# now you can just ssh, and your key will let you in
ssh admin@qbucket
# if not, check file permissions on the remote side: sshd refuses keys read from group- or
# world-writable files or directories (tail /var/log/secure or /var/log/auth.log there to see
# if there is a different problem, or use ssh -vvv from the client for maximum verbosity)
chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys
</source>
 
== Man in the Middle (JumpHost or Firewall) ==
In Maine they would say, "[https://www.youtube.com/watch?v=gD3cYh5Pp1I You ''can'' get there from here!]"
Sometimes you have to hop through a hoop before you can get to your destination host. "Man in the middle" here means a jump host (bastion) or firewall you are required to pass through, not the attack of the same name. In case you have to go from A through B to get to C (A ==> B ==> C), here's how:<ref> https://serverfault.com/questions/337274/ssh-from-a-through-b-to-c-using-private-key-on-b </ref>
<source lang="bash">
# from A: log in to B and immediately run ssh to C from there
ssh -t B ssh C
# the same, using a private key that is stored on B
ssh -t B ssh -i ~/.ssh/id_rsa C
</source>
<code>-t</code> forces pseudo-tty allocation, so the inner <code>ssh</code> gets a terminal instead of running as a plain remote command. <code>-i ~/.ssh/id_rsa</code> is the identity found on B; adding <code>-o IdentitiesOnly=true</code> stops ssh from also offering every other key it can find. Bear in mind that a private key kept on B can be used by anyone with root on B, which is why agent forwarding or <code>ProxyJump</code> is usually preferable to parking keys on the hop.
If the hoop is configured to drop idle connections after a short time-out, then you can insert a keep-alive on B so that it pings the far end every 60 seconds (do the same in A's config for the A ==> B leg, which is just as likely to be cut).
<source lang="bash">
# B:~/.ssh/config (client-side option: applies to connections B makes outward)
# keep ssh connections open
ServerAliveInterval 60
</source>
Since there are more ways than one to do something, you might also try the <code>ProxyCommand</code> option: the outer ssh talks to <code>server2</code> through a channel that an inner ssh opens on the firewall. If <code>-W</code> is not supported in your version of SSH (it arrived in OpenSSH 5.4), then your proxy command will need to run netcat on the firewall to relay the connection. OpenSSH 7.3 and later also has <code>ProxyJump</code> (<code>-J</code>), which does the same thing with one option and needs neither netcat nor agent forwarding.
<source lang="bash">
ssh -o ProxyCommand="ssh -W %h:%p firewall.example.org" server2.example.org
# older ssh without -W: netcat runs on the firewall host and relays to %h:%p
ssh -o ProxyCommand="ssh firewall.example.org nc %h %p" server2.example.org
# OpenSSH 7.3+: ProxyJump is the one-option form of the above
ssh -J firewall.example.org server2.example.org
</source>
== More ==
More configuration info is on the [[SSH]] page
 
== Troubleshooting ==
Check <code>/var/log/auth.log</code> (Debian/Ubuntu) or <code>/var/log/secure</code> (RHEL/CentOS) on the remote server for details if this doesn't work as expected; on systemd hosts <code>journalctl -u sshd</code> shows the same messages. A line such as "Authentication refused: bad ownership or modes for directory" means sshd ignored the key because of file permissions, not because the key is wrong.
When logging in to the server, use the verbosity switch on the ssh command (<code>ssh -v</code>). Increase verbosity with additional "v"s (<code>-vv</code>, <code>-vvv</code>) to see which keys the client offers and what the server answers to each.
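The permission checks referred to in the one-liner section and here are what sshd's <code>StrictModes</code> (on by default) enforces before it will read <code>authorized_keys</code>, plus the check the ssh client makes on private keys. The following script is an added example, not code from the original page: it audits a home directory for those conditions and applies the usual fix. It assumes GNU or BSD <code>stat</code>, takes the expected owner as a numeric uid, and exercises itself on a constructed, deliberately broken directory under <code>mktemp</code>.

```shell
#!/bin/sh
# Added example, not code from the original page: audit the ownership and
# permission bits that sshd checks (StrictModes) before honouring
# ~/.ssh/authorized_keys, and that the ssh client checks on private keys.
# Paths and the expected owner (a numeric uid) are arguments, so the same
# functions run against a constructed directory or a real home.

# Print "<octal mode> <owner uid>" for a path: GNU stat first, BSD stat as fallback.
mode_owner() {
    stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# Audit a home directory: home, ~/.ssh and authorized_keys must be owned by
# the user and must not be group- or world-writable; private keys must not be
# readable by anyone else. Prints one line per problem and returns the count
# (0 means sshd and ssh will accept the layout).
audit_ssh_perms() {
    home=$1; uid=$2; problems=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            echo "missing: $p"; problems=$((problems + 1)); continue
        fi
        set -- $(mode_owner "$p")
        mode=$1; owner=$2
        if [ "$owner" != "$uid" ]; then
            echo "bad owner: $p is owned by uid $owner, expected $uid"
            problems=$((problems + 1))
        fi
        # leading 0 makes the shell treat the mode as octal; 022 = group+other write
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "group/world writable: $p (mode $mode)"
            problems=$((problems + 1))
        fi
    done
    # private keys: anything in ~/.ssh named id_* that is not a .pub file
    for k in "$home"/.ssh/id_*; do
        [ -e "$k" ] || continue
        case $k in *.pub) continue ;; esac
        set -- $(mode_owner "$k")
        if [ $(( 0$1 & 077 )) -ne 0 ]; then
            echo "private key readable by others: $k (mode $1)"
            problems=$((problems + 1))
        fi
    done
    return $problems
}

# Apply the usual fix: the chmods from the one-liner section, plus closing
# group/other write on the home directory itself and locking private keys.
fix_ssh_perms() {
    home=$1
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    [ -e "$home/.ssh/authorized_keys" ] && chmod 600 "$home/.ssh/authorized_keys"
    for k in "$home"/.ssh/id_*; do
        [ -e "$k" ] || continue
        case $k in *.pub) continue ;; esac
        chmod 600 "$k"
    done
}

# Stand-alone demonstration on a constructed, deliberately broken layout
# (hypothetical paths under a temporary directory, not a real account).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/.ssh"
    : > "$tmp/home/.ssh/authorized_keys"
    : > "$tmp/home/.ssh/id_ed25519"
    chmod 755 "$tmp/home"; chmod 777 "$tmp/home/.ssh"
    chmod 666 "$tmp/home/.ssh/authorized_keys"; chmod 644 "$tmp/home/.ssh/id_ed25519"
    audit_ssh_perms "$tmp/home" "$(id -u)" || echo "-> $? problem(s) found"
    fix_ssh_perms "$tmp/home"
    audit_ssh_perms "$tmp/home" "$(id -u)" && echo "-> layout now acceptable"
    rm -rf "$tmp"
}

demo
```

Run it against a real account with <code>audit_ssh_perms /home/alice "$(id -u alice)"</code> on the server that is refusing the key; a non-zero return with the printed reasons is the same condition sshd logs as "bad ownership or modes".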