17 Dec 2016

Key-Based SSH Logins

Author: derek0883@gmail.com

Using ssh public/private key pair on a linux server.

On client using ssh-keygen to generate key pair.

$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase):         # Enter password here
Enter same passphrase again: 
Your identification has been saved in /root/.ssh/id_rsa. # private key
Your public key has been saved in /root/.ssh/id_rsa.pub. # public  key
The key fingerprint is:
SHA256:9jxV3HxvXM8GGXUUenYVO+Ckooy6r24WrKEVM1eH9G8 root@ThinkPad
The key's randomart image is:
+---[RSA 2048]----+
|     ...     o.=B|
|      o..   +.o=+|
|     . ... . o==*|
|  + . o ...  .o+B|
|  .= . oS E .   B|
| ..o.  . + .   o |
|..o..     +      |
|.. o.      .     |
|  ++o.           |

Now copy public key to server with ssh-copy-id command.

~$ ssh-copy-id -i .ssh/id_rsa.pub username@
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
username@'s password: 
Permission denied, please try again.
username@'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'username@'"
and check to make sure that only the key(s) you wanted were added.

On server, edit /etc/ssh/sshd_config, make sure the following configuration are turned on.

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      %h/.ssh/authorized_keys

Now try to login to server with ssh, it still ask for “passphrase”

$ ssh 'username@'
Enter passphrase for key '/root/.ssh/id_rsa': 

We can using ssh-agent to avoid this:

$ ssh-agent 
SSH_AUTH_SOCK=/tmp/ssh-QLSbu5wlnvN6/agent.6888; export SSH_AUTH_SOCK;
echo Agent pid 6889;

We need manully export above environment variables, this can be avoid by ‘eval’ command

# stop privous ssh-agent
$ ssh-agent -k

# restart with eval
$ eval `ssh-agent`
Agent pid 6892

Now add private key to ssh-agent, Then can login to server without password.

$ ssh-add .ssh/id_rsa
Enter passphrase for .ssh/id_rsa: 
Identity added: .ssh/id_rsa (.ssh/id_rsa)
$ ssh username@

At the end, remember exit ssh-agent.

$ ssh-agent -k
echo Agent pid 6465 killed;