This article details how to set up RSA key authentication for remote SSH logins without the need for typing in a password. This is especially useful for using remote ssh commands in shell scripts. And these instructions will work in Mac OS X.
Create the keys:
First we need to generate the keypair. We do this with the ssh-keygen command and two switches. The option -b 4096 tells the program we want a key size of 4K (2048 or 2K is the minimum safe key length as of the writing of this article) and -t rsa tells the program we’d like the keypair to be of type RSA. Running this command will prompt you for additional information as seen below.
LocalHost:~ localuser$ ssh-keygen -b 4096 -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/localuser/.ssh/id_rsa): ssh.4096.remotesite.com.key
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ssh.4096.remotesite.com.key.
Your public key has been saved in ssh.4096.remotesite.com.key.pub.
The key fingerprint is:
62:a1:ff:27:ad:5b:eb:d4:be:83:a2:ac:dc:6f:9b:f2 localuser@LocalHost.local
The key's randomart image is:
+--[ RSA 4096]----+
|                 |
|        xXx      |
|                 |
|    ;  W         |
|  ~-_=o Q        |
|  < ii|          |
| ''+Po{          |
|lla----          |
|*&#$K]\\         |
+-----------------+
The only thing we typed in was the filename to save the key as. Don’t enter a passphrase, or you won’t be able to script the SSH commands. This created the ssh.4096.remotesite.com.key in the $HOME or ~ directory.
Clean house:
Now let us fix the filenames, set the permissions, and put the files in the proper place.
LocalHost:~ localuser$ mv ssh.4096.remotesite.com.key ssh.4096.remotesite.com.key.pri
LocalHost:~ localuser$ mv ssh.4096.remotesite.com.key.p* .ssh/
LocalHost:~ localuser$ chmod 700 .ssh
LocalHost:~ localuser$ chmod 600 .ssh/ssh.4096.remotesite.com.key.p*
I like to know which file is public and which is private. You can use .key and .crt instead of .key.pri and .key.pub if you’d like. Whatever your OCD dictates. Setting the directory permissions on your .ssh directory and your keys is not optional. Protect your secrets; protect your keys!
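Since the permission step above is the one people skip and then regret, here is an added example (not code from the original article) that audits a .ssh directory against exactly those settings and applies the same chmod fix. Private keys are recognised by their PEM header rather than by name, so the .key.pri convention above and the default id_rsa name are both handled. The build_demo_dir helper and the placeholder file contents are constructed for this example; they are not real keys.

```python
import os
import stat
import tempfile

# Added example (not from the original article): audit a .ssh directory against
# the permissions the "Clean house" step sets, and apply the matching fix.

DIR_MODE = 0o700      # chmod 700 .ssh
SECRET_MODE = 0o600   # chmod 600 for anything that holds a secret
PERM_BITS = 0o777     # permission bits only, not file type or setuid/setgid


def is_private_key(path):
    """True if the file begins with a PEM-style private key header."""
    try:
        with open(path, "r", errors="replace") as fh:
            first = fh.readline()
    except OSError:
        return False
    return first.startswith("-----BEGIN ") and "PRIVATE KEY" in first


def audit_ssh_dir(ssh_dir):
    """Return a list of (name, finding) tuples; an empty list is a pass."""
    findings = []
    dir_mode = os.stat(ssh_dir).st_mode & PERM_BITS
    if dir_mode != DIR_MODE:
        findings.append((".", "directory mode %o, expected %o" % (dir_mode, DIR_MODE)))
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        mode = os.stat(path).st_mode & PERM_BITS
        private = is_private_key(path)
        if private and mode & 0o077:
            # ssh itself refuses to use a private key that others can read
            findings.append((name, "private key mode %o readable by others, expected %o"
                             % (mode, SECRET_MODE)))
        elif not private and mode & 0o022:
            # public keys and authorized_keys are not secret, but must not be
            # writable by anyone else
            findings.append((name, "mode %o writable by others" % mode))
    return findings


def fix_permissions(ssh_dir):
    """Same steps as the article: 700 on the directory, 600 on the files."""
    os.chmod(ssh_dir, DIR_MODE)
    for name in os.listdir(ssh_dir):
        path = os.path.join(ssh_dir, name)
        if os.path.isfile(path):
            os.chmod(path, SECRET_MODE)


def build_demo_dir():
    """Create a throw-away .ssh directory of constructed placeholder files
    (not real keys) so the audit can be demonstrated offline. Returns its path."""
    ssh_dir = os.path.join(tempfile.mkdtemp(prefix="ssh-audit-demo-"), ".ssh")
    os.mkdir(ssh_dir)
    os.chmod(ssh_dir, 0o755)  # deliberately too open, like a fresh mkdir
    files = {
        "ssh.4096.remotesite.com.key.pri": (
            "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
            0o600),
        "ssh.4096.remotesite.com.key.pub": (
            "ssh-rsa PLACEHOLDER localuser@LocalHost.local\n", 0o644),
        "leaked.key.pri": (  # a private key left world-readable
            "-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n",
            0o644),
        "known_hosts": ("remotesite.com ssh-rsa PLACEHOLDER\n", 0o644),
    }
    for name, (content, mode) in files.items():
        path = os.path.join(ssh_dir, name)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return ssh_dir


if __name__ == "__main__":
    demo = build_demo_dir()
    for name, finding in audit_ssh_dir(demo):
        print("%s: %s" % (name, finding))
    fix_permissions(demo)
    print("after fix:", audit_ssh_dir(demo))
```

Point audit_ssh_dir at your real ~/.ssh to check it; the demo directory only exists to show what a failing audit looks like (an over-permissive directory and a world-readable private key) and that fix_permissions clears it.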
Remote Control:
Now we can set up the remote site to accept the keys.
LocalHost:~ localuser$ ssh user@remotesite.com mkdir -p .ssh
user@remotesite.com's password:
LocalHost:~ localuser$ ssh user@remotesite.com chmod 700 .ssh
user@remotesite.com's password:
LocalHost:~ localuser$ cat ssh.4096.remotesite.com.key.pub | ssh user@remotesite.com 'cat >> .ssh/authorized_keys'
user@remotesite.com's password:
LocalHost:~ localuser$ ssh user@remotesite.com chmod 600 .ssh/authorized_keys
user@remotesite.com's password:
You’ll have to type in your password for each command above.
Now all that is left to do is set up the command to connect to the remote machine.
Optional SSH Config:
Create a file .ssh/config with the following contents:
host remotesite.com
IdentityFile ~/.ssh/ssh.4096.remotesite.com.key.pri
host remotesite.org
IdentityFile ~/.ssh/ssh.4096.remotesite.com.key.pri
host secondremotesite.edu
IdentityFile ~/.ssh/ssh.4096.secondremotesite.edu.key.pri
host thirdremotesite.info
IdentityFile ~/.ssh/ssh.4096.thirdremotesite.info.key.pri
The first two lines are all we need. But if remotesite.com and remotesite.org pointed to the same server, you would want to set them both up with the same remotesite.com key, as shown. And if you have many sites you need to SSH to from your workstation, you can set each one up separately here by following the same pattern.
This will allow you to connect to the remote site with the following command:
LocalHost:~ localuser$ ssh user@remotesite.com
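When a login falls back to a password prompt, the usual question is "which key did ssh actually offer for this host?". The following is an added example, not code from the original article, that reads the Host / IdentityFile layout above and answers that. It implements the two ssh_config rules that matter here: Host patterns are shell-style wildcards (with ! negation), and for single-valued options the first value found wins, while IdentityFile accumulates so every matching key is offered in config order. SAMPLE_CONFIG is the article's config plus an assumed "host *" fallback block and Port lines, constructed here to show precedence; Match and Include directives are not handled.

```python
import fnmatch
import re

# Constructed sample (not from the original article): the config above plus an
# assumed "host *" fallback block and Port lines, added to show precedence.
SAMPLE_CONFIG = """\
host remotesite.com
IdentityFile ~/.ssh/ssh.4096.remotesite.com.key.pri
host remotesite.org
IdentityFile ~/.ssh/ssh.4096.remotesite.com.key.pri
host secondremotesite.edu
IdentityFile ~/.ssh/ssh.4096.secondremotesite.edu.key.pri
Port 2222
host thirdremotesite.info
IdentityFile ~/.ssh/ssh.4096.thirdremotesite.info.key.pri
host *
IdentityFile ~/.ssh/id_rsa
Port 22
"""


def parse_ssh_config(text):
    """Return a list of (patterns, options) blocks in file order.

    patterns is the list of Host patterns for the block; options maps a
    lowercased keyword to the list of values seen for it inside the block.
    """
    blocks = []
    current = (["*"], {})  # options before the first Host line apply everywhere
    blocks.append(current)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts "Keyword value" as well as "Keyword=value"
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            current = (value.split(), {})
            blocks.append(current)
        else:
            current[1].setdefault(keyword, []).append(value)
    return [block for block in blocks if block[1]]  # drop the implicit block if unused


def host_matches(patterns, hostname):
    """A block applies when some pattern matches and no '!' pattern matches."""
    matched = False
    for pattern in patterns:
        if pattern.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pattern[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pattern):
            matched = True
    return matched


def resolve_option(blocks, hostname, keyword):
    """Single-valued options such as Port or User: the first value found wins."""
    keyword = keyword.lower()
    for patterns, options in blocks:
        if host_matches(patterns, hostname) and keyword in options:
            return options[keyword][0]
    return None


def identity_files(blocks, hostname):
    """IdentityFile is cumulative: return every matching key path, in order."""
    paths = []
    for patterns, options in blocks:
        if host_matches(patterns, hostname):
            for path in options.get("identityfile", []):
                if path not in paths:
                    paths.append(path)
    return paths


if __name__ == "__main__":
    blocks = parse_ssh_config(SAMPLE_CONFIG)
    for host in ("remotesite.org", "secondremotesite.edu", "example.net"):
        print(host, "->", identity_files(blocks, host),
              "port", resolve_option(blocks, host, "Port"))
```

Feed it the contents of your own ~/.ssh/config to see the key list ssh will walk for a given host; if the key you expect is missing or comes after a fallback that the server rejects, that explains the password prompt.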
Optional Alias:
You could instead just use the -i switch for ssh. It does make the command longer, but it’s still a command that needs to be shortened with an alias anyway. I like putting all the details in the alias without relying on configuration files for things to work. It makes debugging easier when stuff breaks.
Since no one likes typing, we will create an alias. Then all we need to type in to access remotesite.com is “remotesite”. Putting that alias command in your .bashrc (or .bash_profile for you Mac OS X people) is highly recommended.
LocalHost:~ localuser$ alias remotesite='/usr/bin/ssh -i ~/.ssh/ssh.4096.remotesite.com.key.pri user@remotesite.com'
LocalHost:~ localuser$ remotesite
Welcome to remotesite.com
Any malicious and/or unauthorized activity is strictly forbidden.
All activity may be logged by the NSA, Iran, North Korea and/or China.
Last login: Mon May 5 12:27:49 1997 from LocalHost.local
RemoteSite:~ user$
And you just logged into your remote site without typing in a password. Now the local user account can run scripts that call ssh commands to this remotesite and they will execute without the need for human intervention. Pat yourself on the back. Well done.
Some things worth mentioning:
The directory .ssh and the file .ssh/authorized_keys can be configured differently in the server’s /etc/sshd_config file.
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
RSA Authentication can be disallowed by the administrator of the box, or they could have changed the default location where the keys reside. You’re on your own if the above instructions don’t work for you.
Actual mileage may vary. Objects in mirror are closer than they appear. Names were changed to protect the innocent. Standard disclaimers apply. This tape will self destruct in 10 seconds. Good Luck.