{"id":208,"date":"2012-01-02T13:46:05","date_gmt":"2012-01-02T20:46:05","guid":{"rendered":"http:\/\/andrew.the-espositos.net\/blog\/?p=208"},"modified":"2012-01-02T13:47:10","modified_gmt":"2012-01-02T20:47:10","slug":"rsa-key-authentication-for-remote-ssh-logins","status":"publish","type":"post","link":"https:\/\/andrew.the-espositos.net\/blog\/2012\/01\/rsa-key-authentication-for-remote-ssh-logins\/","title":{"rendered":"RSA Key authentication for remote SSH logins"},"content":{"rendered":"<p>This article details how to set up RSA key authentication for remote SSH logins without the need for typing in a password. This is especially useful for using remote ssh commands in shell scripts. These instructions will also work in Mac OS X.<\/p>\n<h3>Create the keys:<\/h3>\n<p>First we need to generate the keypair. We do this with the ssh-keygen command and two switches. The option -b 4096 tells the program we want a 4K (4096-bit) key <em>(2048 or 2K is the minimum safe key length as of the writing of this article)<\/em> and -t rsa tells the program we&#8217;d like the keypair to be of type RSA. 
Running this command will prompt you for additional information as seen below.<\/p>\n<pre>LocalHost:~ localuser$ ssh-keygen -b 4096 -t rsa\r\nGenerating public\/private rsa key pair.\r\nEnter file in which to save the key (\/Users\/localuser\/.ssh\/id_rsa): ssh.4096.remotesite.com.key\r\nEnter passphrase (empty for no passphrase):\r\nEnter same passphrase again:\r\nYour identification has been saved in ssh.4096.remotesite.com.key.\r\nYour public key has been saved in ssh.4096.remotesite.com.key.pub.\r\nThe key fingerprint is:\r\n62:a1:ff:27:ad:5b:eb:d4:be:83:a2:ac:dc:6f:9b:f2 localuser@LocalHost.local\r\nThe key's randomart image is:\r\n+--[ RSA 4096]----+\r\n|                 |\r\n|        xXx      |\r\n|                 |\r\n|    ;  W         |\r\n|  ~-_=o Q        |\r\n|  &lt; ii|          |\r\n| ''+Po{          |\r\n|lla----          |\r\n|*&amp;#$K]\\\\         |\r\n+-----------------+<\/pre>\n<p>The only thing we typed in was the filename to save the key as. Don&#8217;t enter a passphrase, or you won&#8217;t be able to script the SSH commands. This created ssh.4096.remotesite.com.key and ssh.4096.remotesite.com.key.pub in the $HOME or ~ directory.<\/p>\n<h3>Clean house:<\/h3>\n<p>Now let us fix the filenames, set the permissions, and put the files in the proper place.<\/p>\n<pre>LocalHost:~ localuser$ mv ssh.4096.remotesite.com.key ssh.4096.remotesite.com.key.pri\r\nLocalHost:~ localuser$ mv ssh.4096.remotesite.com.key.p* .ssh\/\r\nLocalHost:~ localuser$ chmod 700 .ssh\r\nLocalHost:~ localuser$ chmod 600 .ssh\/ssh.4096.remotesite.com.key.p*<\/pre>\n<p>I like to know which file is public and which is private. You can use .key and .crt instead of .key.pri and .key.pub if you&#8217;d like. Whatever your OCD dictates. Setting the directory permissions on your .ssh directory and your keys is not optional. 
Protect your secrets; protect your keys!<\/p>\n<h3>Remote Control:<\/h3>\n<p>Now we can set up the remote site to accept the keys.<\/p>\n<pre>LocalHost:~ localuser$ ssh user@remotesite.com mkdir -p .ssh\r\nuser@remotesite.com's password: \r\nLocalHost:~ localuser$ ssh user@remotesite.com chmod 700 .ssh\r\nuser@remotesite.com's password: \r\nLocalHost:~ localuser$ cat .ssh\/ssh.4096.remotesite.com.key.pub | ssh user@remotesite.com 'cat &gt;&gt; .ssh\/authorized_keys'\r\nuser@remotesite.com's password: \r\nLocalHost:~ localuser$ ssh user@remotesite.com chmod 600 .ssh\/authorized_keys\r\nuser@remotesite.com's password:<\/pre>\n<p>You&#8217;ll have to type in your password for each command above.<\/p>\n<p>Now all that is left to do is set up the command to connect to the remote machine.<\/p>\n<h3>Optional SSH Config:<\/h3>\n<p>Create a file .ssh\/config with the following contents:<\/p>\n<pre>host remotesite.com\r\n     IdentityFile ~\/.ssh\/ssh.4096.remotesite.com.key.pri\r\nhost remotesite.org\r\n     IdentityFile ~\/.ssh\/ssh.4096.remotesite.com.key.pri\r\nhost secondremotesite.edu\r\n     IdentityFile ~\/.ssh\/ssh.4096.secondremotesite.edu.key.pri\r\nhost thirdremotesite.info\r\n     IdentityFile ~\/.ssh\/ssh.4096.thirdremotesite.info.key.pri<\/pre>\n<p>The first two lines are all we need. But if remotesite.com and remotesite.org pointed to the same server, you would want to set them up with the same remotesite.com key. And if you have many sites you need to SSH to from your workstation, you can set each one up separately here by following the pattern above.<\/p>\n<p>This will allow you to connect to the remote site with the following command:<\/p>\n<pre>LocalHost:~ localuser$ ssh user@remotesite.com<\/pre>\n<h3>Optional Alias:<\/h3>\n<p>You could instead just use the -i switch for ssh. It does make the command longer, but it&#8217;s still a command that needs to be shortened with an alias anyway. 
I like putting all the details in the alias without relying on configuration files for things to work. It makes debugging easier when stuff breaks.<\/p>\n<p>Since no one likes typing, we will create an alias. Then all we need to type in to access remotesite.com is &#8220;remotesite&#8221;. Putting that alias command in your .bashrc <em>(or .bash_profile for you Mac OS X people)<\/em> is highly recommended.<\/p>\n<pre>LocalHost:~ localuser$ alias remotesite='\/usr\/bin\/ssh -i ~\/.ssh\/ssh.4096.remotesite.com.key.pri user@remotesite.com'\r\nLocalHost:~ localuser$ remotesite\r\n\r\nWelcome to remotesite.com\r\n\r\nAny malicious and\/or unauthorized activity is strictly forbidden.\r\nAll activity may be logged by the NSA, Iran, North Korea and\/or China.\r\n\r\nLast login: Mon May 5 12:27:49 1997 from LocalHost.local\r\n\r\nRemoteSite:~ user$<\/pre>\n<p>And you just logged into your remote site without typing in a password. Now the local user account can run scripts that call ssh commands to this remote site and they will execute without the need for human intervention. Pat yourself on the back. Well done.<\/p>\n<h3>Some things worth mentioning:<\/h3>\n<p>The directory .ssh and the file .ssh\/authorized_keys can be configured differently in the server&#8217;s \/etc\/sshd_config file.<\/p>\n<pre>#RSAAuthentication yes\r\n#PubkeyAuthentication yes\r\n#AuthorizedKeysFile     .ssh\/authorized_keys<\/pre>\n<p>RSA authentication can be disallowed by the administrator of the box, or they could have changed the default location where the keys reside. You&#8217;re on your own if the above instructions don&#8217;t work for you.<\/p>\n<p>Actual mileage may vary. Objects in mirror are closer than they appear. Names were changed to protect the innocent. Standard disclaimers apply. This tape will self destruct in 10 seconds. Good Luck.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This article details how to set up RSA key authentication for remote SSH logins without the need for typing in a password. This is especially useful for using remote ssh commands in shell scripts. And these instructions will work in Mac OS X. Create the keys: First we need to generate the keypair. We do &#8230; <span class=\"more\"><a class=\"more-link\" href=\"https:\/\/andrew.the-espositos.net\/blog\/2012\/01\/rsa-key-authentication-for-remote-ssh-logins\/\">[Read more&#8230;]<\/a><\/span><\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[20],"tags":[25,24,23,19,22,21],"class_list":{"0":"entry","1":"post","2":"publish","3":"author-siteuser","4":"post-208","6":"format-standard","7":"category-technical","8":"post_tag-administration","9":"post_tag-automation","10":"post_tag-crypto","11":"post_tag-howto","12":"post_tag-ssh","13":"post_tag-unix"},"_links":{"self":[{"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/posts\/208","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/comments?post=208"}],"version-history":[{"count":0,"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/posts\/208\/revisions"}],"wp:attachment":[{"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/media?parent=208"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/categories?post=208"},{"taxonomy":"post_ta
g","embeddable":true,"href":"https:\/\/andrew.the-espositos.net\/blog\/wp-json\/wp\/v2\/tags?post=208"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}