Welcome to our Support Center
< All Topics
Print

Using SSH public/private keys

Normally for SSH logins into other machines on the network you need to give the password for your account on that remote machine. However there is a second way to authenticate to a SSH server called “publickey”. The “publickey” method requires you to have a privateĀ  key and public key.

The basic concept is this. The public key must be “registered” on the remote machine as a key that identifies you. The private key is then used from the origin machine running ssh to encrypt a login token that is passed to the remote machine. The remote machine uses the public key registered by the user to try to decrypt the token. If it works, it gives you access.

Creating the private/public key pair

First you should do an

ls ~/.ssh

and check that you don’t already have a private and public key files created. The names can be arbitrary if you modify the default configuration but by default the private key will be named id_rsa and the public key id_rsa.pub. In almost all cases they both will start with the id_ prefix and the public key file will have .pub appeneded.

If you do not see an existing pair you can create one with the ssh-keygen command. There is a decision to be made here first on the level of security you want. The level of security you want depends on how secure your ~/.ssh directory is.

ssh-keygen -t rsa -b 2048

For your personnel laptop that is encrypted, screensaver locked and only used by you, it is probably fine to create an unencrypted
private key. You do this by giving an empty passphrase to the ssh-keygen command or using -N ” as an argument. This becomes basically the equivalent of storing your account password in an unencrypted file in your home directory .

For any less secure situation (this definitely includes your NFS-based home directory on Martinos Linux systems) you should give a passphrase when you are prompted for one when running ssh-keygen. You will be prompted for this passphrase now instead of your account password when running ssh connecting to a machine were your public key (aka pubkey) is registered.

“BUT WAIT!” you say. “What is the point then? I am just trading one password for another!” True, but due to other steps you can take (described below) you will have to enter the passphrase for the private key a lot less. After running ssh-keygen you should see two new files in your ~/.ssh directory named id_rsa and id_rsa.pub. Check the permissions on the first file, the private key, as they should be read only by user (you).

Managing the passphrase for the private key

You can change the passphrase on the private key at any time by running

ssh-keygen -p -f ~/.ssh/id_rsa

If you forget the passphrase on your private key there is no way to recover it. You should just remove the id_rsa file and
rename the id_rsa.pub to LOST_id_rsa.pub. You will want to keep the pubkey around so you know which key to remove
from remote machine registrations when you are adding the new one you generate running ssh-keygen again.

Having ssh-agent automate unlocking your private key

So that you don’t have to enter the passphrase every time you ssh to a remote machine you can run the program ssh-agent followed by ssh-add on your client machine. The ssh-agent runs in the background and will remain running until the machine is rebooted or explicitly killed.

If you have done a GUI login on your Linux workstation to get a X window Desktop, you do not need run ssh-agent as the
desktop login automatically does this. But if you have done a terminal login at a text console or via sshing in, then you will
need to run it. It also must be run inside a shell eval as it outputs new environment variables that must be set.
By default is outputs settings for a Bash shell so Bash shell users should run it like this:

eval $(ssh-agent)

But Tcsh shell users must run it with the -c option like this:

eval $(ssh-agent -c)

If you run printenv | grep SSH you should now see a SSH_AGENT_PID environment variable. At this point you need to tell ssh-agent your passphrase for your private key and then on any future ssh run you make you will not need to give your passphrase. You do this by running

ssh-add

On a GUI system, if you do not run ssh-add you should get a popup window the first time you run ssh asking for the passphrase.

However, if you are sshing into our Martinos Center ssh gateways (gate, entry, door) you will have to run
ssh-agent/ssh-add on each one you use. If you though then ssh to your normal desktop workstation to use as your
central hub for sshing to other boxes, you need to do it on that box. Though if you are logged in at the GUI on the box, you
probably already have an ssh-agent running. You can see this by running

ls -ld /tmp/ssh-*

In my case on the server entry right now I see:

drwx------ 2 raines raines 4096 May 1 17:22 /tmp/ssh-9SNuXkc7kCyU

and inside that directory I see

srw------- 1 raines raines 0 May 1 17:22 agent.26494

Being a Bash user, instead of running a totally new ssh-agent I could run

export SSH_AUTH_SOCK=/tmp/ssh-9SNuXkc7kCyU/agent.26494

The socket could be stale so it is best to verify ssh-agent is still running as you by running

pgrep -f ssh-agent -u $USER -l

and you should get back a process ID number slightly larger (usually just +1) of the number at the end of the socket.

For bash shell users, there is the following script you can source that automates all the above for you.

source /usr/pubsw/bin/getsshagent.sh

DO NOT PUT THIS IN YOUR LOGIN PROFILE ~/.bashrc OR ~/.bash_profile. Better to create an alias like ‘sshx’ you use that first sources the script and then does the ssh to the remote machine. For example:


sshx ()
{
source /usr/pubsw/bin/getsshagent.sh;
/usr/bin/ssh "$@";
}

Registering your public key on the remote servers

At the Martinos Center since your home directory is centralized, you can just create and edit the ~/.ssh/authorized_keys file on the same machine you created your private and public key. The key thing if you do this is make sure that you fix permissions on the ~/.ssh/authorized_keys so they are only readable by you

chmod go-rwx ~/.ssh/authorized_keys

To register your public key on non-Martinos remote servers, you must on that server edit the file ~/.ssh/authorized_keys and add the line from the public key file id_rsa.pub to that file. There is a command that does this for you called ssh-copy-id you can run like this

ssh-copy-id -i ~/.ssh/id_rsa.pub username@remotehostname

though realize at this point you must give your account password for login. If you cannot (such as on the ERIS SSH Bastien systems) you may have to email your pubkey file to the system administrators of the remote system to install it for you.

Once you have added your passphrase to ssh-agent with ssh-add and put your public key in the ~/.ssh/authorized_keys file on the remote system, you should be able to ssh to that remote system without given any password or passphrase.