SSH How to
If you use SSH a lot (whether you SSH into a school machine or use SSH with SVN), you
should set your public/private keys up so that you never have to enter your password again.
I find it much more secure than a password because, so long as you keep your private key
private, you never have to worry. And how many times have you typed the wrong password because
you tried to type it fast while your group partner blinked and maybe missed what you typed?!?!?!
Not to mention, if you use SCP you won't be prompted for a password, and the biggest benefit, if
you followed my SVN How-to, is that this will ease your checking in and out of the repository.
The way these keys work is that they come in pairs. You can give your public key to anyone you
want, but if they don't have your private key, they can't gain access to anything. So you should
do this for any computer on which you use SSH. The keys are specific to user and machine, so if
you want to SSH from your home desktop and your laptop to your MSDL machine, you must make two
different keys, one on your desktop and another on your laptop. If you have two different users
on your home desktop that want to SSH into an MSDL machine, you must make a key-pair for each
user. Here are the steps to follow:
- Log into the machine you SSH from.
- Issue the following command:
ssh-keygen
The default key type is RSA (which is said, though this is disputed, to be better than DSA). The
default settings are good enough for tough security.
- Next you will be prompted for a file name in which to store the private key. Since each user on
each machine will generate one pair only, use the default file name (id_rsa).
- Next you will be prompted for a passphrase. Just press enter (i.e. leave it blank) so you
never have to enter anything and you just log in.
- Confirm your blank passphrase by pressing enter again.
Now you should have two new files in your $HOME/.ssh folder, one called id_rsa and another called
id_rsa.pub. id_rsa is your private key and you should protect it with your life. You must leave
this file in the $HOME/.ssh folder since this is the place the SSH program looks for the private
key. The id_rsa.pub file contains your public key and you can do whatever you want with it
(don't go posting it on the web, but you could if you really wanted to). But before you do
whatever you want with it, you must do the following steps in order to complete the key-pairing:
- Copy the id_rsa.pub file to mykey.pub (in case the remote machine already has an id_rsa.pub
file in your $HOME/.ssh folder).
- Now scp mykey.pub to the remote machine(s) you want to connect to without using your password
with the following command:
scp mykey.pub username@some.machine.cs.mcgill.ca:.ssh/
The ".ssh/" after the ":" will directly scp the mykey.pub file into the $HOME/.ssh folder of the
remote machine.
- On each remote machine, go into the $HOME/.ssh folder and issue the following command:
cat mykey.pub >> authorized_keys
This basically appends the key into the authorized_keys file, which tells the SSH program who
is allowed to log in based on key-pairings.
- Finally, delete mykey.pub on the remote machine so that you don't have old junk lying around.
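The copy-and-append steps above as one shell function (an added example, not part of the original how-to): it does what `cat mykey.pub >> authorized_keys` does, but skips a key that is already present, replaces an older key carrying the same user@host comment (the situation the BEWARE note at the end describes, where a key-pair was regenerated on machine A), and sets the permissions sshd requires on the .ssh folder and authorized_keys. The key contents and paths used in the comments are constructed.

```shell
#!/bin/sh
# install_pubkey <pubkey-file> <authorized_keys-file>
# Idempotent version of "cat mykey.pub >> authorized_keys".
install_pubkey() {
    pub="$1"
    auth="$2"
    [ -s "$pub" ] || { echo "no public key in $pub" >&2; return 1; }
    # A public key line looks like "<type> <base64> [comment]"; use the first line only.
    line=$(head -n 1 "$pub")
    keytype=$(printf '%s\n' "$line" | awk '{print $1}')
    keydata=$(printf '%s\n' "$line" | awk '{print $2}')
    comment=$(printf '%s\n' "$line" | awk '{print $3}')
    case "$keytype" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "unrecognised key type: $keytype" >&2; return 1 ;;
    esac
    dir=$(dirname "$auth")
    # sshd refuses keys from a world-writable .ssh folder or authorized_keys file.
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$auth"
    # Drop any line with the same key material, or the same (non-empty) comment
    # (ssh-keygen's default comment is user@host), so a regenerated key from the
    # same user and machine replaces the stale one instead of piling up beside it.
    tmp="$auth.tmp.$$"
    awk -v data="$keydata" -v cmt="$comment" '
        $2 == data { next }
        cmt != "" && $3 == cmt { next }
        { print }
    ' "$auth" > "$tmp"
    printf '%s\n' "$line" >> "$tmp"
    mv "$tmp" "$auth"
    chmod 600 "$auth"
}

# Constructed usage, run on the remote machine after the scp step:
#   install_pubkey "$HOME/.ssh/mykey.pub" "$HOME/.ssh/authorized_keys"
```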
So, for example, if you want to connect to your MSDL machine and a machine in Trottier from
your home computer, you generate ONE key-pairing on your home computer, then copy the SAME public key
from your home computer to ONE of the machines in MSDL and ONE of the machines in Trottier. Now you
can SSH from home into MSDL or Trottier without hassle. But why only ONE machine in MSDL/Trottier?
The neat thing about your filesystem in Trottier (and also in MSDL) is that it is mounted from a
central server. This means that no matter which computer you log into in these areas, your home folder
will contain the same .ssh folder with the same private/authorized keys.
Now back to the example. Suppose I also want to log in from MSDL into Trottier. I would generate a
new key-pairing on my MSDL machine and append the public key of my MSDL machine into the
authorized_keys file on my Trottier account. Now my Trottier account should have two public keys in
its authorized_keys file, one from my home computer and another from my MSDL machine.
Now, if you want to SSH between computers in Trottier, you don't have to generate a new key-pairing
for each machine. Because the filesystem is mounted, you can go to any machine, generate a key-pair,
and on the same machine add the public key to the authorized_keys file. This works because when you
try to SSH into another Trottier machine from your current Trottier machine, you authenticate your
SSH request with your private key. Within the same account, SSH will match your private key with a
public key in the authorized_keys file (which is also on the same account), and you are granted
access.
BEWARE, if you issue the command
ssh-keygen
and overwrite your key-pairing on some machine A, you will have to go and modify all the
authorized_keys files on ALL remote machines that A connects to.