SSH How to

If you use SSH a lot (whether you SSH into a school machine or even use SSH with SVN), you must set up your public/private keys so that you never have to enter your password again. I find it much more secure than a password because, so long as you keep your private key private, you never have to worry. And how many times have you typed the wrong password because you tried to type it fast while your group partner blinked and maybe missed what you typed?!?!?! Not to mention, if you use SCP, you won't be prompted for a password, and the biggest benefit: if you followed my SVN How-to, this will ease your checking in and out of the repository.

The way these keys work is that they come in pairs. You can give your public key to anyone you want, but without your private key they can't gain access to anything. So you should do this for any computer from which you use SSH. The keys are specific to a user on a machine, so if you want to SSH from both your home desktop and your laptop to your MSDL machine, you must make two different keys, one on your desktop and another on your laptop. If two different users on your home desktop want to SSH into an MSDL machine, you must make a key pair for each user. Here are the steps to follow:

  • Log into the machine you SSH from.
  • Issue the following command:

    ssh-keygen

    The default key type is RSA (which is apparently, though disputed, better than DSA). The default settings are good enough for tough security.
  • Next you will be prompted for a file name in which to store the private key. Since each user on each machine generates only one pair, use the default file name (id_rsa).
  • Next you will be prompted for a passphrase. Just press enter (i.e. leave it blank) so that you never have to enter anything and you just log in.
  • Confirm your blank passphrase by pressing enter again.
Now you should have two new files in your $HOME/.ssh folder, one called id_rsa and another called id_rsa.pub. id_rsa is your private key and you should protect it with your life. You must leave this file in the $HOME/.ssh folder since this is where the SSH program looks for the private key. The id_rsa.pub file contains your public key and you can do whatever you want with it (don't go posting it on the web, but you could if you really wanted to). But before you do anything else with it, you must complete the following steps to finish the key pairing:
  • Copy the id_rsa.pub file to mykey.pub (in case the remote machine already has an id_rsa.pub file in your $HOME/.ssh folder).
  • Now scp mykey.pub to the remote machine(s) you want to connect to without using your password with the following command:

    scp mykey.pub username@some.machine.cs.mcgill.ca:.ssh/

    The ".ssh/" after the ":" will directly scp the mykey.pub file into the $HOME/.ssh folder of the remote machine.
  • On each remote machine, go into the $HOME/.ssh folder and issue the following command:

    cat mykey.pub >> authorized_keys

    This appends the key to the authorized_keys file, which tells the SSH server who is allowed to log in based on key pairs.
  • Finally, delete mykey.pub on the remote machine so that you don't have old junk lying around.
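The steps above, scripted the way I would do it on the remote side. This is an added example and not code from the original page: install_pubkey does the "cat mykey.pub >> authorized_keys" step, but first checks that the same key is not already listed (so re-running the how-to does not pile up duplicate lines) and sets the permissions sshd expects. With the blank passphrase chosen above, file permissions are the only thing protecting id_rsa on the client, and sshd is just as strict on the server: with StrictModes (the default) it ignores a ~/.ssh or authorized_keys that is group- or world-writable, which is the usual reason "it still asks for my password" after following these steps. The temporary directory stands in for the remote machine's $HOME/.ssh, and the key line is a constructed sample, not a real key.

```shell
#!/bin/sh
# Added example (not code from the original page): the append-to-authorized_keys
# step, done the way an administrator would script it.
# Paths, the sample key and the simulated "remote" directory are constructed.

# install_pubkey <pubkey_file> <ssh_dir>
# Appends the key in <pubkey_file> to <ssh_dir>/authorized_keys unless that key
# is already there, then sets the permissions sshd expects (with StrictModes,
# the default, sshd ignores a group- or world-writable ~/.ssh or authorized_keys).
# Returns 0 when the key was installed, 1 when it was already present.
install_pubkey() {
    pubkey_file="$1"
    ssh_dir="$2"
    auth="$ssh_dir/authorized_keys"

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"

    # An OpenSSH public key line is "<type> <base64 key> [comment]".
    # Compare on the base64 field, so the same key with a different comment
    # is still recognised as a duplicate.
    key_blob=$(awk 'NR==1 {print $2}' "$pubkey_file")
    if awk -v k="$key_blob" '$2 == k {found=1} END {exit !found}' "$auth"; then
        return 1
    fi
    cat "$pubkey_file" >> "$auth"
    return 0
}

# count_keys <ssh_dir>: how many key lines authorized_keys holds.
count_keys() {
    grep -c '^ssh-' "$1/authorized_keys"
}

# Demo: a constructed public key (not a real key) installed into a temporary
# directory standing in for the remote machine's ~/.ssh.
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCCONSTRUCTEDKEYNOTREAL= me@home\n' \
    > "$demo_dir/mykey.pub"
install_pubkey "$demo_dir/mykey.pub" "$demo_dir/remote_ssh" && echo "installed"
install_pubkey "$demo_dir/mykey.pub" "$demo_dir/remote_ssh" || echo "already present"
echo "keys now in authorized_keys: $(count_keys "$demo_dir/remote_ssh")"
rm -rf "$demo_dir"
```

Run it as `sh install_pubkey.sh`; the second install_pubkey call reports "already present" and the count stays at 1. On a real remote machine you would pass "$HOME/mykey.pub" and "$HOME/.ssh" instead of the demo directory.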
So, for example, if you want to connect to your MSDL machine and a machine in Trottier from your home computer, you generate ONE key pair on your home computer and copy the SAME public key from your home computer to ONE of the machines in MSDL and ONE of the machines in Trottier. Now you can SSH from home into MSDL or Trottier without hassle. But why only ONE machine in MSDL/Trottier?

The neat thing about your filesystem in Trottier (and also in MSDL) is that it is mounted from a central server. This means that no matter which computer you log into in these areas, your home folder will contain the same .ssh folder with the same private key and authorized_keys file.

Now back to the example. Suppose I also want to log in from MSDL into Trottier. I would generate a new key pair on my MSDL machine and append the public key of my MSDL machine to the authorized_keys file in my Trottier account. Now my Trottier account should have two public keys in its authorized_keys file, one from my home computer and another from my MSDL machine.

Now, if you want to SSH between computers in Trottier, you don't have to generate a new key pair for each machine. Because the filesystem is mounted, you can go to any machine, generate a key pair, and on the same machine add the public key to the authorized_keys file. This is because when you try to SSH into another Trottier machine from your current Trottier machine, you will send your private key with your SSH request. Within the same account, SSH will match your private key with a public key in the authorized_keys file (which is also on the same account), and you are granted access.

BEWARE: if you issue the command

ssh-keygen

and overwrite your key pair on some machine A, you will have to go and modify the authorized_keys files on ALL remote machines that A connects to.
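What "modify the authorized_keys files" means in practice is removing the line that held A's old public key, since the server only ever holds the public half (the client proves it has the private key by signing a challenge; the key file itself is never sent), and adding the new one with the steps above. The following is an added example, not code from the original page, that does the removal by matching the key material of the old public key rather than deleting lines by hand, so other machines' keys in the same file are untouched. Paths and the sample key lines are constructed.

```shell
#!/bin/sh
# Added example (not code from the original page): the clean-up the BEWARE
# paragraph calls for. After machine A regenerates its key pair, the old
# public key is still listed in authorized_keys on every remote A used to
# reach; this removes that stale line by its key material and leaves all
# other keys alone. Paths and the sample keys are constructed.

# revoke_pubkey <old_pubkey_file> <ssh_dir>
# Rewrites <ssh_dir>/authorized_keys without any line whose base64 key field
# matches the old key, keeping the file at mode 600.
# Prints the number of lines removed.
revoke_pubkey() {
    old_blob=$(awk 'NR==1 {print $2}' "$1")
    auth="$2/authorized_keys"
    tmp="$auth.tmp.$$"

    awk -v k="$old_blob" '$2 != k' "$auth" > "$tmp"
    removed=$(( $(wc -l < "$auth") - $(wc -l < "$tmp") ))
    chmod 600 "$tmp"
    mv "$tmp" "$auth"   # rename in place: sshd never sees a half-written file
    echo "$removed"
}

# list_comments <ssh_dir>: the comment field of each remaining key, one per
# line (the comment is the quickest way to tell which machine a key came from).
list_comments() {
    awk '/^ssh-/ {print $3}' "$1/authorized_keys"
}

# Demo: a remote account trusting a home machine and machine A; A's key pair
# is then regenerated, so its old public key must go.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/ssh"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCHOMEKEYNOTREAL= me@home\n' \
    > "$demo_dir/ssh/authorized_keys"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCOLDAKEYNOTREAL= me@machineA\n' \
    >> "$demo_dir/ssh/authorized_keys"
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCOLDAKEYNOTREAL= me@machineA\n' \
    > "$demo_dir/old_a.pub"
echo "removed: $(revoke_pubkey "$demo_dir/old_a.pub" "$demo_dir/ssh")"
echo "remaining:"
list_comments "$demo_dir/ssh"
rm -rf "$demo_dir"
```

Keep a copy of the old id_rsa.pub before running ssh-keygen again, or you will have nothing to match against and will be back to editing each authorized_keys file by hand.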

Maintained by Reehan Shaikh. Last Modified: 2008/09/15 01:07:51.