Using SSH-keys to connect to a server – Putty,Solaris,Linux

2010-05-27 5 min read Linux

Generating the ssh dsa  keys

ssh-keygen -b 1024 -t dsa
When this command is executed on your local machine, it will ask you for a passphrase and generate
a 1024 bit long (-b 1024) public/private dsa (-t dsa) key pair with the ssh-keygen command.
You can also create a rsa key (-t rsa).
You can leave out the bit length parameter (default bit length is 1024).

In case you don’t like the standard key name you can specify a name using the -f name parameter.
In the process you are asked for a place to save your keys. I kept the standard path. Then you are asked for a passphrase.
Now there are two paths which you can follow :
a) the short, easy but insecure way: use no passphrase, have easy access to your remote-server, feel paranoid about someone stealing your private key
b) the a bit longer, slightly less comfortable but secure way: use a passphrase, use ssh-agent and feel safe

Copy your public key to the remote server

scp .ssh/id_dsa.pub amit@amit-agarwal.co.in:

Copy the public key (id_dsa.pub) to your remote server via scp (note the : at the end of the server address. That way the file actually ends up in our server home directory but you can specify another path if you like.
Step 2+3 – The easy way

ssh-copy-id -i .ssh/id_dsa.pub amit@amit-agarwal.co.in

DONE!

NOTE: that as the username on both machines is the same you can omit it in the command (i.e. amit-agarwal.co.in instead of amit@amit-agarwal.co.in).

Login to the remote computer and put your key into the right place {SAME for path A and B}

ssh amit-agarwal.co.in

mkdir .ssh/
cat id_dsa.pub » .ssh/authorized_keys
rm id_dsa.pub
**chmod 700 .ssh
chmod 600 .ssh/authorized_keys
**

..path b continues…

Now what makes this path almost as easy as a no-passphrase key? The magic word is ssh-agent.. What it does is basically asking you once every session for the passphrase of your private key and every time you would have to type it in, ssh-agent does it for you. ssh-agent is included in the openssh package so no trouble there…

ssh-agent

When you run ssh-agent it will print out what environment variables it would use… Well to make ssh-agent use these variables run

eval `ssh-agent`

The process id will vary for you of course. Adding eval `ssh-agent` to your .bashrc is an option so it’s started every time you create a new shell.
Now that the ssh-agent is running, we need to tell it that we have a private key and where that is.

ssh-add .ssh/id_dsa

We were asked for our passphrase, entered it, that’s all. Now you can login to your remote server without having to enter your password while your private key is password-protected. Sweet isn’t it? The only downside is that a new instance of ssh-agent needs to be created for every new console (shell) you open, that means you have to run ssh-add every time again on each console. There is a workaround to that with a program or rather a script called keychain which is covered in the next section.

Using keychain

Keychain manages one or more specified private keys. When initialized it will ask for the passphrase for the private key(s) and store it. That way your private key is password protected but you won’t have to enter your password over and over again.

Install keychain from the extra repo:

# pacman -S keychain

Edit your ~/.bashrc and add the following lines:

**/usr/bin/keychain -Q -q ~/.ssh/id_dsa
[[ -f $HOME/.keychain/$HOSTNAME-sh ]] && source $HOME/.keychain/$HOSTNAME-sh
**
If necessary, replace ~/.ssh/id_dsa with ~/.ssh/id_rsa. For those using a non-Bash shell, see keychain –help or man keychain for details on other shells.

Close your shell and open it again. Keychain should come up and if it’s your first run it will ask your for the passphrase of the specified private key.

Using ssh-agent and x11-ssh-askpass

You need to start the ssh-agent everytime you start a new Xsession. The ssh-agent will be closed when the X session ends.
Install x11-ssh-askpass which will ask your passphrase everytime you open a new Xsession:
sudo pacman -S x11-ssh-askpass

Prepend this into your ~/.xsession :

eval `/usr/bin/ssh-agent`
SSH_ASKPASS=/usr/lib/openssh/x11-ssh-askpass ssh-add < /dev/null
# then the end of the file with for example &#8221;exec dwm&#8221;

SSH connection control

In ~/.ssh/config, add the following lines:

host *
controlmaster auto
controlpath /tmp/ssh-%r@%h:%p

What this does is set a &#8221;master control&#8221; socket when you make an SSH connection. The socket is named based on the controlpath setting (%r = username, %h = hostname, %p = port).

This master socket is used for each successive connection after the first, as long as one connection still exists. That is, if you connect via ssh myuser@myhost.com, a socket named /tmp/ssh-myuser@myhost.com:22 is created. If you then ssh again to the same host, the socket is found and the remote ssh session is told to spawn a new shell. This shell does not require a login, and spawns immediately, as you&#8217;re already logged in.

PuTTY

The above procedure is a bit complicated when using PuTTY on Windows since PuTTY can&#8217;t directly use keys generated by ssh-keygen. The private key needs to be converted using PuTTYgen which you can find here. The procedure is then as follows:

  1. Generate the key pair with ssh-keygen on you Linux computer (you can log in with your usual username/password using PuTTY)
  2. Add the public key to the ~/.ssh/authorized_keys file
  3. Move the private key to the Windows machine
  4. Load the private key with PuTTYgen and click Save private key. This will convert the key so that PuTTY can use it.
  5. Start PuTTY, go to SSH->Auth and find the private key. Then simply connect to your Linux machine. You will be prompted for your username and passphrase (if you chose to enter one when you generated the keys).

Note that reversing the procedure, that is, generating the key pair with PuTTYgen and converting the public key with ssh-keygen, will NOT work.

comments powered by Disqus