SSH can use public key cryptography to authenticate and authorize users. This is generally considered more secure than password login, especially if you protect your private key with a pass-phrase, because the keys themselves are not susceptible to the brute-force guessing that normal passwords over SSH are.
Create and store the key pair
The first step is to generate a key, which creates two files filled with long strings of characters: a public key file that you may distribute to any machine you want to use it on, and a private key that must be kept secure. Allowing anyone else to read the private key compromises the key and could let them access any resource secured by it without your consent.
There are a number of different key types, but rsa is the most compatible. Run the command ssh-keygen -t rsa to generate the new public and private key. It will prompt you for the file in which to save the private key; the public key is stored in the same directory with a .pub extension appended. Pressing enter twice at the passphrase step creates a key without a pass-phrase.
-bash-4.2$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/derek/.ssh/id_rsa):
Created directory '/home/derek/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/derek/.ssh/id_rsa.
Your public key has been saved in /home/derek/.ssh/id_rsa.pub.
The key fingerprint is:
32:bf:db:74:1b:7e:d7:c6:4b:b5:6f:a8:82:55:3f:bf firstname.lastname@example.org
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|        .        |
|   o S . . .     |
|    + . o o      |
|   .o. o B.      |
|   .+.o o+ O     |
|    o...+o E+    |
+-----------------+
Copy the public key
Once you have generated a key pair you will want to add it to one or more computers so that you can access them. This is done with the ssh-copy-id command, which will prompt you the first time for your current password (NOT your pass-phrase). You can replace localhost with any other hostname you want to copy the key to. You can also specify an alternate user or identity file if you need to; run man ssh-copy-id in your terminal for more information. The command not only copies your key but also sets restrictive permissions on the remote ~/.ssh directory and authorized_keys file, so that no one else can tamper with the file and add additional authorized keys on the remote host.
-bash-4.2$ ssh-copy-id localhost
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
derek@localhost's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'localhost'"
and check to make sure that only the key(s) you wanted were added.
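What ssh-copy-id "secures" is the permission layout that sshd (StrictModes) and ssh both depend on. The following POSIX shell script is an added example, not part of this page or of the ssh-copy-id tool: it checks a key directory for the permission mistakes that would let another local account read your private key or append to your authorized keys, and restores the standard layout; the file names id_*, authorized_keys and authorized_keys2 are assumed to follow OpenSSH's default naming.

```shell
# Audit a ~/.ssh directory for the permission mistakes that let another local
# account read a private key or append to authorized_keys, then repair them.
# Constructed example; the id_* / authorized_keys layout is OpenSSH's default.
# True when path $1 has any of the octal permission bits $2.. set. find's
# "-perm -MODE" matches only if all bits in MODE are set, so each bit is
# tested separately; -prune keeps find from descending into a directory.
has_any_bit() {
    p=$1; shift
    for bit in "$@"; do
        [ -n "$(find "$p" -prune -perm -"$bit" -print 2>/dev/null)" ] && return 0
    done
    return 1
}
# Print one warning per finding to stderr; return the number of findings.
audit_ssh_dir() {
    dir=$1
    problems=0
    # A group- (020) or world- (002) writable directory makes sshd with
    # StrictModes ignore every authorized key inside it.
    if has_any_bit "$dir" 020 002; then
        echo "WARN: $dir is group/world writable" >&2
        problems=$((problems + 1))
    fi
    # authorized_keys writable by anyone but the owner lets another local
    # user append their own key and log in as you.
    for f in "$dir"/authorized_keys "$dir"/authorized_keys2; do
        if [ -f "$f" ] && has_any_bit "$f" 020 002; then
            echo "WARN: $f is group/world writable" >&2
            problems=$((problems + 1))
        fi
    done
    # Private keys (id_* without .pub) must be unreadable by others; ssh
    # itself refuses such a key as an UNPROTECTED PRIVATE KEY FILE.
    for f in "$dir"/id_*; do
        case $f in *.pub) continue ;; esac
        if [ -f "$f" ] && has_any_bit "$f" 040 004 020 002; then
            echo "WARN: private key $f is readable or writable by others" >&2
            problems=$((problems + 1))
        fi
    done
    return $problems
}
# Restore the standard layout: dir 700, private keys and authorized_keys 600, public keys 644.
fix_ssh_dir() {
    chmod 700 "$1"
    for f in "$1"/authorized_keys "$1"/authorized_keys2 "$1"/id_*; do
        [ -f "$f" ] || continue
        case $f in *.pub) chmod 644 "$f" ;; *) chmod 600 "$f" ;; esac
    done
}
```

Run audit_ssh_dir ~/.ssh on the cluster's shared home directory after ssh-copy-id; a non-zero return means at least one file would be rejected or is exposed, and fix_ssh_dir ~/.ssh repairs it.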
Our Torque clusters process jobs in batch and require the ability to ssh without entering a password. You can simplify the example above by telling ssh-keygen that you do not want a pass-phrase: run the command ssh-keygen -t rsa -N "". After creating this key pair, follow the "Copy the public key" instructions above with localhost as the host. Because the cluster nodes share a home directory, this makes your key usable on all of them.
-bash-4.2$ ssh-keygen -t rsa -N ""
Generating public/private rsa key pair.
Enter file in which to save the key (/home/derek/.ssh/id_rsa):
Created directory '/home/derek/.ssh'.
Your identification has been saved in /home/derek/.ssh/id_rsa.
Your public key has been saved in /home/derek/.ssh/id_rsa.pub.
The key fingerprint is:
ff:7a:99:28:fc:63:d6:10:44:4c:2e:68:76:44:76:7a email@example.com
The key's randomart image is:
+--[ RSA 2048]----+
|      .+++       |
|     + +o        |
|    + +.E        |
|   o . o.        |
|    S .          |
|     ..          |
|    . .+ o       |
|     o =.=       |
|      =o+.       |
+-----------------+
# ssh-agent [SHELL]
# ssh-add -t [TIME]
Here "[SHELL]" is your preferred shell and "[TIME]" is the number of seconds the key should stay loaded in the agent. So, the following would start a bash shell with passwordless ssh active for 30 minutes:
# ssh-agent bash
# ssh-add -t 1800
You will be prompted for your passphrase and, when entered correctly, you will be able to ssh without entering a password.
To disable this functionality, simply delete your private key file (~/.ssh/id_rsa) and remove the public key from your ~/.ssh/authorized_keys2 file.