Using SSH keys in Linux: Difference between revisions
(offer more explanations, but also emphasize ssh-copy-id. it appears the earlier version of this page may have focused on setting up ssh among VMs, so perhaps there should be a subordinate section that addresses those issues.) |
(Marked this version for translation) |
||
| Line 8: | Line 8: | ||
Before creating a new key pair, check to see if you already have one. If you do, but can't remember where you've used it, it's better to create a fresh one, since you shouldn't install a key of unknown security. | Before creating a new key pair, check to see if you already have one. If you do, but can't remember where you've used it, it's better to create a fresh one, since you shouldn't install a key of unknown security. | ||
<!--T:14--> | |||
Key pairs are typically located in the <code>.ssh/</code> directory in your home directory. By default, a key is named with an "id_" prefix, followed by the key type ("rsa", "dsa", "ed25519"), and the public key also has a ".pub" suffix. So a common example is <code>id_rsa</code> and <code>id_rsa.pub</code>. | Key pairs are typically located in the <code>.ssh/</code> directory in your home directory. By default, a key is named with an "id_" prefix, followed by the key type ("rsa", "dsa", "ed25519"), and the public key also has a ".pub" suffix. So a common example is <code>id_rsa</code> and <code>id_rsa.pub</code>. | ||
| Line 49: | Line 50: | ||
When prompted, enter a passphrase. If you already have key pairs saved with the default names, you may wish to enter a different file name for the new keys to avoid overwriting existing key pairs. | When prompted, enter a passphrase. If you already have key pairs saved with the default names, you may wish to enter a different file name for the new keys to avoid overwriting existing key pairs. | ||
=Installing the public part of the key= | =Installing the public part of the key= <!--T:15--> | ||
<!--T:16--> | |||
The simplest, safest way to install a key to a remote system is using the ssh-copy-id command: | The simplest, safest way to install a key to a remote system is using the ssh-copy-id command: | ||
<source lang="console"> | <source lang="console"> | ||
| Line 57: | Line 59: | ||
This assumes that the new keypair is named "mynewkey" and "mynewkey.pub", and that your username on the remote machine is the same as your local username. | This assumes that the new keypair is named "mynewkey" and "mynewkey.pub", and that your username on the remote machine is the same as your local username. | ||
<!--T:17--> | |||
If necessary, you can do this "manually" - in fact, ssh-copy-id isn't doing anything very magic. It's simply connecting to the remote machine, and placing the public key into <code>.ssh/authorized_keys</code> in your home directory there. The main benefit from using <code>ssh-copy-id</code> is that it will create files and directories if necessary, and will ensure that the permissions on them are correct. You can do it entirely yourself by copying the public key file to the remote server, then: | If necessary, you can do this "manually" - in fact, ssh-copy-id isn't doing anything very magic. It's simply connecting to the remote machine, and placing the public key into <code>.ssh/authorized_keys</code> in your home directory there. The main benefit from using <code>ssh-copy-id</code> is that it will create files and directories if necessary, and will ensure that the permissions on them are correct. You can do it entirely yourself by copying the public key file to the remote server, then: | ||
<code> | <code> | ||
| Line 72: | Line 75: | ||
Note that debugging the remote conditions may bot be obvious without the help of the remote machine's system administrators. | Note that debugging the remote conditions may bot be obvious without the help of the remote machine's system administrators. | ||
=Connecting using a key pair= | =Connecting using a key pair= <!--T:6--> | ||
<!--T:6--> | |||
<li>Finally test the new key by sshing to the remote machine from the local machine with | <li>Finally test the new key by sshing to the remote machine from the local machine with | ||
<source lang="console">[name@server]$ ssh -i /home/ubuntu/.ssh/id_rsa USERNAME@ADDRESS</source> | <source lang="console">[name@server]$ ssh -i /home/ubuntu/.ssh/id_rsa USERNAME@ADDRESS</source> | ||
Revision as of 19:34, 22 November 2019
Parent page: SSH
Creating a key pair
Before creating a new key pair, check to see if you already have one. If you do, but can't remember where you've used it, it's better to create a fresh one, since you shouldn't install a key of unknown security.
Key pairs are typically located in the .ssh/ directory in your home directory. By default, a key is named with an "id_" prefix, followed by the key type ("rsa", "dsa", "ed25519"), and the public key also has a ".pub" suffix. So a common example is id_rsa and id_rsa.pub.
If you do need a new key, you can generate it with the ssh-keygen command:
[name@server]$ ssh-keygen -b 2048 -t rsa
(this example explicitly asks for a 2kbit RSA key, which is a reasonable choice.)
The output will be similar to the following:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/username/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/username/.ssh/id_rsa.
Your public key has been saved in /home/username/.ssh/id_rsa.pub.
The key fingerprint is:
ef:87:b5:b1:4d:7e:69:95:3f:62:f5:0d:c0:7b:f1:5e username@hostname
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| . |
| o . |
| S o o.|
| . + +oE|
| .o O.oB|
| .. +oo+*|
| ... o..|
+-----------------+
When prompted, enter a passphrase. If you already have key pairs saved with the default names, you may wish to enter a different file name for the new keys to avoid overwriting existing key pairs.
Installing the public part of the key
The simplest, safest way to install a key to a remote system is using the ssh-copy-id command:
ssh-copy-id -i mynewkey graham.computecanada.ca:
This assumes that the new keypair is named "mynewkey" and "mynewkey.pub", and that your username on the remote machine is the same as your local username.
If necessary, you can do this "manually" - in fact, ssh-copy-id isn't doing anything very magic. It's simply connecting to the remote machine, and placing the public key into .ssh/authorized_keys in your home directory there. The main benefit from using ssh-copy-id is that it will create files and directories if necessary, and will ensure that the permissions on them are correct. You can do it entirely yourself by copying the public key file to the remote server, then:
mkdir ~/.ssh
cat id_rsa.pub >> ~/.ssh/authorized_keys
chmod --recursive go-rwx .ssh
chmod go-w ~
SSH is picky about permissions, on both the client and the server. SSH will fail if the following conditions are not met:
- The private key file must not be accessible to others.
chmod go-rwx id_rsa - Your remote home directory must not be writable by others
chmod go-w ~ - Same for your remote ~/.ssh and ~/.ssh/authorized_keys
chmod --recursive go-rwxw ~/.ssh
Note that debugging the remote conditions may bot be obvious without the help of the remote machine's system administrators.
Connecting using a key pair
[name@server]$ ssh -i /home/ubuntu/.ssh/id_rsa USERNAME@ADDRESS
where
/home/ubuntu/.ssh/id_rsaspecifies your private key file;USERNAMEis the user name on the remote machine;ADDRESSis the address of the remote machine.
If you have administrative access on the server and created the account for other users, they should test the connection out themselves and not disclose their private key.