public/private key SSH on ubuntu
Here are a few notes I made when changing SSH access for an Ubuntu server over to using public/private key authentication. These instructions are for commands run on the server to generate keys which are then used to access that same server from elsewhere.
On the whole the process was exactly as straightforward as you’d think, which was nice. The users followed these steps:
1. Generate keys
The user accesses the server using SSH (still set up with passwords at this point) and runs the following command to generate keys:
ssh-keygen
We accepted the default filename (id_rsa) and left the passphrase empty. Empty passphrases aren’t recommended but there will be automated processes using these keys.
2. Set up to accept
For an SSH server to authorise a user, it must have the contents of that user’s public key in a file called authorized_keys. The user then comes along with their private key and can then gain access. We put the contents of the public key into the authorized_keys file (which doesn’t currently exist for these users).
cat id_rsa.pub > authorized_keys
3. Log in with public key
The users copied their private keys to their local machines and set up their various ssh clients to use these to gain access. For ssh-ing in from another server (and setting up with some of the clients), it’s the ssh command as usual but with the -i switch to denote the use of a specified identity file, e.g.:
ssh -i id_rsa user@host
4. Force this to be the only means of access
I had some trouble figuring out which line I needed to change in the OpenSSH config file (at /etc/ssh/sshd_config for me running Ubuntu Edgy) but in the event, this did the trick:
PasswordAuthentication no
That’s it for today, hope this helps someone … including me next time I want to do something similar :)
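Steps 2 and 4 as repeatable checks, as an added example that is not part of the original post: it appends a key without overwriting or duplicating existing entries, then reports which PasswordAuthentication line sshd would actually honour. The function names, the placeholder key and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Paths are arguments so it can be
# tried on copies before touching ~/.ssh or /etc/ssh/sshd_config.

# Step 2: add a one-line public key to authorized_keys unless it is already
# listed, with the modes sshd's default StrictModes check accepts.
install_pubkey() {
    pubkey_file=$1; ssh_dir=$2; auth_file="$ssh_dir/authorized_keys"
    key=$(cat "$pubkey_file") || return 1
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1
    grep -qxF -e "$key" "$auth_file" || printf '%s\n' "$key" >> "$auth_file"
}

# Step 4: print the value sshd would take for a global keyword. The first
# occurrence wins, keywords are case-insensitive, commented lines do not count,
# and Match blocks are not global. Include files are not followed here.
effective_setting() {
    awk -v want="$1" -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }
        /^(#|$)/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$2"
}

# An absent keyword means the built-in default (yes), so only an explicit,
# effective "no" passes.
password_login_disabled() {
    [ "$(effective_setting PasswordAuthentication "$1")" = "no" ]
}

# Constructed sample data: a placeholder key line and a config with a
# commented-out line and a later duplicate that sshd would ignore.
demo() {
    tmp=$(mktemp -d) || return 1
    echo 'ssh-rsa AAAAEXAMPLEKEYDATA user@host' > "$tmp/id_rsa.pub"
    printf '%s\n' '#PasswordAuthentication yes' 'passwordauthentication no' \
        'PasswordAuthentication yes' > "$tmp/sshd_config"
    install_pubkey "$tmp/id_rsa.pub" "$tmp/.ssh"
    install_pubkey "$tmp/id_rsa.pub" "$tmp/.ssh"   # second run adds nothing
    echo "keys listed: $(wc -l < "$tmp/.ssh/authorized_keys")"
    password_login_disabled "$tmp/sshd_config" && echo "password logins off"
    rm -rf "$tmp"
}
demo
```

On a live server, `sshd -T` prints the effective configuration including any Include files, and sshd has to be reloaded before an edit to sshd_config takes effect.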
I tried the ssh-keygen and it asks for options … I did not see any key generated…
ssh-keygen (options)..
Any idea which options I need to pick and how to load it? Thanks a lot.
mazzeo, you will get prompted for a file name – I usually just accept the default of id_rsa, but you can put any name you like in (useful if you are going to have more than one key).
Then the ssh-keygen program will prompt you to enter a passphrase – it is more secure to enter a passphrase that you will use along with your key to access a server over SSH. However in my example I left the passphrase blank (just press return) since the machine will be using this key unsupervised.
Hope that helps!
In step 2, you may find it better to use ‘>>’ instead of ‘>’ to add the key to an authorized_keys file, to avoid over-writing a key which may already be there (if you use ‘>>’ then you will append to the contents of the file, instead of ‘>’ which replaces the contents of the file)
Well, for all who were facing the options list – there should be ssh-keygen -t rsa for generating an RSA key pair. The ssh-keygen only lists usage and quits.