
September 18, 2014

Novice Example: Public Key Access

In the last post, we began streamlining novice Ned's problem. Our current solution still has some problems. The most annoying is the need to type a password for each server that we are going to write to.

High-level Description

We are using scp to do the copy, so the login is controlled by the SSH system. SSH supports using public keys to log in to a system. Ned will need to check with the appropriate people to be sure there is no policy preventing using public keys for access. This process requires several steps.

  • Create a public/private key pair on your local system.
  • Copy the public key to the remote system's authorized_keys file.
  • Verify and correct file permissions.

Before accessing the remote machines, you will need to execute ssh-agent and add your key to the agent. From then on, every connection to a remote host will try your key to log you in.

Creating a Key

You generate keys for SSH using the program ssh-keygen. You may want to check with your sysadmins or security group to learn if there is any company standard for keys; otherwise, running the command with no options picks reasonable defaults. Make certain to provide a good passphrase when asked. Anyone with this passphrase can use your key to impersonate you on any system that you can log into.

The ssh-keygen program should generate a pair of files in the .ssh directory under your home directory. One of those files will have a .pub extension. That is the public key. The same filename without the extension is your private key. You should make certain that the private key stays on your machine and that you don't give it to anyone.

You should make certain that the directory and any files in it are only readable and writable by you.

Using ssh-agent

Depending on how your current machine is set up, ssh-agent may or may not already be running.

If it's already running, you can skip to the next step. If you need to run ssh-agent, you still need to do a bit more. The ssh-agent program sets some environment variables needed to do its job. The easiest way to get it set up is to execute:

     # -s forces Bourne-shell style output, so the eval works whatever your login shell is
     eval "$(ssh-agent -s)"

This adds the correct variables to the current shell instance.

Adding Keys

You tell ssh-agent about the keys you want to manage with the ssh-add command. If you kept the default file name in _Creating a Key_ above, you can just execute ssh-add. If you changed the name, you will need to execute:

    ssh-add ~/.ssh/{private_key_name}

The ssh-add program will request your passphrase at this point to add the key to the agent. Afterwards (until the next time ssh-agent is restarted), ssh will get the keys from ssh-agent without asking for your passphrase.

Authorized Keys

In order to use the public key login, you need to add your public key to the .ssh/authorized_keys file on the remote machine. The simplest approach for this is

    # ssh-copy-id appends .pub to the name when it is missing, so only the public key is sent
    ssh-copy-id -i ~/.ssh/{private_key_name} user@remote_machine

If your system does not have the ssh-copy-id script, you will need to modify the authorized_keys file on the remote server yourself. Instructions for that are available in many places on-line.

It's probably a good idea to make certain that the .ssh directory and the authorized_keys file on the remote server are only readable and writable by the remote account.

Attempt to SSH into the remote server and you'll find that no password or passphrase is needed.

Lather, Rinse, Repeat

Modify the authorized_keys file as described above for each of the remote machines you need to access. Although it seems like a lot of work, this will be the last time you need to make this change for each of the remote servers.

If a new server is added to your responsibility, add your key to the authorized_keys file for the new server and you are ready to go.
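For the servers without ssh-copy-id, the steps above (append the key, skip it if already present, tighten permissions, verify) can be wrapped in a few shell functions. This is an added example, not code from the original post; the function names, the local-directory mode used for testing, and the constructed test key are all mine.

```shell
#!/bin/sh
# install_key <pubkey_file> <ssh_dir>
# Appends the public key to <ssh_dir>/authorized_keys unless the same key
# material is already there, then sets the permissions sshd expects:
# with StrictModes (the default) sshd ignores an authorized_keys file that
# is group- or world-writable, or whose .ssh directory is.
# Prints "added" or "present".
install_key() {
    pubkey_file=$1
    ssh_dir=$2
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    touch "$auth"
    # field 2 of an OpenSSH public key line is the key material; the
    # comment field can differ between copies, so compare only on that
    keydata=$(awk '{print $2}' "$pubkey_file")
    if grep -qF -- "$keydata" "$auth"; then
        status=present
    else
        cat "$pubkey_file" >> "$auth"
        status=added
    fi
    chmod 700 "$ssh_dir"
    chmod 600 "$auth"
    echo "$status"
}

# check_perms <ssh_dir>: exit 0 only if the directory is 700 and
# authorized_keys is 600 (find -perm with no sign means an exact match)
check_perms() {
    [ -n "$(find "$1" -prune -perm 700)" ] &&
    [ -n "$(find "$1/authorized_keys" -prune -perm 600)" ]
}

# push_key <pubkey_file> <user@host>: run the same append-if-missing logic
# on the remote account for systems without ssh-copy-id. Asks for the
# password once. Assumes the key line contains no single quotes.
push_key() {
    key=$(cat "$1")
    ssh "$2" "umask 077; mkdir -p ~/.ssh; touch ~/.ssh/authorized_keys;
        grep -qF -- '$key' ~/.ssh/authorized_keys || echo '$key' >> ~/.ssh/authorized_keys;
        chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys"
}

# verify_login <user@host>: succeeds only if the key logs in with no prompt
verify_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no "$1" true
}
```

Running `push_key ~/.ssh/id_ed25519.pub ned@server && verify_login ned@server` for each host in the list does the whole Lather, Rinse, Repeat section; a failing verify_login points at a permission or key problem on that host.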

Conclusion

When you are finished, you can run the script from the last post and all of the scp commands automatically log in to the remote servers.

There is more that could be done to improve the script from before, but that is left as an exercise to the reader (for now).

Posted by GWade at September 18, 2014 03:25 PM.