Generating and using SSH keys

From BNL Physics Computing

Outline

The basic outline one must follow to set this up is:

  1. Generate one or more public/private SSH2 key pairs
  2. Propagate the public key to SSH servers

After this you will likely want to see the topic Simplifying SSH access using an agent.

Generate the SSH key pairs

To generate the key pairs the program ssh-keygen should be run on the workstation or laptop at which you normally sit. The example below illustrates the process:


prompt> ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/bviren/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/bviren/.ssh/id_rsa.
Your public key has been saved in /home/bviren/.ssh/id_rsa.pub.
The key fingerprint is:
f2:b5:27:f4:ea:cb:48:00:29:1a:72:00:b2:60:89:21 bviren@minos

The two files will be in

~/.ssh/id_rsa      (the private key)
~/.ssh/id_rsa.pub  (the public key)

Note:

  • You must generate an SSH2 protocol key. Leaving off the -t flag will generate an SSH1 key.
  • The example generates an SSH2 RSA key; one can optionally or additionally specify "-t dsa" to generate an SSH2 DSA key.

Protecting your private key

Your private key is a machine-readable stand-in for your identity. To protect your identity, protect your private key.

  • Use a good passphrase. Don't choose a short password, choose a phrase. This should be a long (40+ characters) sentence or phrase and would best include a mix of different character classes. For example:

Enter passphrase (empty for no passphrase):
Teh qu!ck brown fox married me for my $$ but I still heart it?

  • Never use a blank passphrase.
  • Change the passphrase if you ever suspect it has been compromised. You can do this via:

ssh-keygen -p

  • Avoid putting the private key on a multi-user or untrusted system.

Propagating your public key yourself

Manual method

The final step is to tell remote systems that they should authorize access based on your private key. You do this by adding your public key to the ~/.ssh/authorized_keys file on the remote server.

To do this yourself you must obviously be able to log into the server by some mechanism other than SSH keys. If you cannot, see the next section.

First copy your public key to the server:

scp .ssh/id_rsa.pub user@gateway.phy.bnl.gov:.ssh/

Then log in to the server and add it to the authorized_keys file:

ssh user@gateway.phy.bnl.gov
...
cd .ssh

If the .ssh/ directory does not exist, simply make it:

mkdir .ssh
cd .ssh

Finally, append this public key to the authorized_keys file:

cat id_rsa.pub >> authorized_keys

Don't worry if the authorized_keys file does not exist; this command will create it.
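The manual method above, gathered into one POSIX shell function as an added example (this is not code from the BNL page): it creates the .ssh directory if missing, refuses an SSH1-format key, appends the key only if it is not already present, and sets the permissions that sshd's StrictModes check expects. The names install_pubkey and count_keys, and any sample key used with them, are assumptions of this example.

```shell
# Added example, not from the BNL page. Names are hypothetical.
# install_pubkey PUBFILE SSHDIR appends the first line of PUBFILE to
# SSHDIR/authorized_keys exactly once, creating SSHDIR if needed, and keeps
# the permissions sshd's StrictModes check expects (directory 700, file 600).
install_pubkey() {
    pubfile=$1
    sshdir=$2
    [ -r "$pubfile" ] || { echo "cannot read $pubfile" >&2; return 1; }
    key=$(head -n 1 "$pubfile")
    # An SSH2 public key line is "<type> <base64-blob> [comment]". An SSH1
    # key (what old ssh-keygen writes when -t is omitted) starts with a
    # number and is never accepted from authorized_keys by an SSH2 server.
    case "$key" in
        "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|"ecdsa-sha2-"*) ;;
        *) echo "not an SSH2 public key: $pubfile" >&2; return 2 ;;
    esac
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    authkeys=$sshdir/authorized_keys
    touch "$authkeys" && chmod 600 "$authkeys" || return 1
    # Match on type and blob only, so the same key with a changed comment
    # is recognised as already installed rather than appended again.
    blob=$(printf '%s\n' "$key" | awk '{ print $1 " " $2 }')
    if awk -v b="$blob" '($1 " " $2) == b { found = 1 } END { exit !found }' "$authkeys"; then
        echo "key already present in $authkeys"
        return 0
    fi
    printf '%s\n' "$key" >> "$authkeys"
    echo "key added to $authkeys"
}

# Number of key lines currently in an authorized_keys file.
count_keys() {
    grep -c . "$1"
}
```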

Automated method

Some systems have the ssh-copy-id helper program, which does this for you. If you have it, then instead of the above you can do:

ssh-copy-id -i ~/.ssh/id_rsa.pub user@gateway.phy.bnl.gov

Other ways of propagating your public key

If the above mechanism doesn't work you can try the following:

  • Some gateways mount home directories from internal systems. If this is the case, you are onsite and can connect to the internal network, then follow the above instructions but substitute your home directory server for "gateway.phy.bnl.gov".
  • Try the additional instructions for your gateway. A list of some of them is here.