Introduction & Description

Do not give out, store remotely or otherwise expose your private key to the outside world or you defeat the purpose entirely of using encrypted keys. Doing so is the equivalent to locking the door to your house and leaving the keys in the handle for anyone to use/take.

We’ll be using RSA in this example however, you’re perfectly welcome and able to use DSA if you so choose. The difference is RSA, by default, uses a 2048 bit key and canbe up to 4096 bits, while DSA keys must be exactly 1024 bits as specified by FIPS 186-2. It is recommended to use a 4096 bit key as a matter of habit in today’s world where personal and private digital security is often in question, never view yourself or your systems as invulnerable and always take the strongest precautions that are available to you.

With that said we’ll give the following command to create our public/private keypair:

Doing the Work

1. Create your public and private keypair using ssh-keygen:

(you will have a public key that you copy to the computers you’ll be accessing, and a private key that does not leave your system ever.)
cd ~/.ssh
ssh-keygen -t rsa -b 4096

Generating public/private rsa key pair. Enter file in which to save the key (/home/warren/.ssh/id_rsa): example_id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in example_id_rsa. Your public key has been saved in example_id_rsa.pub. The key fingerprint is: 80:b9:33:07:27:22:cb:5a:be:ae:07:d1:79:de:23:28 warren@quetzal The key's randomart image is: +--[ RSA 4096]----+ | | | o | |....= o | |ooo..= . | |.o.++.. S | |Eo. o+o | |.o. . . | | .. | |.+o | +-----------------+

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

Generating public/private rsa key pair. Enter file in which to save the key (/home/warren/.ssh/id_rsa): example_id_rsa Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in example_id_rsa. Your public key has been saved in example_id_rsa.pub. The key fingerprint is: 80:b9:33:07:27:22:cb:5a:be:ae:07:d1:79:de:23:28 warren@quetzal The key's randomart image is: +--[ RSA 4096]----+ |                 | |     o           | |....= o          | |ooo..= .         | |.o.++.. S        | |Eo. o+o          | |.o.  . .         | |  ..             | |.+o              | +-----------------+

Private Keyfile: example_id_rsa
Public Keyfile: example_id_rsa.pub

IMPORTANT: The .ssh directory must have a permission of 700 and the authorized_keys file within that directory must have a permission of 600 to work for passwordless entry (there will be a password for the key itself). To accomplish this give the following commands as the user you will be using to ssh with:

chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys

note: If you’re using a laptop which has the possibility of being lost or stolen or you’re using several systems, you may consider using separate public/private keypairs and simply update/add to the authorized_keys file on the target systems. Remember that the private key should never leave the machine it was created on. If the laptop is then lost or stolen you can simply remove the reference to the key on the target machines authorized_keys file. You’ll need to use a naming system that allows you to quickly identify which key belongs to which host(s) as well.

Here are some simple examples:

Enter file in which to save the key (/home/user/.ssh/id_rsa):
id_rsa.dev
id_rsa.laptop
id_rsa.desktop
id_rsa.work

2. Copy your ~/.ssh/example_id_rsa.pub on the local system to ~/.ssh/authorized_keys on the remote system ising ssh-copy-id:

[user@localhost .ssh]$ ssh-copy-id -i example_id_rsa.pub 192.168.0.2

Output:
user@192.168.0.2’s password:

Now try logging into the machine, with “ssh ‘192.168.0.2’”, and check in:
~/.ssh/authorized_keys
to make sure we haven’t added extra keys that you weren’t expecting.

3. Attempt to login

[user@localhost .ssh]$ ssh 192.168.0.2

Output:
Enter passphrase for key ‘/home/user/.ssh/example_id_rsa’:
Last login: Tue Mar 23 16:04:23 2010 from foo.comcast.net
[user@remotehost]$
4. Setting up ssh for automatic passwordless login with keys using ssh-agent and ssh-add:

add these lines at the bottom of your .bash_profile:
vi ~/.bash_profile

Output:
SSHAGENT=/usr/bin/ssh-agent
SSHAGENTARGS=”-s”
if [ -z “$SSH_AUTH_SOCK” -a -x “$SSHAGENT” ]; then
eval $SSHAGENT $SSHAGENTARGS
trap “kill $SSH_AGENT_PID” 0
fi

Next, logout/login or give the command:
source ~/.bash_profile

5. Add private key identity to the local authentication agent, so we don’t need to enter our password everytime.

[user@localhost ~]$ ssh-add
Enter passphrase for /home/user/.ssh/example_id_rsa:
Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/example_id_rsa)

6. Connect to the remote system

[user@localhost ~]$ ssh 192.168.0.2
Last login: Tue Mar 23 15:57:10 2010 from foo.comcast.net
[user@remotehost ~]$

Summary

You should now be able to use the above sequence to login passwordless to any system you’ve copied your example_id_rsa.pub / authorized_keys file to. Login, use the ssh-add command, give your passphrase once and you should be able to login passwordless. You will be added to the ssh-agent for the remainder of your session until you logout, you’ll need to re-verify your passphrase with each new login session. This verification is needed only on the first use after reboot to verify you are the owner of the key.