Monday, January 22, 2007

SSH Public Key Authentication

(password-less SSH authentication on *nix systems)

It's a pain to enter passwords all day. If you are like me and have a dozen or more machines and accounts to maintain, password management gets ridiculous. A great solution is public key authentication. You create a public key and a private key on a client machine, and distribute the public key to the various accounts and servers you need to access. The public key is what a server stores in order to recognise you; the private key, which stays on the client, is what proves to the server that you hold the matching key. You only create your key pair once, and place your public key on all the servers you want to configure for password-less login. If you later create a new key pair on the local machine, you will have to repeat the steps for configuring the remote machines.

Keep in mind, the idea is to have a key pair for a specific local account on a specific machine. If you want to be able to use password-less login from another machine, you should create a new key pair on that machine. DON'T simply copy your key pair to another machine.

Public key authentication also makes scripted remote management possible, but that's beyond the scope of this mini-article. So let's begin:

On Local/Client Machine
# Create .ssh directory unless it already exists
mkdir ~/.ssh
cd ~/.ssh

# Create your key pair. Specifying a passphrase encrypts your private key, so it stays protected even if the private key file is stolen. Remember, possession of the private key file is what authenticates you: if that file is compromised, every server that trusts the matching public key is compromised as well. Regardless of passphrase protection, set restrictive permissions on this file.
ssh-keygen -t dsa
chmod 600 id_dsa

# Copy your public key to the server, specifically your remote user's home directory.
scp id_dsa.pub remote_username@example.com:/home/remote_username

# Now log in to the remote machine via ssh (this time you will still be asked for your password)
ssh remote_username@example.com

On Remote/Server Machine
# Create the .ssh directory unless it exists
mkdir ~/.ssh
cd ~/.ssh

# Create the authorized key file unless it already exists
touch authorized_keys2
chmod 600 authorized_keys2

# Append your public key to the authorized key file. Directly editing the key file is generally a bad idea. Then delete the public key file you copied to this machine.
cat ~/id_dsa.pub >> authorized_keys2
rm ~/id_dsa.pub

You may now log out and log back in. This time you should be logged in automatically, without a password prompt.

If you mess up, or your private key is compromised, there is a small amount of cleanup involved. On each of the configured servers, delete the line in the authorized_keys2 file that corresponds to your public key, and delete your local key pair as well. You can then start over.
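As an added illustration (not the original post's commands), the POSIX shell functions below perform the server-side install and the cleanup described above in a repeatable way: the key is appended only if it is not already present, the .ssh directory and key file get the 700/600 modes that sshd's StrictModes check expects, and a revoke function removes one key's line without touching the others. The function names and the parameterised file paths are my own choices, so the whole thing can be rehearsed in a scratch directory before touching a real ~/.ssh.

```shell
#!/bin/sh
# Helper functions for the key-installation and cleanup steps above.
# Added illustration, not the original post's commands. File paths are
# parameters so everything can be rehearsed in a scratch directory.

# install_pubkey <pubkey_file> <authorized_keys_file>
# Installs the key once: a second run with the same key is a no-op, so
# the "cat >>" step can be repeated safely. Also sets the permissions
# sshd (with the default StrictModes) requires before trusting the file.
install_pubkey() {
    pubkey_file=$1; auth_file=$2
    ssh_dir=$(dirname "$auth_file")
    # Compare only key type and base64 body; the trailing comment may differ.
    key_body=$(awk 'NR == 1 { print $1, $2 }' "$pubkey_file")
    [ -n "$key_body" ] || { echo "unreadable or empty public key: $pubkey_file" >&2; return 1; }
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_file" && chmod 600 "$auth_file"
    if awk -v k="$key_body" '$1 " " $2 == k { found = 1 } END { if (found) exit 0; exit 1 }' "$auth_file"; then
        return 0    # already authorized, nothing to append
    fi
    cat "$pubkey_file" >> "$auth_file"
}

# revoke_pubkey <pubkey_file> <authorized_keys_file>
# Cleanup step: drop every line matching this key, keeping the other
# keys and the file's permissions intact.
revoke_pubkey() {
    key_body=$(awk 'NR == 1 { print $1, $2 }' "$1")
    tmp=$(mktemp) || return 1
    awk -v k="$key_body" '$1 " " $2 != k' "$2" > "$tmp"
    cat "$tmp" > "$2"    # rewrite in place so the 600 mode is preserved
    rm -f "$tmp"
}

# count_keys <authorized_keys_file>: number of non-blank lines
count_keys() {
    awk 'NF > 0 { n++ } END { print n + 0 }' "$1"
}

# mode_of <path>: symbolic mode string such as drwx------ (portable, no stat -c)
mode_of() {
    ls -ld "$1" | cut -c1-10
}
```

Run `install_pubkey ~/id_dsa.pub ~/.ssh/authorized_keys2` on the server in place of the touch/chmod/cat steps, and `revoke_pubkey` with the same arguments when a key has to go.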
