Generating RSA Keys
The first step involves creating a set of RSA keys for use in authentication.
This should be done on the client.
To create your public and private SSH keys on the command-line:
mkdir ~/.ssh chmod 700 ~/.ssh ssh-keygen -t rsa
You will be prompted for a location to save the keys, and a passphrase for the keys. This passphrase will protect your private key while it’s stored on the hard drive:
Generating public/private rsa key pair. Enter file in which to save the key (/home/b/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/b/.ssh/id_rsa. Your public key has been saved in /home/b/.ssh/id_rsa.pub.
Your public key is now available as .ssh/id_rsa.pub in your home folder.
Congratulations! You now have a set of keys. Now it’s time to make your systems allow you to login with them.
Transfer Client Key to Host
The key you need to transfer to the host is the public one. If you can log in to a computer over SSH using a password, you can transfer your RSA key by doing the following from your own computer:
ssh-copy-id <username>@<host>
Where <username> and <host> should be replaced by your username and the name of the computer you’re transferring your key to.
Due to this bug, you cannot specify a port other than the standard port 22. You can work around this by issuing the command like this: ssh-copy-id "<username>@<host> -p <port_nr>". If you are using the standard port 22, you can ignore this tip.
Another alternative is to copy the public key file to the server and concatenate it onto the authorized_keys file manually. It is wise to back that up first:
cp authorized_keys authorized_keys_Backup cat id_rsa.pub >> authorized_keys
You can make sure this worked by doing:
ssh <username>@<host>
You should be prompted for the passphrase for your key:
Enter passphrase for key ‘/home/<user>/.ssh/id_rsa’: |
Enter your passphrase, and provided host is configured to allow key-based logins, you should then be logged in as usual.
Advance:
- To change your private rsa key’s password:
ssh-keygen -p -f ~/.ssh/id_rsa
then provide your old and new passphrase (twice) at the prompts. (Use ~/.ssh/id_rsa
if you have an RSA key.)
2. Don’t just use the same key across all machines and users. Generate each user on each machine (that needs to do this kind of thing) its own key pair. This will let you keep fine grained control on what is able to ssh where.
3. When adding the key to your authorized_keys file, you can lock it down to only be able to run a specific command, or use it only from a specific host.
See man ssh
and search for command= and from=
The syntax is something like:
from=”1.2.3.4″,command=”/path/to/executable argument” ssh-rsa key name
i.e. pop ‘rsync’ in there and only ‘rsync’ could be called by your key, and only from the IP address 1.2.3.4. Multiple IPs can be separated by ,
. Host names are also supported.(you can change the name at last to anything you want)
4. Another thing that springs to mind is the ‘AllowUser’ directive in your sshd_config
AllowUsers
This keyword can be followed by a list of user name patterns, separated by spaces. If specified, login is allowed only for user names that match one of the patterns. ‘*’ and ‘?’ can be used as wildcards in the patterns. Only user names are valid; a numerical user ID is not recognized. By default, login is allowed for all users. If the pattern takes the form USER@HOST then USER and HOST are separately checked, restricting logins to particular users from particular hosts.