SSH Keys 101

If you have a centralized server from which you manage many remote servers, you will most likely want to set up ssh keys so that you do not have to type in your password every time.

ssh comes with several utilities to generate, handle and manage keys. This article will mainly cover ssh-keygen, ssh-agent, ssh-copy-id and ssh-add.

Let's say you want to generate your keys. You will issue ssh-keygen, which defaults to rsa, or you can specify dsa by typing ssh-keygen -t dsa. It will prompt you for a passphrase. You will always want to select a passphrase, since it adds another layer of security to your environment. Normally I select a long sentence that is easy for me to remember. Once the key is generated it will create a .ssh directory in your home directory, containing id_rsa and id_rsa.pub.

id_rsa is your private key, which stays on your local machine; id_rsa.pub is the public key, which is what needs to be copied out to your remote servers.

You can copy id_rsa.pub to remote servers manually using scp, or even by ssh-ing in and pasting it, but ssh provides a nice utility called ssh-copy-id which copies the key automatically and sets the ownership and permissions correctly. I will cover this further down, after setting up our passphrases.

Your ssh key is associated with a passphrase, so every time you try to ssh using your key it will prompt you for that passphrase. This almost makes the whole ssh key useless, since the point was an automated way of ssh-ing to a server without being prompted. This is where ssh-agent and ssh-add come into play. I use bash as my shell and have added the following to my .bash_profile so that ssh-agent runs when I log in:

SSHAGENT=/usr/bin/ssh-agent   # path to the ssh-agent binary; adjust for your system
if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then
    eval "$($SSHAGENT -s)"   # start the agent and export SSH_AUTH_SOCK and SSH_AGENT_PID
    trap "kill $SSH_AGENT_PID" 0   # stop the agent when this login shell exits
fi

This will run ssh-agent every time you log into your management server. Once logged in, you will want to add your passphrase so that it is "cached" and you are not prompted for it every time you ssh to a remote server. To do this you use the ssh-add command:

$ ssh-add
Enter passphrase for /home/user/.ssh/id_rsa: ((your passphrase))
Identity added: /home/user/.ssh/id_rsa

Now when you ssh to your remote servers you will not be prompted for your passphrase for the duration of your current session.

So far we've created our ssh keys, set up ssh-agent and added a way not to be prompted for our passphrase every time we use ssh. Now to copy over our keys.
You can easily scp or ssh in and paste your keys to remote servers, but why not use a tool that came with ssh? It's called ssh-copy-id, and we can copy over our keys as:

ssh-copy-id -i ~/.ssh/id_rsa.pub user@remotehost

I usually have a long list of servers I want to export my keys to, so I keep a text file of the servers and loop over it with the ssh-copy-id command to send the key out to all of the remote hosts. During ssh-copy-id you will be prompted for your password, since the key is not out there yet; once ssh-copy-id is complete it will have copied your id_rsa.pub into authorized_keys and set the correct ownership and permissions. If you're copying your key to another user id on the remote host, it will not only copy it but append it to the file, so that it doesn't overwrite other keys.
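The loop described above, as an added example that is not part of the original post: a small POSIX shell script that reads the host list from a file, checks whether key login already works for each host (so hosts that already have the key are skipped without a password prompt), and runs ssh-copy-id on the rest. The hosts file layout, the KEY, SSH and SSH_COPY_ID variables and the read_hosts, key_works and push_keys function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): push one public key to every host
# listed in a file, skipping hosts where key login already works.
# Assumptions: the hosts file has one host (or user@host) per line and '#'
# starts a comment; KEY, SSH and SSH_COPY_ID are this script's own variables.
KEY="${KEY:-$HOME/.ssh/id_rsa.pub}"
SSH="${SSH:-ssh}"
SSH_COPY_ID="${SSH_COPY_ID:-ssh-copy-id}"

# Print the host entries from a file: comments and blank lines are dropped,
# and only the first field of each remaining line is used.
read_hosts() {
    sed 's/#.*//' "$1" | awk 'NF { print $1 }'
}

# Return 0 if key-based login already works for a host. BatchMode and
# PasswordAuthentication=no guarantee that no password prompt can appear.
key_works() {
    "$SSH" -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=5 \
        "$1" true 2>/dev/null
}

# Run ssh-copy-id only on hosts that still need the key. Prints one status
# line per host and returns the number of hosts where the copy failed.
push_keys() {
    failed=0
    for host in $(read_hosts "$1"); do
        if key_works "$host"; then
            echo "$host: key already installed, skipping"
        elif "$SSH_COPY_ID" -i "$KEY" "$host"; then
            echo "$host: key installed"
        else
            echo "$host: ssh-copy-id FAILED"
            failed=$((failed + 1))
        fi
    done
    return "$failed"
}

# Usage: sh push_keys.sh hosts.txt
if [ $# -ge 1 ]; then
    push_keys "$1"
fi
```

The exit status is the number of hosts that failed, so the script can be checked from a cron job or a wrapper.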
