SSH keys howto
This page is for people who log in via SSH and don't want to type their password every time. Authentication is done through a system of public/private keys.
The commands given below have to be run in a Bash shell (under Windows/Cygwin or Linux). It is assumed that you have installed the ssh package on your local machine.
Creating your personal keys
This has to be done only once.
On your local machine, just type:
ssh-keygen
Accept the default location for the key file. Choose a passphrase to protect your key; if you choose an empty passphrase, anybody who has access to your private key file (see below) can log into your remote accounts. You can use an SSH agent to avoid the hassle of typing the passphrase every time you log in (GNOME provides an SSH agent by default).
This should have created two files in the ~/.ssh directory:
id_rsa.pub: it contains the public part of your key. This file can be made public. It should contain a single line beginning with ssh-rsa.
id_rsa: it contains the private part of your key. The content of this file has to be kept secret. Anybody with access to this file could break into your personal accounts that have been configured as described below.
Configuring remote hosts
The following procedure has to be repeated on every remote host you'd like to connect to with your key.
Suppose you have an account user on machine hostname.
Log in:
ssh user@hostname
On the remote machine, edit the file ~/.ssh/authorized_keys (create it if it doesn't exist). With emacs, you would type:
emacs ~/.ssh/authorized_keys
With a simple copy/paste, just add the content of the file id_rsa.pub (your public key, beginning with ssh-rsa) at the end of the authorized_keys file. Save and exit. Log out.
You should now be able to log into the remote machine with your key: it will ask for your passphrase the first time; if you have an SSH agent, the passphrase will be kept in memory for subsequent logins.
Note: it is possible to put several keys in the authorized_keys file, one key per line. All keys will be granted access without password. This can be useful if several people share the same account (such as the dynare account on the Dynare workstation), or if you use several keys for yourself (for example if you have several personal workstations).
Note 2: if your private key gets compromised, you should immediately delete its public counterpart from every authorized_keys file you've put it in (otherwise your accounts can be compromised too!). You should then stop using these keys and create new ones.
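The copy/paste step under "Configuring remote hosts" and the key removal from Note 2 can also be scripted on the remote host. The following is an added example, not part of the original page; the function names add_key and revoke_key are hypothetical, and the authorized_keys path can be overridden with a second argument.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Function names are hypothetical.
# Both functions take a public key file and, optionally, the authorized_keys
# path (default: ~/.ssh/authorized_keys). Run them on the remote host.

# add_key PUBKEY_FILE [AUTH_FILE]: append the key unless it is already there.
add_key() {
    local pub="$1" auth="${2:-$HOME/.ssh/authorized_keys}" line blob dir
    # A public key is exactly one line; this also rejects a private key
    # (id_rsa, several lines) picked by mistake.
    if [ "$(grep -c '' "$pub")" -ne 1 ]; then
        echo "refusing $pub: not a single-line public key" >&2; return 1
    fi
    line="$(cat "$pub")"
    case "$line" in
        ssh-rsa\ *) ;;
        *) echo "refusing $pub: does not begin with ssh-rsa" >&2; return 1 ;;
    esac
    blob="$(printf '%s\n' "$line" | awk '{print $2}')"
    dir="$(dirname "$auth")"
    # sshd ignores authorized_keys when it or ~/.ssh is writable by others
    # (StrictModes, on by default), so set the permissions explicitly.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    if grep -qF -- "$blob" "$auth"; then return 0; fi
    # Keep "one key per line" even if the file lacks a final newline.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then echo >> "$auth"; fi
    printf '%s\n' "$line" >> "$auth"
}

# revoke_key PUBKEY_FILE [AUTH_FILE]: delete every line holding that key.
revoke_key() {
    local pub="$1" auth="${2:-$HOME/.ssh/authorized_keys}" blob tmp
    blob="$(awk '{print $2; exit}' "$pub")"
    [ -n "$blob" ] || { echo "no key material in $pub" >&2; return 1; }
    tmp="$(mktemp "$auth.XXXXXX")" || return 1
    # grep -v exits 1 when no line is left; that is a valid result here.
    grep -vF -- "$blob" "$auth" > "$tmp" || true
    chmod 600 "$tmp" && mv "$tmp" "$auth"
}
```

Matching is done on the base64 key material rather than on the whole line, so a key is recognised even if its trailing comment differs between copies.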