This is a small guide to configuring an SSH client for public key authentication.
After following this guide you will be able to securely connect to your server without having to enter a password.
Create an SSH key
Copy the SSH public key to the server
Configure the client
Setting up SSH Agent
Public key authentication uses cryptographic key pairs to create a secure exchange of credentials between the client and the server. First, we need to create a key pair using the ssh-keygen command. You will be asked to enter a passphrase: a passphrase is like a password, but it is supposed to be longer and more secure. A good way to create a passphrase is illustrated by an XKCD comic, from which this passphrase generator was made.
For example (do not reuse this!) we can use: SEAT-MIRROR-merely-MOVE
ssh-keygen -t ed25519
It will create two files:
~/.ssh/id_ed25519 (the private key)
~/.ssh/id_ed25519.pub (the public key)
ssh-copy-id is used to copy the public key to the server. It will create on the server the file ~/.ssh/authorized_keys with your public key. The command ensures the path is created with the right permissions and the file contains the public key.
The command goes as follows: ssh-copy-id -i <source file> <destination address>, where the destination address is the address of your server (user@host):
ssh-copy-id -i ~/.ssh/id_ed25519 email@example.com.XXX
You will be asked for the user’s password. Next time you log in, you can use the key…
Now, in order to avoid having to pass options on the command line, we can use a configuration file that will contain all the options we want, and end up typing ssh myold.computer to connect to the server. For this you need to create, on the client (the computer you are using to connect to the server), a specific configuration file.
The configuration file is located at ~/.ssh/config
Let’s edit this file and put:
Host myold.computer
    HostName myold.computer
    User how
    IdentityFile ~/.ssh/id_ed25519
    Port 45535
    LogLevel INFO
    ProxyCommand none
Let’s break it down:
The first line defines the name of the host entry. If you name it foo, you can run ssh foo to activate these configuration options.
The second line defines the actual DNS hostname or specific IP address by which the host is known on the internet (or on the local area network).
The third line defines your username (mine is how, you should change this to your own login).
The IdentityFile line defines the path where the private key is located. Here the tilde (~) means the path to your $HOME folder.
The Port line defines the SSH port on the server, by default 22.
LogLevel INFO will give just enough information to know whether the connection is working or not. You may want to try DEBUG to see exactly what is happening between the client and the server as they talk back and forth.
ProxyCommand none tells SSH to ignore any configured proxy (a service that routes the connection through specific machines on your behalf) and directly connect from your IP address to the server’s IP address. In our case it’s fine, but if you want to hide your IP address from the server you might want to read the SSH manual (by running: man ssh) to learn more about this command. Usually you can ignore it.
Now that ~/.ssh/config is ready, you can run ssh myold.computer and it will use this configuration.
The ssh command will ask you for a passphrase: this is not your regular user password, but the passphrase we generated in the first step, assigned to the SSH key itself.
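As an added example (not part of the original guide), the script below recreates the client-side layout described above under a throwaway HOME, writes the same ~/.ssh/config block, and audits the file permissions OpenSSH insists on before it will use a key (~/.ssh must be 700, the private key and config 600), then reads an option back out of the config the way the breakdown above describes it. It assumes a POSIX sh with ls and awk; the function names, the scratch directory from mktemp, and the empty file standing in for the ssh-keygen output are all this example's own.

```shell
#!/bin/sh
# Added example, not from the original guide: recreate the client-side layout it
# describes under a scratch HOME, write its ~/.ssh/config block, and audit the
# permissions OpenSSH insists on (~/.ssh 700, private key and config 600).
set -eu
# Write the guide's config block for myold.computer into $1/.ssh/config
write_ssh_config() {
    mkdir -p "$1/.ssh"
    cat > "$1/.ssh/config" <<'EOF'
Host myold.computer
    HostName myold.computer
    User how
    IdentityFile ~/.ssh/id_ed25519
    Port 45535
    LogLevel INFO
    ProxyCommand none
EOF
}
# Succeed only when group and others have no permission bits at all on $1
is_private() {
    case "$(ls -ld "$1")" in ????------*) return 0 ;; *) return 1 ;; esac
}
# Report every path under $1/.ssh that other users can touch; fail if any
audit_ssh_dir() {
    audit_rc=0
    for f in "$1/.ssh" "$1/.ssh/config" "$1/.ssh/id_ed25519"; do
        if [ -e "$f" ] && ! is_private "$f"; then
            echo "too permissive: $f"; audit_rc=1
        fi
    done
    return $audit_rc
}
# Apply the permissions ssh-keygen itself uses (directory 700, private key 600)
harden_ssh_dir() {
    chmod 700 "$1/.ssh"; chmod 600 "$1/.ssh/config"
    if [ -f "$1/.ssh/id_ed25519" ]; then chmod 600 "$1/.ssh/id_ed25519"; fi
}
# Print option $3 from the "Host $2" block of config file $1 (what ssh -G would resolve)
config_value() {
    awk -v host="$2" -v key="$3" '
        tolower($1) == "host"                  { inblock = ($2 == host); next }
        inblock && tolower($1) == tolower(key) { print $2; exit }' "$1"
}
# Demo on a throwaway HOME (real ~/.ssh untouched); an empty 644 file stands in for the key
demo_home=$(mktemp -d)
write_ssh_config "$demo_home"; touch "$demo_home/.ssh/id_ed25519"; chmod 644 "$demo_home/.ssh/id_ed25519"
audit_ssh_dir "$demo_home" || harden_ssh_dir "$demo_home"
audit_ssh_dir "$demo_home" && config_value "$demo_home/.ssh/config" myold.computer Port
rm -rf "$demo_home"
```

A real client would point the functions at "$HOME" instead of the scratch directory; ssh itself refuses a private key that fails the same check with a "bad permissions" error.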
Now, typing a passphrase instead of a password at each connection is not very practical. Fortunately we can use the SSH Agent to keep the passphrase for us and connect without having to type the passphrase each time.
The ssh-agent command is a program that securely holds credentials for you, enabling you to send SSH commands (including scp to copy files, sftp for multiple file transfers, and other commands that may be used across the secure shell). We need one SSH Agent running on our behalf. Usually we start it with our windowing system (the desktop environment).
eval $(ssh-agent -s)
It will set, for example:
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXamIDfb/agent.2634; export SSH_AUTH_SOCK; SSH_AGENT_PID=2635; export SSH_AGENT_PID; echo Agent pid 2635;
Once the agent is started we can add keys to it using the
Enter the key’s passphrase, and you’re done. Now you can type:
ssh myold.computer, and bam! Here comes the remote shell.
YMMV depending on your desktop. I start mine with exec startx, so I can use the ~/.xinitrc file to start my desktop configuration. Here is the last line of this file on my computer:
exec dbus-launch --sh-syntax --exit-with-session ssh-agent awesome
It tells X11 to start the awesome tiling window manager in the context of the ssh-agent, so that every program launched from the desktop can benefit from it. E.g., if you open a terminal and have keys in your agent, you can use them without typing the passphrase.