This is a small guide to configure SSH client for public key authentication.
After following this guide you will be able to securely connect to your server without having to enter a password.
Steps
- Create an SSH key
- Copy the SSH public key to the server
- Configure the client
- Connect!
- Setting up SSH Agent
Create an SSH key
Public key authentication uses cryptographic key pairs to create a secure exchange of credentials between the client and the server. First, we need to create a key pair using the ssh-keygen command. You will be asked to enter a passphrase: a passphrase is like a password, but it’s supposed to be longer and more secure. A good way to create a passphrase is illustrated by an XKCD comic, from which this passphrase generator was made.
For example (do not reuse this!) we can use: SEAT-MIRROR-merely-MOVE
ssh-keygen -t ed25519
It will create two files:
- ~/.ssh/id_ed25519 (the private key)
- ~/.ssh/id_ed25519.pub (the public key)
Copy the SSH public key to the server
The ssh-copy-id command is used to copy the public key to the server. It will create the file ~/.ssh/authorized_keys on the server containing your public key. The command ensures the path is created with the right permissions and that the file contains the public key.
The command takes the form ssh-copy-id -i <source file> <destination address> (the address of your server):
ssh-copy-id -i ~/.ssh/id_ed25519 user@192.168.0.XXX
You will be asked for the user’s password. Next time you log in, you can use the key…
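An added check, not part of the guide, for the permissions that ssh itself enforces on the files created above: the client ignores a private key that other users can read, and sshd's default StrictModes ignores authorized_keys when that file, ~/.ssh or the home directory is writable by anyone but the owner (ssh-copy-id appends .pub when given the private key path, so only the public half is ever sent). The function takes the directory to inspect as an argument; the demonstration below runs on constructed files in a temporary directory and never touches your real ~/.ssh.

```shell
mode_of() {   # octal permission bits of a path: GNU stat first, BSD stat as fallback
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# usage: check_ssh_perms SSH_DIR [PRIVATE_KEY_NAME]; returns 0 when nothing needs fixing
check_ssh_perms() {
  dir=$1; key=$dir/${2:-id_ed25519}; ok=0
  case $(mode_of "$dir") in      # directory: writable by the owner only (700 is the usual value)
    [57][0145][0145]) ;;
    *) echo "fix: chmod 700 $dir (a group/world-writable ~/.ssh is rejected by sshd StrictModes)"; ok=1 ;;
  esac
  if [ -f "$key" ]; then         # private key: no group/other bits at all, or ssh ignores it
    case $(mode_of "$key") in
      [4-7]00) ;;
      *) echo "fix: chmod 600 $key (ssh warns 'UNPROTECTED PRIVATE KEY FILE' and skips it)"; ok=1 ;;
    esac
  fi
  for f in "$key.pub" "$dir/config" "$dir/authorized_keys"; do
    [ -f "$f" ] || continue      # these only need to be unwritable by group/others
    case $(mode_of "$f") in
      [4-7][0145][0145]) ;;
      *) echo "fix: chmod 600 $f"; ok=1 ;;
    esac
  done
  return $ok
}

# Constructed demonstration in a throwaway directory; your real ~/.ssh is not touched.
demo=$(mktemp -d); chmod 700 "$demo"
: > "$demo/id_ed25519";     chmod 644 "$demo/id_ed25519"      # deliberately too open
: > "$demo/id_ed25519.pub"; chmod 644 "$demo/id_ed25519.pub"
check_ssh_perms "$demo" || echo "-> permissions need fixing"   # reports the private key
chmod 600 "$demo/id_ed25519"
check_ssh_perms "$demo" && echo "-> permissions OK"
rm -rf "$demo"
```

Run it against the server side too (check_ssh_perms ~/.ssh on the server), since a key that was copied correctly but sits in a world-writable ~/.ssh is silently ignored there.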
Configure the client
Now, in order to avoid having to pass options on the command line, we can use a configuration file that contains all the options we want, and end up typing ssh myold.computer to connect to the server. For this you need to create a specific configuration file on the client (the computer you are using to connect to the server).
The configuration file is located at ~/.ssh/config
Let’s edit this file and put:
Host myold.computer
HostName myold.computer
User how
IdentityFile ~/.ssh/id_ed25519
Port 45535
LogLevel INFO
ProxyCommand none
Let’s break it down:
- The first line (Host) defines the name you give this configuration. If you name it foo, you can run ssh foo to activate these configuration options.
- The second line defines the actual DNS hostname or IP address by which the host is known on the internet (or on the local area network).
- The third line defines your username (mine is how; you should change this to your own login).
- The IdentityFile line defines the path where the private key is located. Here the tilde (~) stands for your $HOME folder.
- The Port line defines the SSH port on the server (22 by default).
- LogLevel INFO gives just enough information to know whether the connection is working or not. You may want to try DEBUG to see exactly what is happening between the client and the server as they talk back and forth.
- ProxyCommand none tells SSH to ignore any configured proxy (a service that routes the connection through specific machines on your behalf) and to connect directly from your IP address to the server’s IP address. In our case it’s fine, but if you want to hide your IP address from the server you might want to read the SSH manual (by running man ssh) to learn more about this option. Usually you can ignore it.
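As an added example (not code from the guide), here is a small POSIX shell function that resolves one option for an alias the way ssh reads ~/.ssh/config: the first value found for a keyword wins, so specific Host blocks must come before any Host * defaults, or the defaults silently take over. The sample configuration is constructed from the guide's block plus a Host * section; on a real system, ssh -G myold.computer prints the options ssh will actually use.

```shell
# Resolve KEYWORD for HOST_ALIAS from an ssh_config-style file. Only the
# "Keyword value" form is handled (no Keyword=value, Match blocks or !patterns).
ssh_config_get() {   # usage: ssh_config_get CONFIG_FILE HOST_ALIAS KEYWORD
  want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
  active=1            # options listed before any Host line apply to every host
  while read -r key val || [ -n "$key" ]; do     # read trims the surrounding whitespace
    case $key in ''|'#'*) continue ;; esac       # skip blank lines and comments
    key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')   # keywords are case-insensitive
    if [ "$key" = host ]; then
      active=0
      set -f                                     # Host takes glob patterns; don't expand them
      for pat in $val; do
        case $2 in $pat) active=1 ;; esac
      done
      set +f
    elif [ "$active" = 1 ] && [ "$key" = "$want" ]; then
      printf '%s\n' "$val"; return 0             # first value obtained wins, as in ssh
    fi
  done < "$1"
  return 1                                       # keyword not set for this alias
}

# Constructed sample: the guide's block followed by a "Host *" defaults block.
demo_config() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
Host myold.computer
    HostName myold.computer
    User how
    IdentityFile ~/.ssh/id_ed25519
    Port 45535

# Defaults for every host; they must come LAST or they would override the block above.
Host *
    Port 22
    IdentitiesOnly yes
EOF
  printf '%s\n' "$f"
}

cfg=$(demo_config)
ssh_config_get "$cfg" myold.computer Port            # 45535, from the specific block
ssh_config_get "$cfg" other.example.org Port         # 22, from Host *
ssh_config_get "$cfg" myold.computer IdentitiesOnly  # yes, inherited from Host *
rm -f "$cfg"
```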
Connect!
Here, ~/.ssh/config is ready: you can run ssh myold.computer and it will use this configuration.
The ssh command will ask you for a passphrase: this is not your regular user password, but the passphrase we generated in the first step, assigned to the SSH key itself.
Now, typing a passphrase instead of a password at each connection is not very practical. Fortunately we can use the SSH Agent to hold the unlocked key for us and connect without having to type the passphrase each time.
Setting up SSH Agent
The ssh-agent command is a program that securely holds credentials for you, enabling you to send SSH commands (including scp to copy files, sftp for multiple file transfers, and other commands that run over the secure shell). We need one SSH Agent running on our behalf. Usually we start it with our windowing system (the desktop environment).
eval $(ssh-agent -s)
This will print and set, for example:
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXamIDfb/agent.2634; export SSH_AUTH_SOCK;
SSH_AGENT_PID=2635; export SSH_AGENT_PID;
echo Agent pid 2635;
Once the agent is started we can add keys to it using the ssh-add command:
ssh-add ~/.ssh/id_ed25519
Enter the key’s passphrase, and you’re done. Now you can type ssh myold.computer and bam! Here comes the remote shell.
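An added example, not from the guide, for sessions that are not started from a desktop: running eval $(ssh-agent -s) in every new terminal leaves a forgotten agent (holding your unlocked key) behind each time, so this snippet saves the agent's environment once and reuses it while the socket is still alive, and loads the key with a lifetime so it is not available indefinitely. The agent.env path and the 8-hour lifetime are assumptions; ssh-add -l exits 2 when no agent can be reached, 1 when the agent holds no keys, and 0 when it does.

```shell
AGENT_ENV=${AGENT_ENV:-$HOME/.ssh/agent.env}   # assumed location; adjust to taste

agent_usable() {   # 0 if an agent answers on $SSH_AUTH_SOCK (ssh-add -l exits 2 when none does)
  rc=0; ssh-add -l >/dev/null 2>&1 || rc=$?
  [ "$rc" -eq 0 ] || [ "$rc" -eq 1 ]            # exit 1 only means "no keys loaded yet"
}

agent_sock_from() {   # socket path recorded by "ssh-agent -s" in a saved env file
  sed -n 's/^SSH_AUTH_SOCK=\([^;]*\);.*/\1/p' "$1" 2>/dev/null
}

ensure_agent() {   # reuse the saved agent while its socket exists, otherwise start a new one
  if ! agent_usable && [ -S "$(agent_sock_from "$AGENT_ENV")" ]; then
    . "$AGENT_ENV" >/dev/null                   # same SSH_AUTH_SOCK/SSH_AGENT_PID lines as above
  fi
  if ! agent_usable; then
    (umask 077; ssh-agent -s > "$AGENT_ENV")    # keep the file private, like the rest of ~/.ssh
    . "$AGENT_ENV" >/dev/null
  fi
}

# Load the key for a limited time (-t, in seconds) so a long-lived session does not keep
# the unlocked key available forever; 28800 s is one working day (assumed value).
add_key_for_workday() { ssh-add -t 28800 "${1:-$HOME/.ssh/id_ed25519}"; }

# Typical use from ~/.profile or a login shell:
#   ensure_agent && add_key_for_workday
```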
Starting desktop session with ssh-agent
YMMV depending on your desktop. I start mine with exec startx, so I can use the ~/.xinitrc file to start my desktop configuration. Here is the last line of this file on my computer:
exec dbus-launch --sh-syntax --exit-with-session ssh-agent awesome
It tells X11 to start the awesome tiling window manager in the context of the ssh-agent, so that every program launched from the desktop can benefit from it. E.g., if you open a terminal and have keys in your agent, you can use them without a password.