[roger_smith]

It's that time again for another Linux Tips! In today's tip we're going to talk about ssh keys and using them for password-free logins. This tip requires a linux workstation (the system you're sitting at) and a destination system running linux as well (since we're using ssh here).

For starters, you need to generate an SSH key on your workstation. Each user on that system can have their own key. To do this, open a terminal as the user you want to setup the key for and run:

Code:

ssh-keygen

You can leave the passphrase blank for this exercise, and leave the rest of the settings default as well.

Once the key generation completes, you're halfway there.

The next step is to copy your newly generated SSH key to your destination server. This can be completed with the ssh-copy-id command. The command will look something like this:

Code:

user@localhost~$: ssh-copy-id username@remotehost.tld

So, what we see here is the user "user" on the local machine is running the ssh-copy-id command and passing username at the remote machine. These usernames do not need to match, so you could be "bob" on localhost, and "root" on remotehost.

once you run that command, you will be prompted for the REMOTE USERS password. Type the password, ssh-copy-id will work it's magic, and give you some output. Now, if you run ssh username@remotehost.tld, you can log in without being prompted for a password!

I hope this was helpful and interesting. You can use this knowledge to help harden ssh on your remote system by looking through the sshd_config files. Perhaps we'll discuss that in a future Linux Tips .

[Reiko]

This is one of my favorite features of OpenSSHd (and Dropbear).

For added security, if you're super paranoid, use these command lines for generating your keys

Code:

ssh-keygen -t ecdsa -b 521 # for newer SSH server/client, or
ssh-keygen -t rsa -b 4096 # for older SSH server/client

[Adorapuff]

Nice tutorial! Welcome to +Reverence!

[roger_smith]

Nice tutorial! Welcome to +Reverence!

Thanks for the kind words and admittance to the group! I honestly am not entirely sure what that means yet honestly, but I'm reading through some of the new things that suddenly showed up, lol.

Cheers

[Xeru]

So pretty much, ssh-copy-id will add the key to ~/.ssh/authorized_keys?
I usually just cat ~/.ssh/id_rsa.pub (or id_ecdsa.pub) and add it to remote server via "echo (key) > ~/.ssh/authorized_keys"

Never even knew of ssh-copy-id. Useful. Thank you!

[roger_smith]

So pretty much, ssh-copy-id will add the key to ~/.ssh/authorized_keys?
I usually just cat ~/.ssh/id_rsa.pub (or id_ecdsa.pub) and add it to remote server via "echo (key) > ~/.ssh/authorized_keys"

Never even knew of ssh-copy-id. Useful. Thank you!

Glad you found the tutorial useful .

ssh-copy-id takes all the manual work out of copying certs over

[Reiko]

So pretty much, ssh-copy-id will add the key to ~/.ssh/authorized_keys?
I usually just cat ~/.ssh/id_rsa.pub (or id_ecdsa.pub) and add it to remote server via "echo (key) > ~/.ssh/authorized_keys"

Never even knew of ssh-copy-id. Useful. Thank you!

Doing this on a server with a strange umask will leave you scratching your head. ssh-copy-id makes sure the permissions are correct on the authorized_keys file.

[Sans]

This is one of my favorite features of OpenSSHd (and Dropbear).

For added security, if you're super paranoid, use these command lines for generating your keys

Code:

ssh-keygen -t ecdsa -b 521 # for newer SSH server/client, or
ssh-keygen -t rsa -b 4096 # for older SSH server/client

ecdsa isnt recommended anymore, use ed25519 for new system

[Dismas]

For future reference, grave digging is against the rules.

His reply is fairly helpful, so it's not 100% gravedigging.

[meow]

Good ways to make SSH skid-proof other than key auth are -

• Pluggable authentication modules
  
• Making SSH listen on a port other than 22
  
• Disabling remote root logins (keep in mind that this doesn't restrict you/other people from using 'su root')
  
• Google's two-factor SSH authentication