By the end of this article you should be able to answer the following questions:
[tom@LinuxA /]$ ssh linuxB
# you will then be prompted for password
[tom@LinuxA /]$ ssh jerry@linuxB
# you will then be prompted for password
- ~/.ssh/id_rsa # You can think of this file as a key.
- ~/.ssh/id_rsa.pub # You can think of this file as a padlock.
[tom@LinuxA ~]$ ssh-copy-id jerry@LinuxB
[tom@LinuxA ~]$ ssh-agent bash
[tom@LinuxA ~]$ ssh-add # you’ll then be prompted to add it to cache
If you are logged into one Linux machine (let's call it LinuxA) and you want to connect from it to another Linux machine (let's call it LinuxB), you can do this using the "ssh" command. Here's an example of how this is done:
[Tom@LinuxA /]$ ssh linuxB
When you use ssh, you need to log in as a user that already exists on LinuxB. In the above case you will get 2 prompts: the first to enter a LinuxB username, followed by that user account's password. However, you can reduce this to 1 prompt by specifying the username as part of the initial connection request:
[Tom@LinuxA /]$ ssh Jerry@linuxB
This time you only get prompted once, to enter the password for user "Jerry".
Here I am logged in as user "Tom" on LinuxA, but when I ssh'd into LinuxB I assumed the identity of a user called "Jerry". In order to establish the connection, I had to enter Jerry's password.
Once I have logged into LinuxB as the "Jerry" user, I can do anything on LinuxB that I could do if I had logged into LinuxB directly as the "Jerry" user.
However, it is also possible to suppress the password prompt altogether. This is done by setting up what is called private/public key authentication.
Private/public keys are essentially a pair of files that reside in the user's home directory, in the .ssh folder. These 2 files are:
- ~/.ssh/id_rsa # You can think of this file as a key.
- ~/.ssh/id_rsa.pub # You can think of this file as a padlock.
If these files don't exist, or in fact the .ssh folder itself doesn't exist, then no public/private keys have been created for this user yet, in which case you need to generate them.
Generate Private/Public Keys
To generate public/private keys you simply have to run the ssh-keygen command.
This command will prompt you to enter some info, but you can simply hit return for all of them to accept the defaults. Note that accepting the default empty passphrase leaves the private key unencrypted on disk; the passphrase prompt is covered in the "Using the Passphrase" section below.
Here’s what you’ll see happening when you run the command:
[tom@localhost ~]$ pwd
/home/tom
[tom@localhost ~]$ ls -la | grep .ssh
[tom@localhost ~]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/tom/.ssh/id_rsa):
Created directory '/home/tom/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/tom/.ssh/id_rsa.
Your public key has been saved in /home/tom/.ssh/id_rsa.pub.
The key fingerprint is:
7e:78:9e:96:0b:94:d1:20:88:a2:b0:40:d4:92:2e:dc firstname.lastname@example.org
The key's randomart image is:
+--[ RSA 2048]----+
|ooo. .. .        |
|+o... . o        |
|*oo . .          |
|+o E o           |
|. S              |
| o .             |
| + o.            |
| =o.             |
| .+.             |
+-----------------+
[tom@localhost ~]$ ls -la | grep .ssh
drwx------. 2 tom tom 36 Apr  6 13:55 .ssh
[tom@localhost ~]$ cd .ssh/
[tom@localhost .ssh]$ ls -la
total 12
drwx------. 2 tom tom   36 Apr  6 13:55 .
drwx------. 6 tom tom 4096 Apr  6 13:55 ..
-rw-------. 1 tom tom 1675 Apr  6 13:55 id_rsa
-rw-r--r--. 1 tom tom  407 Apr  6 13:55 id_rsa.pub
[tom@localhost .ssh]$
As you can see, this command created the .ssh folder, then generated the id_rsa and id_rsa.pub keys and placed them in that folder. Note the file modes in the listing: id_rsa (the key) is readable only by its owner, while id_rsa.pub (the padlock) is world-readable.
Now we need to tell the "Jerry" user to accept "id_rsa.pub" as an "authorised" padlock that a user (in this case Tom) is allowed to unlock (using the id_rsa file) in order to log in as the Jerry user. This is done by updating the Jerry user's authorized_keys file.
Adding the id_rsa.pub to the authorized_keys file using the ssh-copy-id command
We now need to make Jerry aware of the padlock (id_rsa.pub) as an authorised key: the Jerry user presents this padlock to incoming ssh requests, and whoever holds the matching key (id_rsa) can unlock it. This is done by simply appending the contents of the id_rsa.pub file to the Jerry user's authorized_keys file, which resides in the Jerry user's .ssh folder:
[jerry@localhost .ssh]$ pwd
/home/jerry/.ssh
[jerry@localhost .ssh]$ ls -l authorized_keys
-rw-------. 1 jerry jerry 815 Apr  6 14:12 authorized_keys
[jerry@localhost .ssh]$
Note, this file might not exist yet, in which case you can create it manually and copy and paste the contents of id_rsa.pub into it. However, doing this manually is quite error prone, which is why there is the ssh-copy-id command, which exists specifically for this purpose. For example, here is how to add the contents of Tom's id_rsa.pub file to Jerry's authorized_keys file:
[tom@localhost ~]$ ssh-copy-id jerry@localhost
/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
jerry@localhost's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'jerry@localhost'"
and check to make sure that only the key(s) you wanted were added.

[tom@localhost ~]$
Note that this command does prompt you for Jerry's password, since at this point the key has not been installed yet.
Now you can ssh without a password prompt:
[tom@localhost ~]$ ssh jerry@localhost
[jerry@localhost ~]$
This works because SSH key authentication uses asymmetric encryption (a public/private key pair), as opposed to symmetric encryption.
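To make visible what ssh-copy-id does on the receiving side (and why doing it by hand is error prone), here is an added example that is not part of the original article: a small POSIX sh function that installs a public key into a target user's authorized_keys exactly once, and leaves the .ssh directory and file with the 0700/0600 modes shown in the listings above, which sshd's StrictModes check also requires. The function names, the target-home argument and the sample key line are assumptions of this example; the key line is a constructed placeholder, not a real key.

```shell
# Added example (not from the original article): a hand-written equivalent of
# what ssh-copy-id does on the target account. Assumes POSIX sh and a target
# home directory you can write to; on a remote host you would run it over ssh.

# perm_of FILE -> prints the octal permission bits (GNU stat, BSD stat fallback)
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_pubkey PUBKEY_FILE TARGET_HOME
# Appends the first line of PUBKEY_FILE to TARGET_HOME/.ssh/authorized_keys,
# but only if that key is not already there, and fixes the modes sshd expects
# (0700 for .ssh, 0600 for authorized_keys). Returns 1 on a malformed key.
install_pubkey() {
    pubkey_file=$1
    target_home=$2
    ssh_dir="$target_home/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # A public key line is "<type> <base64 blob> [comment]"; refuse anything else
    # so a stray file never ends up granting access.
    key_line=$(head -n 1 "$pubkey_file")
    case $key_line in
        ssh-*" "*|ecdsa-*" "*) ;;
        *) echo "install_pubkey: $pubkey_file does not look like a public key" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Compare type and blob only, so a changed comment does not create a duplicate.
    key_body=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')
    if awk -v body="$key_body" '($1 " " $2) == body {found=1} END {exit !found}' "$auth_file"; then
        echo "install_pubkey: key already present, nothing to do"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "install_pubkey: key added"
}

# count_keys TARGET_HOME -> number of non-empty, non-comment lines in authorized_keys,
# i.e. how many padlocks the account currently accepts.
count_keys() {
    awk '!/^#/ && NF {n++} END {print n+0}' "$1/.ssh/authorized_keys"
}

# Demonstration on a throwaway directory with a constructed (not real) key line.
demo_dir=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLEKEYBLOBconstructed tom@LinuxA\n' > "$demo_dir/id_demo.pub"
install_pubkey "$demo_dir/id_demo.pub" "$demo_dir/jerry"
install_pubkey "$demo_dir/id_demo.pub" "$demo_dir/jerry"   # second run is a no-op
echo "keys installed: $(count_keys "$demo_dir/jerry")"     # 1
rm -rf "$demo_dir"
```

The duplicate check and the chmod calls are the two things that usually go wrong when the file is edited by hand: a pasted key that is already present, or an authorized_keys file that sshd silently ignores because it is group- or world-writable. Running count_keys after an install is the equivalent of the "check to make sure that only the key(s) you wanted were added" advice that ssh-copy-id prints.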
Using the Passphrase
When running the ssh-keygen command to generate your public+private keys, you get prompted to enter a "passphrase". This passphrase is used to encrypt the private key.
After that you will need to enter this passphrase every time you want to ssh into a remote server. At first this sounds like it defeats the whole point of public+private keys, and in particular seems to make running shell scripts impossible. But actually you can cache this passphrase in your terminal session by running the following command:
$ ssh-agent bash
This starts a new bash session, this time with the ssh-agent utility running.
In our new bash session, we now use the ssh-add command to add our passphrase to the ssh-agent's cache:
[root@puppetmaster ~]$ ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
[root@puppetmaster ~]$
[root@puppetmaster ~]$ ssh root@puppetagent01
Last login: Mon Oct 12 21:57:12 2015 from puppetmaster
[root@puppetagent01 ~]$
This time we didn't get a passphrase prompt. If we now exit out of our bash session (which ends the ssh-agent that was started with it) and ssh to the remote machine again, we get the passphrase prompt back:
[root@puppetmaster ~]# exit
exit
[root@puppetmaster ~]# ssh root@puppetagent01
Enter passphrase for key '/root/.ssh/id_rsa':
Last login: Mon Oct 12 22:09:24 2015 from puppetmaster
[root@puppetagent01 ~]#
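The "ssh-agent bash" approach above gives you an interactive session; for the shell-script case the section mentions, the same ssh-agent and ssh-add tools can be driven from within the script. The following is an added example, not code from the original article: it starts an agent only if none is reachable, loads the key with a limited lifetime, runs one command, and stops the agent on exit so the unlocked key does not outlive the script. The function names, the KEY_TTL variable and the key-file argument are assumptions of this example; ssh-agent -s, ssh-agent -k and ssh-add -t are standard OpenSSH options.

```shell
# Added example (not from the original article): using a passphrase-protected
# key from a script. Assumes POSIX sh and OpenSSH's ssh-agent / ssh-add.

# agent_ready -> succeeds only if SSH_AUTH_SOCK points at an existing agent socket
agent_ready() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# with_agent KEYFILE COMMAND [ARGS...]
# Runs COMMAND with KEYFILE loaded into an agent. The passphrase is asked once,
# by ssh-add, rather than on every ssh call made by COMMAND.
with_agent() {
    keyfile=$1
    shift
    if [ ! -r "$keyfile" ]; then
        echo "with_agent: cannot read key file $keyfile" >&2
        return 1
    fi
    if ! agent_ready; then
        # "ssh-agent -s" prints export lines for SSH_AUTH_SOCK and SSH_AGENT_PID;
        # eval applies them to this shell.
        eval "$(ssh-agent -s)" >/dev/null
        # Stop the agent we started when the script exits, however it exits,
        # so the decrypted key is not left cached in the background.
        trap 'ssh-agent -k >/dev/null 2>&1' EXIT
    fi
    # -t limits how long the key stays cached (seconds); KEY_TTL is an assumed
    # knob of this example, defaulting to 10 minutes.
    ssh-add -t "${KEY_TTL:-600}" "$keyfile" || return 1
    "$@"
}

# Usage from a script (only runs when arguments are given):
#   with_agent ~/.ssh/id_rsa ssh jerry@LinuxB uptime
if [ "$#" -ge 2 ]; then
    with_agent "$@"
fi
```

The difference from "ssh-agent bash" is only in lifetime management: the interactive approach keeps the key cached until you exit the shell, while the script starts its own agent, caps the cache time with -t, and kills the agent with -k in an EXIT trap, which fires even if the wrapped command fails.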
Public key / private key authentication
http://stackoverflow.com/questions/7114990/pseudo-terminal-will-not-be-allocated-because-stdin-is-not-a-terminal (use the -t option)