Helpful Knowledge 🎓
A general repository for stuff I always keep forgetting how to do
Creating and Using SSH Keys for Passwordless Experience
Some well-written and thorough SSH information can be found at ssh.com
Concept
Using SSH Keys enables secure logins easily.
Generally concerned with two files:
id_rsa.pub
(public and shared on remote system)id_rsa
(private on local system)
The files—usually referred to as keys—can be likened to a physical padlock 🔒 (.pub) and key 🔑
These files are usually kept inside a hidden directory in your home directory (i.e. ~/.ssh
)
$ ls ~/.ssh/
id_rsa id_rsa.pub
Like a 🔑, the id_rsa
file is not to be public or shared.
Conversely, the 🔒can be on multiple systems.
There's nothing particualarily special with the name
id_rsa
. You can rename when generating keys (e.g.id_rsa_home
,my_coolsite.pub
)
Generating Keys
To create a matching pair of keys 🔐(i.e. padlock & key), on Linux/MacOS use the ssh-keygen
utility:
$ ssh-keygen -t rsa -C "note to help id the pub file entry"
Generating public/private rsa key pair.
Enter file in which to save the key (/Users/skube/.ssh/id_rsa): [enter some descriptive note] name_of_key_file
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/skube/.ssh/name_of_key_file
Your public key has been saved in /Users/skube/.ssh/name_of_key_file.pub
Note: It is recommended to use a passphrase (e.g. orange you glad I didn't say banana) Note: Passphrase can be temporarily saved/bypassed using a utility (
ssh-agent
)
Info:
- The contents of [] are optional, a note will automatically be appended to the *.pub file as user@machine
-t rsa
is default tellsssh-keygen
to create an RSA type encrpytion-C
overrides the default comment on the*.pub
file (why?)
Authorized Keys
Now you have two files id_rsa.pub
🔒 and id_rsa
🔑. The 🔒 must be placed on the server and appended to the authorized_keys
file.
Method 1
One way to easily copy the *.pub
file to a remote server is to use the ssh-copy-id
util:
# If util available, supply the _key_ if not using the default `id_rsa`
$ ssh-copy-id [-i name_of_key_file] user@remotehost
-i
if you want to override the default identity file ofid_rsa
Method 2
Another way is with a long, complicated but impressive looking shell command:
# Fancy unix one-liner
$ cat ~/.ssh/id_rsa.pub | ssh user@remoteserver 'mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys'
(Info: the
-p
flag onmkdir
creates intermediate directories as required, not erroring if the directory already exists)
Method 3
Otherwise, you can simply manually copy the 🔒contents and paste through an online form
# Manually copy to clipboard
$ pbcopy < ~/.ssh/id_rsa.pub
You can safely now delete the *.pub
file as it has been appended to the authorize_keys
file.
Using SSH
Now you can SSH into your remote server
# Method 1:
ssh user@remoteserver -i ~/.ssh/id_rsa_<note>
Info: the
-i
is to specifcy a path to the proper key when not using the the defaultid_rsa
# Method 2: If not using multiplie keys (i.e. only one `id_rsa` key)
ssh user@remoteserver
Managing Multiple Keys
It's not uncommon to use multiple keys (not to mention it's easier to use a friendly-name). To facilitate this, you can use a ~/.ssh/config
file.
# contents of ~/.ssh/config (replace <...>)
Host <friendly-name>
User <user>
HostName <remoteserver.com>
IdentityFile ~/.ssh/id_rsa_<note>
# macOS Sierra no longer persists keys
Host *
AddKeysToAgent yes
That's it! You should* be able to SSH simply by into a remote server by: ssh friendly-name
ssh-agent
Bypassing Passphrase with If you supplied a passphrase, you may find it super annoying entering it each time.
The ssh-agent
manages your SSH keys and remembers your passphrases.
To use ssh-agent
and ssh-add
, follow the steps below:
1. At the Unix prompt, enter:
eval `ssh-agent`
Note: make sure you use the backquote (`) rather than the single quote (
'
).
2. Add the key to the agent:
ssh-add -K ~/.ssh/id_rsa_<custom>
Info:
-K
adds to keychain for persistance (tho may not work after macOS Sierra)
3. Kill the current agent:
ssh-agent -k
*Troubleshooting
Problem 1
Your local and remote systems may have different ssh
versions. In that case, you need to set permissions on the .ssh
directory and authorized_keys
file of your remote system.
# method 1: one line
ssh user@remotehost 'chmod 700 ~/.ssh; chmod 640 ~/.ssh/authorized_keys'
# method 2: multi-line
ssh user@remotehost
chmod 700 ~/.ssh
chmod 640 ~/.ssh/authorized_keys
(note: 421 corresponds to rwx, so
chmod 640
meanschmod u=rw,g=r,o-a
)
Problem 2:
If you see a message "Agent admitted failure to sign using the key" then add your RSA or DSA identities to the authentication agent ssh-agent then execute the following command:
ssh-add
ssh
identity file
Using rsync with Setting up the rsync
command (trailing slashes seem to be important)
rsync --progress -avz -e "ssh -i ~/.ssh/id_rsa_<note>" /path/to/local/dir/ <user>@<hostname>:/path/to/remote/dir/
Create a shell script for the synchronization
vi ~/bin/some-super-cool-name.sh
Add to the shell script file's contents:
#!/bin/bash <copy-the above rsync line here>
Add proper permissions
chmod 700 ~/bin/some-super-cool-name.sh