SSH Keys and Other Tips

How to set up and use SSH keys to connect to other machines easily
October 2012

Motivation

If you frequently connect to machines via ssh, you should be using SSH keys (public-key authentication), not passwords. This greatly improves security and, as I show below, also makes things more convenient (unlike many other security features). These instructions assume Linux or Mac.

Setting up Keys

  1. On the machine you want to log in from (i.e., the 'client'), create SSH keys (on Linux or Mac) using:
    ssh-keygen
    
  2. This will ask you where to store the keys (the default location is fine) and for a passphrase. Do not leave the passphrase empty! Use a strong passphrase here.
  3. Transfer the key to the server, like this:
    ssh-copy-id servername.domain.com
    
  4. It will ask you for your password to do the transfer.
  5. From now on, you can do:
    ssh servername.domain.com
    
    and it should ask you only for your key passphrase.
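A check worth running after the steps above, as an added example that is not part of the original post: the usual reason key login silently falls back to a password prompt is file permissions. ssh refuses a private key that anyone but the owner can access, and sshd (with its default StrictModes) ignores authorized_keys if the home directory, ~/.ssh or the file itself is group- or world-writable. The function names and the use of find for portability are my own choices; only POSIX find and test are used, so it runs on Linux and macOS.

```sh
# Succeed if no group/other permission bit is set on $1
# (what ssh requires of a private key file, e.g. mode 600).
owner_only() {
    [ -e "$1" ] || return 1
    # find prints the path if any of the 077 bits is set; empty output means clean
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
                               -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]
}

# Succeed if $1 is neither group- nor world-writable
# (what sshd StrictModes requires of the path leading to authorized_keys).
not_shared_writable() {
    [ -e "$1" ] || return 1
    [ -z "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# check_client_key PRIVATE_KEY: 0 if ssh will accept the key file's permissions.
check_client_key() {
    if ! owner_only "$1"; then
        echo "private key missing or readable by others: $1"
        return 1
    fi
    return 0
}

# check_authorized_keys HOME_DIR: 0 if sshd will honour HOME_DIR/.ssh/authorized_keys;
# otherwise print the first offending path and return 1.
check_authorized_keys() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        if ! not_shared_writable "$p"; then
            echo "bad permissions or missing: $p"
            return 1
        fi
    done
    return 0
}

# Typical use (client, then server):
#   check_client_key ~/.ssh/id_rsa
#   check_authorized_keys "$HOME"
```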

What's Better About This?

Now at first glance, this appears to have bought you nothing -- you still have to type your passphrase. However, things are actually much improved.

  1. Your password is no longer sent over the network; the key passphrase only unlocks the private key locally on your client. Security-wise, this is much better.
  2. You can use the same passphrase for all servers, even if they have different passwords.
  3. You can cache the passphrase on your client so that, e.g., you only have to type it once when you log in and then never again until you reboot your machine. On Linux this can be set up in your GUI login, so that once you sign into KDE or GNOME it asks you for your passphrase once and then you're logged in. I don't remember how to get this to work (I think I used the program keychain, but not 100% sure), and it was a bit flaky, so the alternative is to have the following in your ~/.bashrc:
    # Reuse an existing ssh-agent so every new shell shares one unlocked key
    # (adapted from http://tychoish.com/rhizome/9-awesome-ssh-tricks/ )
    ssh-reagent () {
        local agent
        for agent in /tmp/ssh-*/agent.*; do
            # with no agent sockets the glob stays a literal string; skip it
            [ -S "$agent" ] || continue
            export SSH_AUTH_SOCK="$agent"
            # ssh-add -l exits 0 only when it reached an agent that has keys loaded
            # (1 = agent empty, 2 = no agent); silence stdout first, then stderr
            if ssh-add -l > /dev/null 2>&1; then
                echo "Found working SSH agent:"
                ssh-add -l
                return 0
            fi
        done
        echo "Cannot find ssh agent - maybe you should reconnect and forward it?"
        return 1
    }
    
    ssh-reagent
    
    
  4. Now it will ask you for your passphrase the first time you try to ssh, but any subsequent bash windows you open will reuse the agent that holds the unlocked key, so you will not need to enter it again unless you close your original bash window. This only works if the key is actually added to the agent, e.g. with ssh-add or (on newer OpenSSH) AddKeysToAgent yes in ~/.ssh/config.
Note: if you find inaccuracies here or have other suggestions, please email me.