Do you have a computer to compute on, but it's all the way over there? Use SSH, stupid! With keys!
0. Have Access to a Remote Computer with an SSH Server
Before you can set up key-based authentication you should have:
- A remote computer.
- A user account with a password on that remote computer.
- A SSH server installed on that remote computer which is:
- Configured to allow your remote user account to log in and
- Running
These all sound obvious, but I almost never have all 5 at once, so there you go.
For our examples we'll assume that your local user is groundcontrol
on the local host named earth
, trying to log in as the remote user majortom
to the remote host tincan
.
1. Generate Your Key Pair
First you need to make a key pair. Run ssh-keygen
to create a public and private key.
groundcontrol@earth:~$ ssh-keygen
Enter file in which to save the key (/home/groundcontrol/.ssh/id_rsa): /home/groundcontrol/.ssh/tincan
Enter passphrase (empty for no passphrase): [redacted]
Enter same passphrase again: [redacted]
Your identification has been saved in /home/groundcontrol/.ssh/tincan.
Your public key has been saved in /home/groundcontrol/.ssh/tincan.pub.
The key fingerprint is:
SHA256:6qhMpF/b62Zt63i/SVH6fZqqzB7uQc2kyryIwvR+FsQ groundcontrol@earth
Here we've elected to make a key pair with the name of our remote machine, tincan
. It lives in the .ssh
subdirectory of the user groundcontrol
's home directory. The private key stays on your local machine, and the public key gets sent to your remote machine.
ssh-keygen
will request an optional passphrase, which it will use to encrypt your private key when it's not being used. Use one.
2. Upload the Public Key to your Remote Machine
Now you must tell your remote SSH server that majortom
can be authenticated using your private key, /home/groundcontrol/.ssh/tincan
. To do so, you must append the contents of your public key, /home/groundcontrol/.ssh/tincan.pub
, to the authorized_keys
file for your remote user, /home/majortom/.ssh/authorized_keys
. We'll do this using ssh-copy-id
, but you can accomplish the same task with scp
or some other file transfer utility if it's not available.
groundcontrol@earth:~$ ssh-copy-id -i ~/.ssh/tincan.pub majortom@192.168.1.2
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/groundcontrol/.ssh/tincan.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
majortom@192.168.1.2's password:
Number of key(s) added: 1
Now try logging into the machine, with: "ssh 'majortom@129.168.1.2'"
and check to make sure that only the key(s) you wanted were added.
3. Configure an SSH Host
Would you rather type ssh tincan
or ssh majortom@192.168.1.2
to log in to your remote machine? To accomplish the former, append the following to the file /home/groundcontrol/.ssh/config
:
Host tincan
user majortom
HostName 192.168.1.2
IdentityFile /home/groundcontrol/.ssh/tincan
The Host value, tincan
, is the alias for your remote machine. The user value is the name of the user on the remote machine you'll log in as, majortom
. The HostName can be either a DNS name or an IP address for the remote machine. Here it's a local IP, 192.168.1.2
. The IdentityFile is the path to the private key you'll use to authenticate to the server, /home/groundcontrol/.ssh/tincan
.
4. Verify
Now go log in to your remote box.
groundcontrol@earth:~$ ssh tincan
Enter passphrase for key '/home/groundcontrol/.ssh/tincan': [redacted]
majortom@tincan:~$ cat ~/.ssh/authorized_keys
** DONE. **