Difference between revisions of "Accessing Linux Clients with SSH Public Key Authentication"
m |
m |
||
| Line 25: | Line 25: | ||
Copy the contents of your public key file and put them into the <code>~/.ssh/authorized_keys</code> file, '''all on one line'''. Each different key you authorize must be on one and only one line. | Copy the contents of your public key file and put them into the <code>~/.ssh/authorized_keys</code> file, '''all on one line'''. Each different key you authorize must be on one and only one line. | ||
| − | For example, a file that authorizes two keys might look like this: | + | For example, a file that authorizes two keys might look like this (though the RSA key has been trimmed for readability): |
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL72YKEfA+1f8Uhh4Mg4CcJsRrBatvxrRHuD19v7m1z0 example@laptop | ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL72YKEfA+1f8Uhh4Mg4CcJsRrBatvxrRHuD19v7m1z0 example@laptop | ||
| − | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKMHeeIdCVYzb9z8HnTp+ | + | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKMHeeIdCVYzb9z8HnTp+...7iEuEI08OPJboDsjFgtZ3O5Z+V+o1BepSJ3xHbdt example@desktop |
Save the file. | Save the file. | ||
Revision as of 15:45, 1 March 2018
All of our Linux clients can be accessed via SSH. (See our SSH key fingerprint page to verify their host keys.) You can use your CS password to access the systems, but we also support public key authentication. (See SSH.com's public key authentication page for an overview of what that does.)
Here is how to enable SSH public key authentication for your account:
Generate Public and Private Keys
This will be done on your personal computer (desktop, laptop, etc.). The particulars will vary depending on what software you're using to connect to our systems; you should check your software's documentation.
That said, if you're running OpenSSH (as practically any Linux system is), you can probably generate a key pair with the following command:
ssh-keygen -t ed25519 -o -a 100
When prompted, enter a good passphrase.
In any case, the key generation should leave you with two files, a public key and a private key. Keep the private key safe and don't share it with anyone. You'll use the public key in the next step.
Authorize Your Key
Log into one of our Linux clients. Create a ~/.ssh directory, if you don't already have one, then edit your ~/.ssh/authorized_keys file, creating it if necessary. The following commands will do that:
mkdir ~/.ssh chmod 0700 ~/.ssh nano ~/.ssh/authorized_keys
Copy the contents of your public key file and put them into the ~/.ssh/authorized_keys file, all on one line. Each different key you authorize must be on one and only one line.
For example, a file that authorizes two keys might look like this (though the RSA key has been trimmed for readability):
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL72YKEfA+1f8Uhh4Mg4CcJsRrBatvxrRHuD19v7m1z0 example@laptop ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKMHeeIdCVYzb9z8HnTp+...7iEuEI08OPJboDsjFgtZ3O5Z+V+o1BepSJ3xHbdt example@desktop
Save the file.
Without logging out, try to SSH to one of our clients using your key. If it works, you're good. Otherwise you'll need to figure out what the problem is. As long as you know your password, though, you'll be able to get in even if the key doesn't work.
Use Your Key
From this point, you should be able to use your private key to log in to our systems without being prompted for your password. How you tell your client to use the key will vary depending on the client.
If you're using OpenSSH and you didn't specify an alternate location for the key files when you generated them, everything should just work. If not, though, you can use SSH's -i parameter to explicitly tell it what key to use, e.g.:
ssh -i ~/.ssh/my-cs-key example@ugradx.cs.jhu.edu
ssh-copy-id
OpenSSH comes with a utility to simplify the above process; it's called ssh-copy-id. After generating your key, you can run ssh-copy-id from your desktop/laptop in the same way that you'd use ssh to log in to a system, e.g.:
ssh-copy-id example@ugradz.cs.jhu.edu
After that finishes, you should log into the system yourself and verify that your ~/.ssh/authorized_keys file only contains the keys you expect. Once that's done, you should be good to go.