HOWTO Create ssh keys

From LQWiki


Directions for creating an ssh key pair and letting two servers talk to each other without a password. Unless otherwise specified, all of these tasks are performed on server A, where server A is the local system and server B is the remote one.

1st Change directory into .ssh and check what files are there.

[user@user ~]$ cd .ssh
[user@user .ssh]$ ls -l
total 4
-rw-r--r-- 1 user group 2980 Jun 13 12:02 known_hosts

*note* If there is no .ssh directory in your /home/user directory, you have two choices.

1: create it...
[user@user ~]$ mkdir -m 700 .ssh
2: ssh into some other system. This to me is the better option. Not only will
it create the ~/.ssh directory, but it will also populate it with a known_hosts
file, both with the correct permissions.

2nd Create the ssh key. We will be creating rsa versions of the keys, not dsa.

Example 1:

[user@user .ssh]$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/
The key fingerprint is:
SHA256:xTVFUbCg6pSREAlzFcW/R5wFWagnHoX8pRK9bjxtsFA user@localdomain
The key's randomart image is:
+---[RSA 4096]----+
|    o.++o+..+=*Oo|
|     o.. o.o+oE.o|
|        o +. B.* |
|         =  B X  |
|        S  . @ + |
|       o    o B o|
|        .    o o |
|                 |
|                 |
*note* The -t flag selects the TYPE of key to generate, in this case rsa; you can also use the
newer, more secure ed25519 keys. Do not use the older DSA keys, they are not secure.

The -b 4096 is the size of the RSA key in bits. 4096 bits is military grade encryption
and basically impossible to crack without spending far more money than it would be worth.
Ed25519 keys have a fixed length, so the -b option is ignored for them.

As this key is to be used in scripts, it has no passphrase. This is less secure, but
it allows unattended access to the remote system, which is what scripting needs.

Example 2:

[user@user .ssh]$ ssh-keygen -t ed25519 -f /home/user/.ssh/foo-server_ed25519 -C 'user from foobar'
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/foo-server_ed25519.
Your public key has been saved in /home/user/.ssh/
The key fingerprint is:
SHA256:m/CIlip11u/8c0cfyPp5rNXc8zTlBr7TNyRir1j0uI4 user from foobar
The key's randomart image is:
+--[ED25519 256]--+
|                 |
|                 |
|                 |
|                 |
|     .. S  .. o .|
|  . oo.+ o.oo=.*+|
| . o+ ..+ .o+o=*O|
|.  o   .. =.o.=BB|
| ..    .oEo*o=+.+|
*note* The -f and -C flags help keep order when there are multiple keys on the client side.
The -f flag names the key file, say after the server it is associated with.
The -C flag embeds a comment in the public key, say something about the user and the connection.
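As an added example (my own script, not part of the original HOWTO), here is the same key generation done from a script without any prompts, plus two checks worth doing before the key goes anywhere: that the .pub file really belongs to the private key (ssh-keygen -y regenerates the public key from the private one, so the two can be compared) and what its fingerprint is, so you can recognise it later in an authorized_keys file. It assumes OpenSSH's ssh-keygen is installed; the function names and the key paths passed to them are mine.

```shell
#!/bin/sh
# Added example (not from the LQWiki page): non-interactive key generation
# plus sanity checks. Assumes OpenSSH's ssh-keygen is on the PATH.
set -eu

# make_key TYPE FILE COMMENT [BITS]
# Generates FILE and FILE.pub with an empty passphrase (-N ''), as the page
# does for keys used by scripts, without prompting. BITS is only meaningful
# for rsa; ed25519 keys have a fixed size and ssh-keygen ignores -b for them.
make_key() {
    ssh-keygen -q -t "$1" -f "$2" -N '' -C "$3" ${4:+-b "$4"}
}

# pubkey_matches FILE
# Regenerates the public key from the private key (-y) and compares its key
# material with what is stored in FILE.pub. Only the type and base64 fields
# are compared, because the comment field may legitimately differ.
pubkey_matches() {
    derived=$(ssh-keygen -y -f "$1" | awk '{print $1, $2}')
    stored=$(awk '{print $1, $2}' "$1.pub")
    [ "$derived" = "$stored" ]
}

# fingerprint FILE
# Prints the SHA256 fingerprint of FILE.pub, the same string ssh-keygen shows
# when the key is created. Handy for recognising the key in authorized_keys.
fingerprint() {
    ssh-keygen -l -f "$1.pub" | awk '{print $2}'
}

# key_type FILE: the key type recorded in FILE.pub (ssh-rsa, ssh-ed25519, ...).
key_type() {
    awk '{print $1}' "$1.pub"
}

# key_comment FILE: the -C comment recorded in FILE.pub.
key_comment() {
    cut -d' ' -f3- "$1.pub"
}

# Usage (paths are examples):
#   make_key ed25519 ~/.ssh/foo-server_ed25519 'user from foobar'
#   pubkey_matches ~/.ssh/foo-server_ed25519 && fingerprint ~/.ssh/foo-server_ed25519
```

Run pubkey_matches whenever you are unsure which .pub goes with which private key; a mismatch means the public key you are about to copy to server B will never be accepted by the private key you log in with.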

3rd, check that there are two new files with the following permissions:

[user@user .ssh]$ ls -l
total 12
-rw------- 1 user group 3243 Jun 22 15:50 id_rsa
-rw-r--r-- 1 user group  743 Jun 22 15:50
-rw-r--r-- 1 user group 2980 Jun 13 12:02 known_hosts

4th, change directory back to the user's $HOME

[user@user .ssh]$ cd

5th, copy the key to the remote server

[user@user ~]$ ssh-copy-id -i ~/.ssh/ user@<IP_SERVER_B>
user@<IP_SERVER_B>'s password:
Now try logging into the machine, with "ssh 'user@<IP_SERVER_B>'", and check in:
to make sure we haven't added extra keys that you weren't expecting.
***note*** If you are connecting via any port other than 22, the command is as follows:
ssh-copy-id "user@host -p 8129"
DO NOT FORGET THE " "... Replace 8129 with your specific ssh port.

Or you can create a ~/.ssh/config file; see my other HOWTO: HOWTO Create SSH Config file

5a: If ssh-copy-id fails, you can manually perform the same basic task as follows:

[user@user ~]$ scp ~/.ssh/ user@<IP_SERVER_B>:/home/user/.ssh/
user@<IP_SERVER_B>'s password:
[user@user ~]$ ssh user@<IP_SERVER_B>
[user@user ~]$ cd .ssh
[user@user ~]$ cat >> authorized_keys
[user@user ~]$ ls -laF
total 88
drwx------   11 user  group         374 Mar 14 19:32 ./
drwxrwxr-x+ 101 user  group	   3434 Mar 22 17:11 ../
-rw-------    1 user  group        4424 Jan  5 21:17 authorized_keys
-rw-r--r--    1 user  group         175 Jan  5 21:28 config
-r--------    1 user  group        3239 Jul 21  2012 id_rsa
-rw-r--r--    1 user  group         752 Jul 21  2012
-rw-r--r--    1 user  group        5657 Mar 14 19:32 known_hosts
*note* If the target system already has then you will want to modify the scp command as follows:
[user@user ~]$ scp ~/.ssh/ user@<IP_SERVER_B>:/home/user/.ssh/
user@<IP_SERVER_B>'s password:
*note* just replace foo with something that is a good identifier. User name, server IP, etc...
*note* You might need to change the permissions of the above files. The key files that
must be correct are: authorized_keys,, and known_hosts. If those
have the wrong permissions your ssh key will fail and you will be prompted for
a password for each ssh connection attempt.

*note* Also be mindful of the permissions of the ~/.ssh directory. It must be:
drwx------.  2 user  group      4096 Mar 14 15:23 .ssh/
If the permissions are not restrictive enough, ssh will not trust the keys and will
ignore them.

6th, follow the directions on the screen.

[user@user ~]$ ssh user@<IP_SERVER_B>
Last login: Fri Jun 22 14:12:08 2012 from
[user@user ~]$ exit
Connection to <IP_SERVER_B> closed.

7th, Troubleshooting

In addition to checking the above permissions, also verify that your /home/user directory has permissions 700:

[user@user ~]$ chmod 700 /home/user/
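As an added example (mine, not from the original HOWTO) covering the manual install in 5a, the permission notes that follow it and the home directory check in this troubleshooting step: a small script that appends a public key to authorized_keys only if it is not already there (a plain cat >> adds another copy every time it is run), creates ~/.ssh and authorized_keys with the right modes, and reports any file whose permissions would make ssh or sshd ignore the key. It assumes GNU stat (stat -c '%a'); the function names are mine, and the directory arguments let you point it at a scratch directory for testing instead of the real ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the LQWiki page): the server-side half of step 5a
# done idempotently, plus the permission checks from the notes.
# Assumes GNU coreutils stat; tested against a scratch directory.
set -eu

# mode PATH: numeric permission bits, e.g. 700 or 644 (GNU stat assumed).
mode() {
    stat -c '%a' "$1"
}

# install_authorized_key PUBKEY_FILE SSH_DIR
# Appends the key in PUBKEY_FILE to SSH_DIR/authorized_keys unless the same
# key material is already present. Creates the directory (700) and the file
# (600) if they do not exist yet.
install_authorized_key() {
    pub=$1; dir=$2; auth="$dir/authorized_keys"
    [ -d "$dir" ] || mkdir -m 700 "$dir"
    [ -f "$auth" ] || { : > "$auth"; chmod 600 "$auth"; }
    # Match on the base64 key material only: an existing line may carry a
    # different comment or an options prefix, but the material is unique.
    material=$(awk '{print $2}' "$pub")
    comment=$(cut -d' ' -f3- "$pub")
    if grep -qF -- "$material" "$auth"; then
        echo "already present: $comment"
        return 0
    fi
    cat "$pub" >> "$auth"
    echo "installed: $comment"
}

# count_authorized_keys SSH_DIR: number of key lines (ignores blanks/comments).
count_authorized_keys() {
    grep -c -v -e '^[[:space:]]*$' -e '^#' "$1/authorized_keys" || true
}

# check_ssh_perms SSH_DIR HOME_DIR
# Prints one line per file whose mode would make the key be ignored and
# returns 1 if anything needs fixing, 0 when everything is acceptable.
check_ssh_perms() {
    dir=$1; home=$2; bad=0
    # sshd (with the default StrictModes) refuses keys when the home directory
    # or .ssh is writable by group or other; the page's chmod 700 satisfies this.
    case $(mode "$home") in
        *[0145][0145]) ;;
        *) echo "$home: group/other must not have write (is $(mode "$home"))"; bad=1 ;;
    esac
    [ "$(mode "$dir")" = 700 ] || { echo "$dir: should be 700 (is $(mode "$dir"))"; bad=1; }
    # authorized_keys and private keys: owner only. The ssh client refuses a
    # private key that others can read, so 400 is acceptable as well as 600.
    for f in "$dir"/authorized_keys "$dir"/id_*; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac
        case $(mode "$f") in
            600|400) ;;
            *) echo "$f: should be 600 (is $(mode "$f"))"; bad=1 ;;
        esac
    done
    # public keys and known_hosts may be world-readable but never group/other-writable
    for f in "$dir"/*.pub "$dir"/known_hosts; do
        [ -f "$f" ] || continue
        case $(mode "$f") in
            *[0145][0145]) ;;
            *) echo "$f: group/other must not have write (is $(mode "$f"))"; bad=1 ;;
        esac
    done
    return "$bad"
}

# Usage on server B, after scp'ing the .pub file over (paths are examples):
#   install_authorized_key ~/foo-server_ed25519.pub ~/.ssh
#   check_ssh_perms ~/.ssh "$HOME"
```

If check_ssh_perms reports anything, fix the listed file and retry the login from step 6; the symptom of a bad mode is exactly the one the notes describe, a password prompt instead of a key login, with no error on the client side.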

I just ran into this issue on one of my laptops. This was the solution. I checked my permissions on ~/.ssh and all of those files. I also checked the permissions of /etc/ssh/sshd_conf, and even went so far as to reinstall openssh-server and client.

Depending on your needs, it may be a good idea to perform this procedure in both directions, so that server B can also log in to server A.