HOWTO Create ssh keys
DIRECTIONS FOR CREATING SSH KEY
Directions for creating an ssh key and letting two servers talk to each other without a password. Unless otherwise specified, all of these tasks are performed on server A, the local system; server B is the remote.
1st Change directory into .ssh and check what files are there.
```
[user@user ~]$ cd .ssh
[user@user .ssh]$ ls -l
total 4
-rw-r--r-- 1 user group 2980 Jun 13 12:02 known_hosts
```
*note* If the .ssh directory is not found in your /home/user directory you have two choices:
- 1: create it:
  [user@user ~]$ mkdir -m 700 .ssh
- 2: ssh into some other system. This to me is the better option. Not only will it create the ~/.ssh directory, but it will populate it with a known_hosts file with the correct permissions.
2nd Create the ssh key. We will be creating rsa versions of the keys, not dsa.
Example 1:
```
[user@user .ssh]$ ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:xTVFUbCg6pSREAlzFcW/R5wFWagnHoX8pRK9bjxtsFA user@localdomain
The key's randomart image is:
+---[RSA 4096]----+
|    o.++o+..+=*Oo|
|    o.. o.o+oE.o |
|     o +. B.*    |
|      = B X      |
|     S . @ +     |
|      o o B o    |
|     . o o       |
|                 |
|                 |
+----[SHA256]-----+
```
- *note* The -t flag is the TYPE of key to generate, in this case rsa; you can also use the newer, more secure ed25519 keys. Do not use the older DSA keys, they are not secure.
- The -b 4096 is the length of the RSA key in bits. A 4096-bit RSA key cannot be broken by any realistic amount of computation; cracking it would cost far more than it would ever be worth.
- Ed25519 keys have a fixed length, so the -b option is ignored for them.
- As this key is to be used in scripts there is no passphrase. This is less secure, but allows unattended access to the remote system, which is what scripting needs.
Example 2:
```
[user@user .ssh]$ ssh-keygen -t ed25519 -f /home/user/.ssh/foo-server_ed25519 -C 'user from foobar'
Generating public/private ed25519 key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/foo-server_ed25519.
Your public key has been saved in /home/user/.ssh/foo-server_ed25519.pub.
The key fingerprint is:
SHA256:m/CIlip11u/8c0cfyPp5rNXc8zTlBr7TNyRir1j0uI4 user from foobar
The key's randomart image is:
+--[ED25519 256]--+
|                 |
|                 |
|                 |
|                 |
|   .. S .. o .   |
|  . oo.+ o.oo=.*+|
|  . o+ ..+ .o+o=*O|
|  . o .. =.o.=BB |
|   .. .oEo*o=+.+ |
+----[SHA256]-----+
```
- *note* The -f and -C flags help keep order when there are multiple keys on the client side.
- The -f flag names the key file, say after the server it is associated with.
- The -C flag embeds a comment in the public key, say something about the user and the connection.
3rd check that there are two new files with the following permissions
```
[user@user .ssh]$ ls -l
total 12
-rw------- 1 user group 3243 Jun 22 15:50 id_rsa
-rw-r--r-- 1 user group  743 Jun 22 15:50 id_rsa.pub
-rw-r--r-- 1 user group 2980 Jun 13 12:02 known_hosts
```
4th change directory back to the user's $HOME
```
[user@user .ssh]$ cd
```
5th copy the key to the remote server
```
[user@user ~]$ ssh-copy-id -i ~/.ssh/id_rsa.pub user@<IP_SERVER_B>
user@<IP_SERVER_B>'s password:
Now try logging into the machine, with "ssh 'user@<IP_SERVER_B>'", and check in:

  .ssh/authorized_keys

to make sure we haven't added extra keys that you weren't expecting.
```
- ***note*** If you are connecting via any port other than 22, the command will be as follows:
  ssh-copy-id "user@host -p 8129"
  DO NOT FORGET THE " "... Replace 8129 with your specific port for ssh. (Current versions of ssh-copy-id also accept the port directly as -p 8129, given before the user@host argument.)
- Or you can put the port in a ~/.ssh/config file; see my other HOWTO: HOWTO Create SSH Config file
5a: If ssh-copy-id fails you can manually perform the same basic task as follows:
```
[user@user ~]$ scp ~/.ssh/id_rsa.pub user@<IP_SERVER_B>:/home/user/.ssh/
user@<IP_SERVER_B>'s password:
[user@user ~]$ ssh user@<IP_SERVER_B>
[user@user ~]$ cd .ssh
[user@user .ssh]$ cat id_rsa.pub >> authorized_keys
[user@user .ssh]$ ls -laF
total 88
drwx------   11 user group  374 Mar 14 19:32 ./
drwxrwxr-x+ 101 user group 3434 Mar 22 17:11 ../
-rw-------    1 user group 4424 Jan  5 21:17 authorized_keys
-rw-r--r--    1 user group  175 Jan  5 21:28 config
-r--------    1 user group 3239 Jul 21  2012 id_rsa
-rw-r--r--    1 user group  752 Jul 21  2012 id_rsa.pub
-rw-r--r--    1 user group 5657 Mar 14 19:32 known_hosts
```
- *note* If the target system already has id_rsa.pub then you will want to modify the scp command as follows:
```
[user@user ~]$ scp ~/.ssh/id_rsa.pub user@<IP_SERVER_B>:/home/user/.ssh/id_rsa.pub.foo
user@<IP_SERVER_B>'s password:
```
- *note* just replace foo with something that is a good identifier. User name, server IP, etc...
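The append in step 5a, written as a small function to run on server B. This is an added example, not part of the original HOWTO: it does what `cat id_rsa.pub >> authorized_keys` does, but refuses anything that is not an ssh-ed25519 or ssh-rsa public key line, skips a key that is already in authorized_keys (so repeated runs do not pile up the "extra keys that you weren't expecting" the ssh-copy-id message warns about) and sets the file mode sshd expects. The function name, the two-argument usage and the return codes are this example's own choices.

```shell
# Added example, not from the original HOWTO: manual fallback of step 5a,
# run on server B after the public key was copied there.
# Usage: install_authorized_key <pubkey file> [authorized_keys file]
# Returns 0 when the key was added or was already present, 2 on a bad input.
install_authorized_key() {
    pub=$1
    auth=${2:-$HOME/.ssh/authorized_keys}
    # A public key line is: <type> <base64 blob> [comment]
    ktype=$(awk 'NR == 1 { print $1 }' "$pub")
    blob=$(awk 'NR == 1 { print $2 }' "$pub")
    case "$ktype" in
        ssh-ed25519|ssh-rsa) ;;
        *) echo "refusing $pub: unsupported key type '$ktype'" >&2; return 2 ;;
    esac
    [ -n "$blob" ] || { echo "refusing $pub: no key material" >&2; return 2; }
    # Compare on the key blob only: the -C comment may differ between copies.
    if [ -f "$auth" ] && awk -v b="$blob" '$2 == b { found = 1 } END { exit !found }' "$auth"; then
        echo "already present in $auth: $ktype key from $pub"
        return 0
    fi
    mkdir -p -m 700 "$(dirname "$auth")"
    # printf guarantees a trailing newline even if the .pub file lacks one,
    # so the next appended key cannot be glued onto this line.
    printf '%s\n' "$(head -n 1 "$pub")" >> "$auth"
    chmod 600 "$auth"
    echo "added $ktype key from $pub to $auth"
}
```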
- *note* You might need to change the permissions of the above files. The key files that must be correct are: authorized_keys, id_rsa.pub, and known_hosts. If those have the wrong permissions your ssh key will fail and you will be prompted for a password on each ssh connection attempt.
- *note* Also be mindful of the permissions for the ~/.ssh directory. It must be:
```
drwx------. 2 user group 4096 Mar 14 15:23 .ssh/
```
- If the permissions are not restrictive enough ssh will not trust the keys and will ignore them.
6th, follow directions on the screen.
```
[user@user ~]$ ssh user@<IP_SERVER_B>
Last login: Fri Jun 22 14:12:08 2012 from 10.10.4.77
[user@user ~]$ exit
logout
Connection to <IP_SERVER_B> closed.
```
7th, Troubleshooting
In addition to checking the above permissions, also verify that your /home/user directory has permissions 700:
```
[user@user ~]$ chmod 700 /home/user/
```
I just ran into this issue on one of my laptops, and this was the solution. I had checked my permissions on ~/.ssh and all of those files; I also checked the permissions of /etc/ssh/sshd_conf and even went so far as to reinstall openssh-server and client.
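The permission checks from step 3, the notes after 5a and step 7, collected into one audit so a "still prompted for a password" problem can be pinned down instead of guessed. This is an added example, not part of the original HOWTO; the function names, the FIX environment variable and the choice of 755 as the loosest acceptable home directory mode (what sshd's StrictModes tolerates; the HOWTO itself wants 700) are this example's assumptions.

```shell
# Added example, not from the original HOWTO. Prints one line per path that is
# looser than ssh/sshd accept and returns 1 if any was found, else 0. With FIX=1
# set in the environment it also applies the chmod the HOWTO suggests.
# Usage: check_ssh_perms [home dir]   (defaults to $HOME)

# Octal permission bits of a path (GNU stat, with BSD stat as a fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"; }

# True when $1 has a permission bit set that the octal mask $2 does not allow.
too_open() { [ $(( 0$(mode_of "$1") & ~0$2 )) -ne 0 ]; }

# check_paths MAX FIXMODE PATH...: report (and with FIX=1 chmod) paths looser than MAX.
check_paths() {
    max=$1; want=$2; shift 2
    for p; do
        [ -e "$p" ] || continue
        if too_open "$p" "$max"; then
            echo "TOO OPEN: $p is $(mode_of "$p"), must be at most $max"
            [ "${FIX:-0}" = 1 ] && chmod "$want" "$p"
            found=1
        fi
    done
}

check_ssh_perms() {
    home=${1:-$HOME}; found=0
    [ -d "$home/.ssh" ] || { echo "MISSING: $home/.ssh (see step 1)"; return 1; }
    # sshd (StrictModes) rejects a home or .ssh directory that group/others can
    # write to; the HOWTO goes further and wants both at 700.
    check_paths 755 700 "$home"
    check_paths 700 700 "$home/.ssh"
    # Public material may be world-readable, but nobody else may write it.
    check_paths 644 644 "$home"/.ssh/*.pub "$home/.ssh/authorized_keys" \
                        "$home/.ssh/known_hosts" "$home/.ssh/config"
    # Everything else in ~/.ssh is a private key: ssh ignores it unless it is 600.
    for f in "$home"/.ssh/*; do
        case "$f" in
            *.pub|*/authorized_keys|*/known_hosts|*/config) ;;
            *) check_paths 600 600 "$f" ;;
        esac
    done
    return "$found"
}
```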
END OF DIRECTIONS FOR CREATING SSH KEY
Depending on your needs, it might be a good idea to perform this in both directions, so that server B can also log into server A without a password.