Arvind Gopu's home on the web!

Setting up SSH keys

Why do I need to set up SSH keys?

Because it makes life easier and also more secure! Once you have your keys set up (as explained below) and run your ssh-agent, you will not need to enter your length-restricted Unix password at all! All you need to do is enter your pass phrase, which is not length-restricted the way Unix passwords are, once when you start your SSH agent.

Note: I've based the stuff below on the content of an IU Computer Science department's FAQ entry. You could take a look at that document, especially if you have trouble because you use KDE, etc.

Step-by-step Instructions

The following are the steps to set up SSH keys. (Once you set them up, you will not need to do it again unless something goes wrong.) Optional (but recommended) steps are shown in gray color.

On your personal workstation

  • Check if there is an existing .ssh directory and, if so, move it out of the way.
          ag@localhost agopu% mv ~/.ssh ~/.ssh_original
  • Create a new set of SSH keys.
          ag@localhost agopu% ssh-keygen -t dsa
    (It'll ask for a passphrase; enter your favorite (long!) passphrase.)
  • Create (or update) your authorized_keys file and make it readable/writable only by you.
          ag@localhost agopu% cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
          ag@localhost agopu% chmod 600 ~/.ssh/authorized_keys
  • Create (or update) your session-manual file as follows:
          ag@localhost agopu% pico ~/.gnome2/session-manual
    
          [Default]
          num_clients=1
          0,RestartStyleHint=3
          0,Priority=70
          0,RestartCommand=/usr/bin/ssh-add
  • Now that you have generated your key and also have an updated authorized_keys & session-manual file, your job at the workstation end is done.

For each {server, any other machine} you'd like to connect to:

  • From the workstation/laptop, scp your public key file id_dsa.pub to the server/machine you want to connect to.
          ag@localhost agopu% scp ~/.ssh/id_dsa.pub \
                              dna.informatics.indiana.edu:my_public_key
          agopu@dna.informatics.indiana.edu's password:
  • Connect to the server. You might want to move any existing .ssh/ dir out of the way and create a new one (I'd do this, though you could work with the existing directory too -- in this case you want to append your public key into the authorized_keys file.)
          ag@localhost agopu% ssh dna.informatics.indiana.edu
          agopu@dna.informatics.indiana.edu's password:
          ag@dna agopu% mv .ssh .ssh_original
          ag@dna agopu% mkdir .ssh
          ag@dna agopu% cat ~/my_public_key >> ~/.ssh/authorized_keys
          ag@dna agopu% chmod 600 ~/.ssh/authorized_keys
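
The server-side steps above (append the public key, then chmod 600) written as one re-runnable shell function. This is an added example, not part of the original page; the function name install_pubkey and its two arguments are assumptions.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE [HOME_DIR]   (hypothetical helper, added example)
# Appends one public key to HOME_DIR/.ssh/authorized_keys without clobbering
# existing entries and leaves the directory and file private to the owner.
install_pubkey() {
    pub=$1
    home_dir=${2:-$HOME}
    ssh_dir=$home_dir/.ssh
    auth=$ssh_dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # A .pub file holds one key; take its first non-empty line.
    key=$(sed -n '/[^[:space:]]/{p;q;}' "$pub")

    # Refuse anything that is not a public key line. A private key file
    # starts with "-----BEGIN", so copying the wrong file stops here.
    # ssh-dss is what this page's id_dsa.pub contains; OpenSSH has disabled
    # DSA (ssh-dss) keys by default since release 7.0.
    case $key in
        ssh-dss\ *|ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "$pub does not look like an SSH public key" >&2; return 2 ;;
    esac

    # Create new paths private from the start instead of fixing them later.
    old_umask=$(umask)
    umask 077
    mkdir -p "$ssh_dir" && touch "$auth"
    rc=$?
    umask "$old_umask"
    [ "$rc" -eq 0 ] || return 3

    # Tighten paths that already existed as well: sshd with StrictModes
    # ignores keys in files that group or others can write to.
    chmod 700 "$ssh_dir" && chmod 600 "$auth" || return 3

    # Append only when this exact line is absent, so re-running the
    # function never produces duplicate entries.
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}
```

On the server this would be called as install_pubkey ~/my_public_key after the scp step.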

Once you do the above two steps:

  • You will be prompted for a passphrase every time you log in to the console on your workstation/laptop. This is the same passphrase you used when you created your keys in step 1.
  • Once you log out and log back in to the console, and try connecting to DNA (the server in the above scenario), it will not ask for your password. It will let you in seamlessly!
    - This also applies when you try to do an scp of a file from your workstation to the server, and the like.
          ag@localhost agopu% ssh dna.informatics.indiana.edu
          Last login: Thu May  6 18:01:41 2004 from . . .
          agopu@dna agopu %