In last post we saw how to use Expect Script for login to remote server using SSH. The problem with Expect script is that your password is written in a normal text file and can be compromised. Similar problem arises with password because if someone knows your password, he can easily login to your remote server.
SSH provides a more secure way to login using SSH Public Key authentication that doesn’t require password. This method has two levels of security because it also requires a passphrase, so hacker will need both of these to login to remote server. In this post, we will learn how easily we can setup public key authentication between your local machine and remote server.
Generate SSH Key Pair
First of all we need to generate the public and private keys that will be used for SSH authentication purpose. We can generate these using
ssh-keygen. The private and public key needs to be generated at the local machine.
pankaj@Pankajs-MacBook-Pro:~$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (/Users/pankaj/.ssh/id_rsa): <ENTER> Enter passphrase (empty for no passphrase): <passphrase> Enter same passphrase again: <passphrase> Your identification has been saved in /Users/pankaj/.ssh/id_rsa. Your public key has been saved in /Users/pankaj/.ssh/id_rsa.pub. The key fingerprint is: e7:ad:6c:d8:06:rr:8f:ef:5s:fe:e2:2f:05:9c:5f:b0 pankaj@Pankajs-MacBook-Pro.local The key's randomart image is: +--[ RSA 2048]----+ | | | | | . | | . + | | D E .| | .o . o.| | =. . +| | ..=. ..* | | oo.o=*o*| +-----------------+
For better security purpose, you should never leave passphrase empty. Once the SSH key pair is generated we are ready to move to next step.
Setting up Remote Server with Public Key
Once the public key is generated (/Users/pankaj/.ssh/id_rsa.pub), the next task is to copy it over to the remote server. You can use
ssh-copy-id for copying the public key to the remote server but it’s not available in OpenSSH. So you will have to either SFTP the public key or you can just copy paste it to the authorized_keys at the remote server. Also we need to change the permissions on the ssh directory and authorized_keys file.
pankaj@and [~]# mkdir .ssh pankaj@and [~]# cd .ssh/ pankaj@and [~/.ssh]# vi authorized_keys <paste the contents from /Users/pankaj/.ssh/id_rsa.pub> pankaj@and [~/.ssh]# cd pankaj@and [~]# chmod 700 .ssh pankaj@and [~]# chmod 600 .ssh/authorized_keys
After you are done with above steps, you can login to the remote server without using password.
pankaj@Pankajs-MacBook-Pro:~$ ssh email@example.com Last login: Mon Jun 10 22:05:25 2013 from c-67-161-57-160.hsd1.ca.comcast.net pankaj333@and [~]#
- If you are on Mac OS, when you will try to login first time, Keychain window will popup asking for passphrase. You can use remember password option so that it won’t ask for passphrase again.
- If you are on Unix or Linux system, you will be asked to enter passphrase for login but you can avoid that using
pankaj@Pankajs-MacBook-Pro:~$ ssh-agent $SHELL pankaj@Pankajs-MacBook-Pro:~$ ssh-add Enter passphrase for /Users/pankaj/.ssh/id_rsa: Identity added: /Users/pankaj/.ssh/id_rsa (/Users/pankaj/.ssh/id_rsa) pankaj@Pankajs-MacBook-Pro:~$
- Make sure to delete the public key file (/Users/pankaj/.ssh/id_rsa.pub) after you have added it to the remote host.