The Secure Shell (SSH) protocol provides secure, encrypted connections
between systems for logins or file transfers. You can log in from an SSH
client to an SSH server with a username and password, or with a public and
private key pair: the public key for a user's account is stored on the
remote SSH server, while the corresponding private key is stored on the
system from which the user initiates the SSH or SFTP connection. Private
keys are normally stored in the .ssh directory beneath the home directory
for your account. If you haven't created any keys yet, the directory may
only contain a known_hosts file, which holds the public keys of servers
you've previously logged into:
$ ls .ssh
known_hosts
$
That directory should have file permissions that only grant access to the user.
$ ls -ld .ssh
drwx------. 2 abe abe 54 Jan 23 12:54 .ssh
$
If necessary, you can set those permissions with chmod 700 ~/.ssh.
Use the ssh-keygen utility to generate an RSA key pair for version 2 of the SSH protocol.
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/abe/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/abe/.ssh/id_rsa.
Your public key has been saved in /home/abe/.ssh/id_rsa.pub.
The key fingerprint is:
41:70:f4:f0:24:ac:34:13:9b:c4:db:1f:5c:ca:25:92 email@example.com
The key's randomart image is:
+--[ RSA 2048]----+
|      .+=*..     |
|     .==E*. o    |
|      .o*.+o=    |
|       o ..=     |
|        S. .     |
|         .       |
|                 |
|                 |
|                 |
+-----------------+
$
After you generate the key pair, you will see two other files in the .ssh
directory:
$ ls -l .ssh
total 12
-rw-------. 1 abe abe 1766 Jan 23 12:54 id_rsa
-rw-r--r--. 1 abe abe  408 Jan 23 12:54 id_rsa.pub
-rw-r--r--. 1 abe abe 2370 Apr 30  2017 known_hosts
$
The id_rsa file, which should be accessible only by the user, contains the
private key, while the id_rsa.pub file contains the public key, which can be
placed on other servers that you wish to access via SSH. The contents of
that public key file have to be placed in the ~/.ssh/authorized_keys file on
the remote SSH server under the account you wish to log into on that server.
If that file already exists, append the contents of id_rsa.pub at the end of
the file.
If you need to create that file, it should be readable and writable only by
the user's account and not accessible by others. You can set that
permission, if needed, using chmod 600 ~/.ssh/authorized_keys. Alternatively,
you can use the ssh-copy-id utility to copy the new public key into the
authorized_keys file on the remote server, e.g.
ssh-copy-id username@remote_address, where
username is the user account on the remote system that you wish
to log into - it doesn't necessarily have to be the same user name as
the one you are using on the local system - and remote_address
is the fully qualified domain name (FQDN) or IP address of the
remote SSH server. When you issue the command, it is normal to see the
message "The authenticity of host '...' can't be established" if you haven't
previously connected to that server. If you type "yes", the public host key
of the remote SSH server will be added to the end of the
~/.ssh/known_hosts file. You will then be prompted to provide
the password to log into the remote system, since you won't have your
new public key in that server's
authorized_keys file yet.
$ ssh-copy-id firstname.lastname@example.org
The authenticity of host 'example.org (192.168.98.25)' can't be established.
ECDSA key fingerprint is 9e:8f:52:0e:d6:87:da:7d:e6:21:e2:e8:f5:ca:d4:c1.
Are you sure you want to continue connecting (yes/no)? yes
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
email@example.com's password:

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh 'firstname.lastname@example.org'"
and check to make sure that only the key(s) you wanted were added.

$
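As an added example (not code from the original article), the following POSIX shell script does locally what the append step above describes: it installs a public key into an authorized_keys file only if the same key is not already there, sets the 700/600 permissions the article recommends, and audits a .ssh directory for private files readable by group or others. The function names, the scratch directory and the key line are constructed for the demonstration; it assumes GNU stat (stat -c).

```shell
#!/bin/sh
# Added example, not from the original article. Idempotent stand-in for
# "append id_rsa.pub to ~/.ssh/authorized_keys" plus a permission audit.
# Assumes GNU coreutils (stat -c %a).

# install_pubkey PUBKEY_FILE SSH_DIR
# Appends the key in PUBKEY_FILE to SSH_DIR/authorized_keys unless the same
# key (type + base64 blob; the comment is ignored) is already present,
# creating the directory as 0700 and the file as 0600 on the way.
install_pubkey() {
    pub=$1; dir=$2; auth=$dir/authorized_keys
    keyid=$(awk 'NF >= 2 { print $1 " " $2; exit }' "$pub")
    [ -n "$keyid" ] || { echo "no key found in $pub" >&2; return 1; }
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    if awk 'NF >= 2 { print $1 " " $2 }' "$auth" | grep -qxF -- "$keyid"; then
        echo "key already present in $auth"; return 0
    fi
    # awk rather than cat, so the appended key always ends with a newline
    awk 'NF >= 2 { print; exit }' "$pub" >> "$auth" && echo "key added to $auth"
}

# check_ssh_perms SSH_DIR
# Reports the directory if it is not 0700, and any private key or
# authorized_keys file with group/other bits set. Returns 1 on any finding.
check_ssh_perms() {
    dir=$1; rc=0
    [ "$(stat -c %a "$dir")" = 700 ] || { echo "$dir: mode should be 700"; rc=1; }
    for f in "$dir"/id_* "$dir"/authorized_keys; do
        [ -f "$f" ] || continue
        case $f in *.pub) continue ;; esac   # public halves may be 644
        mode=$(stat -c %a "$f")
        case $mode in
            *00) ;;                          # no group/other bits: fine
            *) echo "$f: mode $mode has group/other bits set"; rc=1 ;;
        esac
    done
    return $rc
}

# Demonstration on a scratch directory with a constructed (not real) key line.
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedkey abe@laptop\n' \
    > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/ssh"   # first run: key added
install_pubkey "$demo/id_rsa.pub" "$demo/ssh"   # second run: already present
check_ssh_perms "$demo/ssh" && echo "permissions look right"
```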
If you then log into the remote SSH server via SSH and you set a passphrase
for the private key file, you will see a prompt such as "Enter password to
unlock the private key", but you won't see a password prompt for the remote
SSH server itself.
If you ever want to remove the passphrase protection from the private key
file, you can do so with
ssh-keygen -p. You will be prompted
to provide the current passphrase and a new passphrase. To have no passphrase
protection, just hit enter when prompted to enter the new passphrase.
$ ssh-keygen -p
Enter file in which the key is (/home/abe/.ssh/id_rsa):
Enter old passphrase:
Key has comment '/home/abe/.ssh/id_rsa'
Enter new passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved with the new passphrase.
$
If the private key has no passphrase protection, you will get the shell
prompt on the remote system immediately when you log in via SSH, with no
password prompt at all:
$ ssh email@example.com
Last login: Tue Jan 23 18:42:08 2018 from 220.127.116.11
$
Likewise, when you use sftp to transfer a file or files from the remote
system to the local one, the transfer proceeds without a password prompt:
$ sftp firstname.lastname@example.org:temp/lvm.txt
Connected to example.org.
Fetching /home/abe/temp/lvm.txt to lvm.txt
/home/abe/temp/lvm.txt                        100%  469     0.5KB/s   00:00
$