Something that plagued me when I first started working with DevOps and servers was juggling a million different passwords for different hosts. What I quickly found was that replacing password authentication with key-based authentication, using a unique SSH key pair per server, removed passwords from the equation entirely. It took me a while to get a handle on exactly what that meant and how to implement it, but I think this guide can shed some light on a quick and painless way to set it up for yourself.
I’ll preface this with the statement that this article is written with macOS and Linux examples and terminology. Windows users should probably seek another avenue for this info, or consider changing OSes. In fact, there will be another post in the near future on what OS seems to be best for web development and how to change easily.
We’ll assume that you already have a general key pair in your ~/.ssh folder and want to create a new, unique one specifically for this server.
- Step 1: Generate the new key pair. On macOS or Linux, run the following command in a terminal window (an RSA key with a 4096-bit modulus; the -C comment is just a label that ends up in the public key so you can recognise it later):
ssh-keygen -t rsa -b 4096 -C "email@example.com"
It will then ask you a few more questions:
Enter file in which to save the key (/home/demo/.ssh/id_rsa):
You will want to change this to something else, so enter the same path but change id_rsa to a different name. I usually name them id_rsa-servername or similar. Hit return when you are done for the next question:
Enter passphrase (empty for no passphrase):
It’s up to you whether you want to use a passphrase, but it does have a real benefit: without one, the private key file sits on disk in plaintext, and anyone who can read it (a stolen laptop, a bad backup, a compromised account) can log in as you immediately. A passphrase encrypts the key at rest, so a thief has to brute-force the passphrase first, buying you time to remove the public key from the server’s authorized_keys before it can be used. The only downside is having to type the passphrase each time you use the key pair, and even that goes away if you load the key into ssh-agent (ssh-add) or, on macOS, the system keychain. You will be asked to confirm the passphrase before generation completes.
If you have followed the process correctly, you will see something like the following (this sample is from a 2048-bit key saved as demo_key; yours will show your own filename, RSA 4096 and a different fingerprint, and newer OpenSSH releases print the fingerprint as SHA256:… rather than the colon-separated MD5 form shown here):
Your identification has been saved in /Users/user/.ssh/demo_key.
Your public key has been saved in /Users/user/.ssh/demo_key.pub.
The key fingerprint is:
f3:60:5f:b3:bd:9c:b9:dd:5f:8f:86:8a:5f:a9:fb:9d firstname.lastname@example.org
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|                 |
|                 |
|        S o      |
|       . = . =   |
|        o +.. .  |
|       . o.o.B+  |
|        ..=+..E.*|
+-----------------+
- Step 2: Add your keys to a server to allow for key-based login.
Now that we have the keys, you need to copy your public key (the .pub file, never the private key) to your clipboard. In a terminal window, print it with cat:
cat /Users/demo/.ssh/demo_key.pub
You will get something back that looks like the following:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzGb3fI+thCtE3kJ3I1+jngDtzdytpT6fxLxEoW2xw6313CmRGxVsRODVyXvff6UJw1nPnyZYCvfdFnM1/0Qh8excpCHJ5SrQ0g+lrv15I9cUX1yP8koY5s+PRoliGrDITVRyvFCS5Bel9MQhrJn4+XF98NeAsoDBI+MZ4LPdwBWljO64tEkGMPDIUsRYhZNcqIvpkdFcPMO5xB3GzJRpVqddlaxs6vbmOusKwJJJHfPZvmoWF49qs0A+Futh9fPQstTU2M/jSMR9aE5SBwUvcKedUcrf+sL0EwqHavq0+UZncTd9wd5+zDiHyLTt6ysbQjDdNcVxBDAxCKLkz5aqT email@example.com
Alternatively, on macOS you can pipe the cat command above into pbcopy to put the key straight onto your clipboard:
cat /Users/demo/.ssh/demo_key.pub | pbcopy
Once you have the key in your clipboard, do a standard (password) ssh into whatever computer or server you want to use key login for. Once you are logged in, cd into the .ssh folder in your home directory and open (or create; sometimes it doesn’t exist) a file named authorized_keys. Move to the end of the file and paste in the key from your clipboard. Make sure that EACH key is on its own single line, with NO blank lines in between; a key that has been wrapped onto two lines is silently ignored by sshd. Permissions matter too: with its default StrictModes setting, sshd ignores the file if ~/.ssh or authorized_keys is writable by other users, so chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys if you had to create them.
You can add keys from multiple client machines or users to one server this way. If your client has ssh-copy-id installed, it does all of the above in one step: ssh-copy-id -i /Users/demo/.ssh/demo_key.pub myUser@192.168.1.111
- Step 3: Create a local SSH config file to have a local shortcut to your server using your new keys. On the local machine that has the keys you generated in step 1, open a terminal and go to your user’s .ssh folder with cd ~/.ssh, then either open or create a file called config:
Type the following lines, changing the parameters to match your login details:
Host myserver
    HostName 192.168.1.111
    User myUser
    IdentityFile /Users/demo/.ssh/id_rsa-demo
- HostName – The hostname of the server you want this alias to refer to. Can be an FQDN or an IP address.
- User – The username of the account that the key was assigned to on the remote server.
- IdentityFile – Local path to the private key you made for this server in step 1. MUST match the public key you added to the server in step 2.
And we are done! You can test this by running the following command from a local terminal window:
ssh myserver
- myserver – is the value of the Host field in step 3.
If you still get a password prompt, run ssh -v myserver and look at which identity file the client offered; an IdentityFile that doesn’t match the public key you pasted in step 2 is the usual cause. Once key login works, you can finish taking passwords out of the equation by setting PasswordAuthentication no in the server’s /etc/ssh/sshd_config and restarting sshd, but only after confirming key login in a separate session so you don’t lock yourself out.
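As an added example (not from the original post), here is the step 2 and step 3 work as a small bash script rather than a manual paste: it validates that what you are about to add really is a single-line OpenSSH public key, creates ~/.ssh and authorized_keys with the permissions sshd expects, refuses to add a key twice, guarantees the appended key lands on its own line, and prints the config stanza. It uses only standard shell tools (no ssh needed), and the SSH_HOME variable is an assumption of this script, not an OpenSSH setting; it exists so the functions can be exercised against a scratch directory instead of your real ~/.ssh. The ed25519 key in the demo is constructed for illustration, not a real key.

```bash
#!/usr/bin/env bash
# Added example: defensive authorized_keys handling for step 2 and a config
# stanza generator for step 3. SSH_HOME is an assumed variable of this script
# (not an OpenSSH option) that redirects ~/.ssh to a scratch directory.
set -eu

ssh_dir() { printf '%s/.ssh' "${SSH_HOME:-$HOME}"; }

# Accept only a single line shaped like "<type> <base64 blob> [comment]"
# for a key type OpenSSH would actually load.
valid_pubkey_line() {
    local line=$1
    [ "$(printf '%s' "$line" | wc -l | tr -d ' ')" -eq 0 ] || return 1
    printf '%s' "$line" | grep -Eq \
        '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Append one key to authorized_keys.
# Returns 0 if added, 2 if the same key (type + blob) is already there, 1 if invalid.
add_authorized_key() {
    local key=$1 dir file blob
    dir=$(ssh_dir); file="$dir/authorized_keys"
    valid_pubkey_line "$key" || return 1
    # sshd's StrictModes (the default) ignores the file if ~/.ssh or
    # authorized_keys is writable by others, so create both with safe modes.
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"
    # Deduplicate on "type blob" only, so a different comment is not a new key.
    blob=$(printf '%s' "$key" | awk '{print $1 " " $2}')
    if awk -v b="$blob" '($1 " " $2) == b {found = 1} END {exit !found}' "$file"; then
        return 2
    fi
    # If the file does not end in a newline, add one first so two keys never
    # share a line (sshd silently ignores a line it cannot parse).
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    printf '%s\n' "$key" >> "$file"
}

# Number of key lines (blank lines and # comments excluded) in authorized_keys.
count_authorized_keys() {
    local file; file="$(ssh_dir)/authorized_keys"
    [ -f "$file" ] || { echo 0; return; }
    grep -cEv '^[[:space:]]*(#|$)' "$file" || true
}

# Print the step 3 ~/.ssh/config stanza. IdentitiesOnly stops the client from
# offering every key it knows about, which otherwise burns through the
# server's MaxAuthTries once you have collected several per-server keys.
ssh_config_stanza() {
    local alias=$1 host=$2 user=$3 keyfile=$4
    printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n' \
        "$alias" "$host" "$user" "$keyfile"
}

# Demo against a scratch directory using a constructed (not real) public key.
if [ "${1:-}" = "--demo" ]; then
    SSH_HOME=$(mktemp -d)
    demo_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVkX2V4YW1wbGVfa2V5X2Jsb2I demo@example.com'
    add_authorized_key "$demo_key" && echo "added"
    add_authorized_key "$demo_key" || echo "already present (rc=$?)"
    echo "keys in authorized_keys: $(count_authorized_keys)"
    ssh_config_stanza myserver 192.168.1.111 myUser ~/.ssh/id_rsa-demo
fi
```

Run it with --demo to see the add, the duplicate rejection and the generated stanza; to use it for real, source the file and call add_authorized_key on the server with the contents of your .pub file. The dedupe compares only the key type and blob, which is what sshd matches on; the trailing comment is ignored.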
If you get stuck, please leave a comment below and I’ll be happy to help.