SSH key authentication

From Linux 101, The beginner's guide to all things Linux.


SSH keys are a very powerful tool of the secure shell package. Let's take an example:

You SSH into your remote machine, and you type in your password. You run a few commands, and then you are done, so you disconnect. In a few minutes (if even that long) you realize you forgot to run an additional command or two. You will now need to reconnect and retype your password. Now this is probably not a tedious process, but do you really want to keep retyping your password? You are an intelligent person and you can do much better. Let's look into some of the technical aspects of SSH keys, so you know what is happening under the hood.


The keys

Generating a key pair creates two keys. The private key should stay on your own system and be copied elsewhere only when there is a real need. It is a file encrypted with a passphrase of your choice; SSH prompts you for the passphrase and uses it to unlock the key.

Note: Passphrases are usually longer than a normal password, since they are typed less often than passwords but need to be more resistant to brute-force attacks than passwords.

The second key is your public key, and this one can be given out as much as you want. The information stored in your public key cannot be turned back into your private key; however, the public key can be regenerated from the private one. Thus, if you were ever to lose your public key you can make it again, but if you lose your private key you will have to generate a new key pair.

The login process

The way this process works is that when you attempt to log in to another machine, SSH will look to see whether you have placed your public key onto the machine you are attempting to connect to. If you have, it will then prompt you for your passphrase to unlock your private key.

Once you have unlocked your private key, SSH can use it to prove to the remote machine that you hold the key matching the public key it already has, and that is what makes the login valid. Your public key was on the machine (and it must have gotten there because you have access to the machine), and then you unlocked your private key.

At this point you're then connected to the remote system via SSH.
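The two points above, that the public key is derivable from the private key and that a login succeeds only when the public key is already on the remote machine and the client can prove possession of the matching private key, can be seen in a small model. The code below is an added illustration written for this article, not OpenSSH code: it uses textbook RSA with tiny constructed primes (far too small for real use, and without the padding real implementations apply) so that every number can be checked by hand, and the `Server` class and `authorized_keys` list are assumptions that only stand in for the real server's behaviour.

```python
"""Toy model of SSH public-key login (added illustration, not OpenSSH code)."""
import hashlib
import os

# Constructed example primes; real keys are 2048+ bit RSA or Ed25519.
P, Q = 1_000_003, 1_000_033
E = 65537


def keygen(p=P, q=Q, e=E):
    """Return (private_key, public_key).

    The private key holds p and q; the public key holds only n = p*q and e.
    Nothing in the public key lets you recover p and q (for real-size primes).
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse, Python 3.8+
    private = {"p": p, "q": q, "d": d, "e": e}
    public = {"n": n, "e": e}
    return private, public


def public_from_private(private):
    """Recreate the public key from the private one (what `ssh-keygen -y` does)."""
    return {"n": private["p"] * private["q"], "e": private["e"]}


def _digest(data: bytes, n: int) -> int:
    # Hash the challenge and reduce it into the range of the modulus.
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, challenge: bytes) -> int:
    """Client side: sign a server challenge with the unlocked private key."""
    n = private["p"] * private["q"]
    return pow(_digest(challenge, n), private["d"], n)


def verify(public, challenge: bytes, signature: int) -> bool:
    """Server side: check the signature using only the public key."""
    return pow(signature, public["e"], public["n"]) == _digest(challenge, public["n"])


class Server:
    """The remote machine (assumed model): knows only the public keys it was given."""

    def __init__(self):
        self.authorized_keys = []  # stands in for ~/.ssh/authorized_keys

    def authorize(self, public):
        self.authorized_keys.append(public)

    def login(self, offered_public, signer):
        # Step 1: is this public key present on the machine at all?
        if offered_public not in self.authorized_keys:
            return False
        # Step 2: prove possession of the matching private key by signing a
        # fresh random challenge. The private key itself never leaves the client.
        challenge = os.urandom(32)
        return verify(offered_public, challenge, signer(challenge))


if __name__ == "__main__":
    priv, pub = keygen()
    server = Server()
    server.authorize(pub)
    print("login:", server.login(pub, lambda c: sign(priv, c)))
```

The `signer` callback is the only thing the server ever asks of the client; that is the shape of the exchange the article describes, with the passphrase prompt happening on the client side before `sign` can run.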

The agent

The SSH agent is really the tool that helps you type your passphrase less often. If you use SSH keys it is very beneficial to use the SSH agent, otherwise you will not see much improvement over the login process.

Each time you attempt to make a connection to the remote host, SSH will prompt you for that passphrase. It will not remember that you typed it in a moment ago. This is where the SSH agent comes in.

When you start your X environment, you should also start the ssh-agent process. Then when you are in the graphical environment, you can start a shell and run ssh-add. Enter your passphrase for your private key.

Now when you go to connect to a remote host, SSH will check with your agent. If you've unlocked the key, you will log in without having to type the passphrase (for as many logins as you want).

You may be concerned about security. What if you get up and leave your keyboard? Do you still want your SSH agent to remember you are authenticated? ssh-add has command arguments for this. You can make the agent forget you entered the passphrase. You can even lock the agent with a new password of your choice so you can later unlock it.
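The agent behaviour described in this section, the passphrase-protected key on disk, the agent holding the unlocked key so later connections need no prompt, and the forget and lock/unlock operations, can be modelled in a few dozen lines. This is an added illustration for the article, not OpenSSH's ssh-agent: the `Agent` class and `connect` function are assumptions, the on-disk encryption is a constructed stand-in (PBKDF2-derived keystream plus an HMAC tag) that only shows where the passphrase is needed, and the HMAC in `Agent.sign` stands in for the real signature operation.

```python
"""Toy model of ssh-agent behaviour (added illustration, not OpenSSH code)."""
import hashlib
import hmac
import os

KDF_ROUNDS = 100_000


def wrap_private_key(secret: bytes, passphrase: str) -> dict:
    """Store a private key encrypted under a passphrase, like the file in ~/.ssh."""
    salt = os.urandom(16)
    stream = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, KDF_ROUNDS, len(secret) + 32)
    enc_key, mac_key = stream[:len(secret)], stream[len(secret):]
    ciphertext = bytes(a ^ b for a, b in zip(secret, enc_key))
    tag = hmac.new(mac_key, ciphertext, "sha256").digest()
    return {"salt": salt, "ciphertext": ciphertext, "tag": tag}


def unwrap_private_key(blob: dict, passphrase: str) -> bytes:
    """Unlock the key with the passphrase; raises ValueError if it is wrong."""
    n = len(blob["ciphertext"])
    stream = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), blob["salt"], KDF_ROUNDS, n + 32)
    enc_key, mac_key = stream[:n], stream[n:]
    expected = hmac.new(mac_key, blob["ciphertext"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong passphrase")
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], enc_key))


class Agent:
    """Assumed model of ssh-agent: keeps unlocked keys in memory only."""

    def __init__(self):
        self._keys = {}
        self._lock_pw = None

    def add(self, name, blob, passphrase):  # ssh-add: prompts once, then caches
        self._keys[name] = unwrap_private_key(blob, passphrase)

    def forget_all(self):  # ssh-add -D: drop every cached key
        self._keys.clear()

    def lock(self, password):  # ssh-add -x: keep keys but refuse to use them
        self._lock_pw = password

    def unlock(self, password):  # ssh-add -X: re-enable with the lock password
        if password == self._lock_pw:
            self._lock_pw = None
        return self._lock_pw is None

    def sign(self, name, challenge: bytes):
        """Answer a server challenge, or None if the key is locked or not loaded."""
        if self._lock_pw is not None or name not in self._keys:
            return None
        # Stand-in for the real signature operation (constructed, not SSH's).
        return hmac.new(self._keys[name], challenge, "sha256").digest()


def connect(blob, passphrase_prompt, agent=None, name="mykey"):
    """Simulate one ssh login and return how many passphrase prompts it cost.

    With an agent that holds the unlocked key, the agent signs and no prompt
    is needed (0). Otherwise the key must be unlocked from disk (1).
    """
    challenge = os.urandom(32)
    if agent is not None and agent.sign(name, challenge) is not None:
        return 0
    unwrap_private_key(blob, passphrase_prompt())
    return 1


if __name__ == "__main__":
    blob = wrap_private_key(b"constructed-secret", "correct horse")
    agent = Agent()
    agent.add("mykey", blob, "correct horse")
    print("prompts with agent:", connect(blob, lambda: "correct horse", agent))
```

Running `connect` twice without an agent costs two prompts, once the key is in the agent it costs none, locking the agent brings the prompt back until `unlock`, and `forget_all` returns you to the no-agent situation, which is the behaviour the section describes.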

Further details

This article just explains some of the background to using SSH keys. If you want to see some of the commands in action, look at the ssh article.
