Wednesday, May 1, 2013

Notes on how to configure key files for SSH connection

Log in to Linux. When you first SSH to another server with the following command:
ssh someuser@remoteServer
You will get a prompt like the following:
The authenticity of host 'remoteServer (XX.XX.XX.XX)' can't be established.
RSA key fingerprint is d9:5e:8d:9d:59:12:39:e9:ff:59:57:07:92:ef:52:b2.
Are you sure you want to continue connecting (yes/no)? 
Type yes. You will now be prompted for the password of the user "someuser" to log in to remoteServer.
Just type the password, and you should now be connected to remoteServer.

When you ssh to a remote server, your ssh client records the hostname, IP address and public key of the remote server in a flat file called "known_hosts". So the .ssh directory on your local server will now contain a known_hosts file with an entry for remoteServer. The entry looks like the following:

remoteServer,XX.XX.XX.XX ssh-rsa AAAAB3NzaC1yc.....
In the above entry, the string after ssh-rsa is the public key of remoteServer. Where is this public key located on remoteServer? There can be different user accounts on remoteServer, and each account can create its own keys, but whenever you ssh to remoteServer you get the same public key. This is the server's host key, and it is located at /etc/ssh/ssh_host_rsa_key.pub.

Now on your local server, run the following command to generate the public/private key pair:

ssh-keygen -t rsa
It will prompt you for the file in which to save the generated key, and then for a passphrase.
Just take the default file and press return to use an empty passphrase. This creates the private key id_rsa and the public key id_rsa.pub in the .ssh directory.

Log on to remoteServer. In the home directory of the user someuser on remoteServer there is a .ssh folder. If this folder already has a file named authorized_keys, append the content of the public key file id_rsa.pub that you generated on your local server to the end of authorized_keys. If authorized_keys does not exist, create it and copy the content of id_rsa.pub into it.

Now if you do the following on your local server:

ssh someuser@remoteServer
You should be able to log on to remoteServer directly without having to type a password.
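As an added example (not code from the original post), here is the authorized_keys step as a small POSIX sh script: it appends the public key only if that key is not already present, so running it again does not produce duplicate entries, and it creates .ssh and authorized_keys with the permissions sshd checks before accepting a key. generate_key wraps ssh-keygen with the empty passphrase used above; the function names and the sample key line in the comments are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes POSIX sh; ssh-keygen is
# only needed by generate_key, the other functions work on plain text files.

# generate_key KEYFILE: create an RSA key pair with an empty passphrase, as in
# the post (-N '' supplies the empty passphrase, -f the output file).
generate_key() {
    ssh-keygen -t rsa -N '' -f "$1"
}

# install_authorized_key PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Append the public key line to authorized_keys unless it is already there.
# A public key line has the form: <type> <base64 key> [comment]; the base64
# field is what identifies the key, so it is what we look for.
install_authorized_key() {
    pubkey_file=$1
    auth_file=$2
    pubkey=$(cat "$pubkey_file") || return 1
    key_data=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    [ -n "$key_data" ] || { echo "no key data in $pubkey_file" >&2; return 1; }
    auth_dir=$(dirname "$auth_file")
    # sshd (StrictModes) rejects keys when .ssh or authorized_keys is
    # writable by others, so create both with tight permissions.
    mkdir -p "$auth_dir"
    chmod 700 "$auth_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"
    if grep -qF -- "$key_data" "$auth_file"; then
        return 0   # already installed, nothing to do
    fi
    printf '%s\n' "$pubkey" >> "$auth_file"
}

# count_keys AUTHORIZED_KEYS_FILE: number of key lines, ignoring blank lines
# and comments (prints 0 rather than failing on an empty file).
count_keys() {
    grep -Ecv '^[[:space:]]*(#|$)' "$1" || true
}
```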