SSH keys

Here is a quick guide to get you started using SSH keys. In this guide I will assume that you use OpenSSH.

Generating keys

The first step is to generate a private key and a public key. Generate a pair of DSA keys using OpenSSH's ssh-keygen as follows:

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa): [hit enter]
Enter passphrase (empty for no passphrase): [enter a good passphrase]
Enter same passphrase again: [enter the passphrase again]
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
cc:cb:6e:b5:95:60:ed:13:8a:04:e8:b6:b2:37:94:0e user@machine

When ssh-keygen asks for a default location for the key, simply accept the default of /home/user/.ssh/id_dsa. ssh-keygen will store the private key at the above path, and the public key will be stored right next to it, in a file called id_dsa.pub.

When prompted for a passphrase, enter a good one. A good passphrase consists of 10 or more hard-to-predict characters and shouldn't be a simple sentence, a quote or anything else easily guessable. Moreover, a good passphrase should contain a mix of upper and lowercase letters, numbers and non-alphanumeric characters.

DSA public key install

The next step is to configure remote systems running sshd to use our public DSA key for authentication. Typically, this is done by copying the public key to the remote system.

If you already have a ~/.ssh directory on the remote machine, simply copy your public key to the remote machine as follows:

$ chmod 600 ~/.ssh/id_dsa.pub
$ scp ~/.ssh/id_dsa.pub user@remotemachine:.ssh/authorized_keys

Do the following instead if you haven't already got a ~/.ssh directory on the remote machine:

$ chmod 600 ~/.ssh/id_dsa.pub
$ scp ~/.ssh/id_dsa.pub user@remotemachine:authorized_keys
$ ssh remotemachine

$ mkdir .ssh
$ chmod 700 .ssh
$ mv authorized_keys .ssh/
$ exit
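As an added example (not part of this guide), here is a small POSIX shell function that performs the install step on the remote side without the clobbering risk: copying a file straight to ~/.ssh/authorized_keys with scp replaces any keys already listed there, while this function appends the key only if it is not yet present and sets the permissions sshd expects. It goes slightly beyond the DSA case above in that it accepts any OpenSSH public key type; the function names, the optional target_home argument and the key lines used in the checks are this example's own.

```shell
# Install one OpenSSH public key into a target account's authorized_keys.
# Unlike "scp id.pub remote:.ssh/authorized_keys", this appends instead of
# overwriting, skips keys that are already present, and sets the permissions
# sshd's StrictModes check requires (700 on ~/.ssh, 600 on authorized_keys).
# Usage: install_authorized_key /path/to/id.pub [target_home]
# (example code; the function names and target_home argument are assumptions)
install_authorized_key() {
    pub="$1"
    home="${2:-$HOME}"
    ssh_dir="$home/.ssh"
    auth="$ssh_dir/authorized_keys"

    # Accept only a file whose first line looks like an OpenSSH public key
    # (key type, base64 blob, optional comment), never a private key.
    if ! head -n 1 "$pub" | grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+'; then
        echo "not an OpenSSH public key: $pub" >&2
        return 1
    fi

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Compare on the key material (fields 1 and 2) so that the same key with
    # a different comment is still recognised as already installed.
    keymat=$(head -n 1 "$pub" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$auth" | grep -Fxq -- "$keymat"; then
        echo "key already authorized" >&2
        return 0
    fi

    # Make sure an existing file ends with a newline before appending.
    if [ -s "$auth" ] && [ "$(tail -c 1 "$auth")" != "" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$(head -n 1 "$pub")" >> "$auth"
}

# Number of keys authorized for a home directory (blank and comment lines
# are ignored); used to check the result of the function above.
count_authorized_keys() {
    grep -Ev '^[[:space:]]*(#|$)' "${1:-$HOME}/.ssh/authorized_keys" 2>/dev/null | wc -l | tr -d ' '
}
```

Copy the .pub file to the remote machine as in the steps above, then run the function there with the .pub path as its argument.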

Now, with DSA authentication configured, we should be prompted to enter our DSA private key passphrase (rather than our password) when we try to connect to remotemachine using ssh.

$ ssh remotemachine
Enter passphrase for key '/home/user/.ssh/id_dsa':

Avoid entering your passphrase every time

Entering the passphrase every time you want to do a remote copy or make a remote connection can be tiring. OpenSSH includes ssh-agent, a long-running daemon whose sole purpose is to cache your decrypted private keys.

There are many ways to set up ssh-agent: you can use it on a per-shell basis, start your window manager with it, and so on. To use ssh-agent on a per-shell basis, do the following:

$ eval `ssh-agent`

One way to get ssh-agent started with your window manager is to modify your ~/.xsession to look like this:

== ~/.xsession ==
# Start the window manager as a child of ssh-agent, so that SSH_AUTH_SOCK
# and SSH_AGENT_PID are set for the whole session (running ssh-agent on a
# line of its own would leave them unset in the window manager's environment)
exec ssh-agent [your window manager]
== ~/.xsession ==

If you use startx, you must modify your ~/.xinitrc instead.

Adding keys to ssh-agent's cache

Before we can really use ssh-agent, we first need to add our private key(s) to ssh-agent's cache using the ssh-add command. Add your private DSA key (~/.ssh/id_dsa) to ssh-agent's cache as follows:

$ ssh-add ~/.ssh/id_dsa
Enter passphrase for /home/user/.ssh/id_dsa:

Now, we are able to connect to remotemachine using ssh without entering a password or passphrase.

$ ssh remotemachine

$

It is that simple.

Removing keys when you're not around

It's a good idea to either lock your machine or remove your private key(s) from ssh-agent's cache when you leave your machine. Removing your private key(s) from ssh-agent's cache can be done as follows:

$ ssh-add -d

Resources