Differences

This shows you the differences between two versions of the page.

--- sshkey [2011/04/05 16:04] – cangiani
+++ sshkey [2022/08/05 13:20] (current) – admin
@@ Line 2: / Line 2: @@
 You can connect to the servers using the SSH protocol without the need to insert the password every time you connect. The trick is to generate a encripted key that can be used by the systems to recognize yourself and allow your access to local resources.
 This behaviour can be used when you are using the Servers from the Epfl Network, but also when you connect to the server from outside the Epfl.
+===== Setup =====
-===== Ssh without password from local workstation =====
 ==== Generate the public/private ssh key pair  ====
@@ Line 12: / Line 12: @@
   * Execute this command
-  $ ssh-keygen -t dsa
+  $ ssh-keygen -t ed25519
-  * When the system ask a name for the file **id_dsa** just press enter
+  * When the system ask a name for the file **id_ed25519**, just press enter
-  * The system will ask your for a password. This is the password that is used to encrypt your private key file (id_dsa) so that, even if the file gets stolen, it cannot be used. Try to generate a [[strongpass|strong password]].
+  * The system will ask your for a password. This is the password that is used to encrypt your private key file (id_ed25519) so, even if the file gets stolen, it cannot be used. Try to generate a strong password.
-  * Now you have to append the content of your public key file ''~/.ssh/id_dsa.pub'' into the ''~/.ssh/authorized_keys'' on the machines where you want to be able to ssh into (e.g. if you are generating the key pair on your laptop, you might want to add the public key on the cluster lth.epfl.ch):
+  * Now you have to append the content of your public key file ''~/.ssh/id_ed25519.pub'' into the ''~/.ssh/authorized_keys'' on the machines where you want to be able to ssh into (e.g. if you are generating the key pair on your laptop, you might want to add the public key on the cluster lth.epfl.ch):
-  $ cat ~/.ssh/id_dsa.pub | ssh USERNAME@lth.epfl.ch 'cat - >> ~/.ssh/authorized_keys'
+  $ ssh-copy-id <USERNAME>@lth.epfl.ch
   * In our cluster, all the machines have access to the same home directory. Therefore you can use standard local copy:
-  $ cat ~/.ssh/id_dsa.pub >> ~/.ssh/authorized_keys
+  $ cat ~/.ssh/id_ed25519.pub >> ~/.ssh/authorized_keys
-From now, every time you connet to a server, the server will recognize your workstation automatically (it read the ~/.ssh/authorized_keys file everytime you connect) and you can login without bothering with the password.... well almost! Curious? Continue reading.
+From now, every time you connect to a server, the server itself will recognize your workstation automatically (it read the ~/.ssh/authorized_keys file every time you connect) and you can login without bothering with the password.... well almost! Curious? Continue reading.
+In fact, since your private key is encrypted, you need to type the password to decrypt it each time you want to use it. Seems like we have just replaced the "enter remote machine password" with "enter local key encryption password".
 ==== Setup ssh-agent ====
-In fact, since your private key is encrypted, you need to type the password that can decrypt it each time you want to use it. Seems like we didn't gain anything till now.
+Ssh-agent is a program that keeps in memory your decrypted private ssh key and serves it to ssh when it is needed. In this way you only have to type the decryption password only once. Keeping the decrypted key (or the password) in memory is considered safer than letting the key file un-encrypted.
-Ssh-agent is a program that keeps in memory your decrypted private ssh key and serves it to ssh when it is needed. In this way you only have to type the decryption password only once. Keeping the decrypted key (or the password) in memory is considered safer than letting the key file un-encrypted.
+=== On desktop sessions ===
+All modern desktop environment (os X, Gnome, KDE), do take care automatically the ssh key decryption business and you don't have to do anything. Yahoo!
-Let's set it up.
+=== On console ===
+If you are not on a full desktop environment (e.g. if you ssh to a machine from where you want to connect to [several] another machines), then you have to setup the ssh-agent business by hand.
+The two (actually three) steps are
+  * launch ''ssh-agent'' and setup the environment variables accordingly:
+  $ eval `ssh-agent -s`
-==== Apple Os X & Linux ====
+  * ask ''ssh-agent'' to manage your ''id_ed25519'' key (eventually with a lifetime ''-t time_in_seconds'')
-  * Open a terminal emulation window
+  $ ssh-add [-t time_in_seconds] ~/.ssh/id_ed25519
-  * Execute the command
-  $ ssh-keygen -t dsa
+  * before logging out you have to remember to kill the ssh-agent:
-  * When the system ask a name for the file **id_dsa** just press enter
-  * Do the same for the **id_dsa.pub** file
-  * cd in your .ssh directory with
-  $ cd ~/.ssh
-  * Execute this command
-  $ cat id_dsa.pub
+  $ ssh-agent -k
-  * Open another window and from this connect to the public access server **lth.epfl.ch**. login as usual
+Since this is quite cumbersome, I suggest to add the following to your ''~/.bash_profile'':
-  * cd in .ssh directory with
-  $ cd ~/.ssh
+<code>
+# only for interactive shell
+if [ "$PS1" ]; then
+  # run ssh agent if not already running
+  SSHAGENT=/usr/bin/ssh-agent
+  if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then
+    eval `$SSHAGENT -s`
+    alias ssh='ssh-add; unalias ssh; ssh'
+    trap "$SSHAGENT -k" 0
+  fi
+fi
+</code>
-  * Execute the command
+This will start ''ssh-agent'' and add ''ssh-add'' only the first time you try to use ''ssh''. This way you will have to type the password only if you really need to ''ssh''.
-  $ cat >> authorized_keys
-  * Now copy & paste with the mouse the key you have in the first window (something that start with sh-dss AAAAB3NzaC1k....) to the second window.
-  * press the "**Ctrl+d**" key combination to close the **cat** command
-  * Try to connect to **lth.epfl.ch**, this time you can login without inserting the password. If you can't, something is wrong, so you have to recheck all the steps.