SSH keys

First, an example of SSH keys where the private key is kept on the host ares and the public key is kept on the host bob. The user account g0 exists on both hosts.

Create the SSH DSA key pair on ares and copy the public key to bob.
g0@ares:~$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/g0/.ssh/id_dsa): 
Created directory '/home/g0/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/g0/.ssh/id_dsa.
Your public key has been saved in /home/g0/.ssh/id_dsa.pub.
The key fingerprint is:
88:5a:f3:75:ed:c3:92:ed:04:a0:bf:bc:d7:e9:7c:68 g0@ares
The key's randomart image is:
+--[ DSA 1024]----+
|                 |
|                 |
|        .        |
|     . o . .     |
|    + o S o .    |
|   o + o . =     |
|  .   . . oo*.   |
|       . +E*+.   |
|        ++ o+    |
+-----------------+

g0@ares:~$ ls -a .ssh
.  ..  id_dsa  id_dsa.pub
g0@ares:~$ scp ~/.ssh/id_dsa.pub bob:~/.ssh/authorized_keys2 
g0@bob's password:
id_dsa.pub                               


Since g0 shares this box with the rest of the NOC, he needs to make sure that the other unprivileged users cannot read his private key.
g0@ares:~$ ls -l .ssh/id_dsa
-rw------- 1 g0 g0 736 2011-11-06 11:12 .ssh/id_dsa
OK, cool. For similar reasons g0's .ssh directory on bob should not be writable by anyone else.

Now we can start the ssh-agent.
The ssh-agent will use g0's private key to authenticate as g0@bob for the rest of this login session.
g0@ares:~$ ssh-agent sh -c 'ssh-add /home/g0/.ssh/id_dsa && bash'
Enter passphrase for /home/g0/.ssh/id_dsa:
Identity added: /home/g0/.ssh/id_dsa (/home/g0/.ssh/id_dsa)
g0@ares:~$ ssh bob
Welcome to Bob

g0@bob:~$ exit
Connection to bob closed.

g0@ares:~$ ssh bob
Welcome to Bob

g0@bob:~$ exit
Connection to bob closed.
g0@ares:~$


After entering the passphrase for the private key, g0 can ssh to bob without a password for the rest of this login session, or until he kills the ssh-agent.
The ssh-agent runs in the background managing g0's private key(s) (identities), and its process ID is accessible through an environment variable.
g0@ares:~$ ps fuax |grep ssh-agent|grep -v grep
g0 23903  0.0  0.0  11936   612 ?        Ss   12:44   0:00                  \_ ssh-agent sh -c ssh-add /home/g0/.ssh/id_dsa && bash
g0@ares:~$ echo $SSH_AGENT_PID
23903


ssh-add can be used to list the identities currently held by ssh-agent.
g0@ares:~$ ssh-add -l
1024 88:5a:f3:75:ed:c3:32:ed:04:a0:bf:bc:d7:e9:7c:68 /home/g0/.ssh/id_dsa (DSA)


To kill the ssh-agent, which disables passwordless ssh and scp to bob for this login session: ssh-agent -k finds the agent through SSH_AGENT_PID, and the unset lines it prints are meant to be evaluated by the shell so the two variables are cleared as well.
g0@ares:~$ ssh-agent -k 
unset SSH_AUTH_SOCK;
unset SSH_AGENT_PID;
echo Agent pid 23903 killed;
g0@ares:~$


If we need to automate some ssh or scp task we could use Expect, or Expect.pm with Perl, or not enter a passphrase when we generate the key pair, or generate a single purpose key pair with no passphrase.

To create a single-purpose key we generate an RSA key pair without entering a passphrase.
g0@ares:~$ ssh-keygen -t rsa -b 4098 -f .ssh/jw
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in .ssh/jw.
Your public key has been saved in .ssh/jw.pub.
The key fingerprint is:
f2:2c:6a:b2:9a:14:f6:f9:95:b8:7f:02:ee:80:6a:dc g0@ares
The key's randomart image is:
+--[ RSA 4098]----+
|                 |
|                 |
|                 |
|                 |
| o    . S        |
|. + ...+.        |
|.o.+..ooo        |
|o+.E+ooo .       |
|=..+o+..o        |
+-----------------+


Then we prepend the purpose (command) and some ssh options to the public key.
To create a custom key that lets him run only w on bob, g0 does the following.
g0@ares:~$ echo -n "command=\"/usr/bin/w\",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc " > tmp
g0@ares:~$ cat .ssh/jw.pub >> tmp
Cool, now tmp holds the command w, some ssh options, and the public key.

Since this is an RSA key, he will need to append it to .ssh/authorized_keys on bob.
g0@ares:~$ cat tmp|ssh -p 9999 ipduh.com 'sh -c "cat - >>~/.ssh/authorized_keys"'
Enter passphrase for key '/home/g0/.ssh/id_dsa': 


g0 had to use the id_dsa passphrase since he did not have ssh-agent running.

Now, let's run w on bob from ares.
g0@ares:~$ ssh -i .ssh/jw bob
 19:18:17 up 194 days,  6:21,  1 user,  load average: 1.15, 1.05, 1.01
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
g0       pts/0     ares            19:18    0.00s  0.01s  0.01s /usr/bin/w
Connection to bob closed.

g0 just had to specify the identity (the key) he is going to use.
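An added example, not code from the original page: Python that builds the restricted authorized_keys line the same way the echo -n / cat tmp step above does, parses existing entries (commas and spaces inside command="..." must not split the options field), and reports keys that have no forced command or lack any of the four no-* options. The key blobs and comments in SAMPLE are constructed placeholders.

```python
import re

# The options the page prepends to the single-purpose key, besides command=.
RESTRICTIONS = ("no-agent-forwarding", "no-port-forwarding",
                "no-X11-forwarding", "no-user-rc")
# One option: a run of unquoted chars or a double-quoted string with \" escapes.
_TOKEN = r'(?:[^\s,"]|"(?:[^"\\]|\\.)*")+'

def build_entry(pubkey_line, command, options=RESTRICTIONS):
    """Prepend command="..." and the options to a public key line, as the
    echo -n ... > tmp; cat jw.pub >> tmp step does."""
    quoted = command.replace('"', '\\"')            # escape quotes in command
    opts = ",".join(['command="%s"' % quoted] + list(options))
    return opts + " " + pubkey_line.strip()

def parse_entry(line):
    """Return (options, keytype, blob, comment). The options field ends at the
    first whitespace outside quotes; a comma inside quotes does not split it."""
    line = line.strip()
    if line.startswith(("ssh-", "ecdsa-", "sk-")):      # no options field
        opts, rest = [], line
    else:
        m = re.match(r'((?:%s,?)+)\s+(.*)' % _TOKEN, line)
        opts, rest = re.findall(_TOKEN, m.group(1)), m.group(2)
    parts = rest.split(None, 2)
    return opts, parts[0], parts[1], parts[2] if len(parts) > 2 else ""

def audit(lines):
    """Map each key's comment to (has forced command, missing restrictions);
    the 'restrict' option (OpenSSH 7.2+) implies every no-* option."""
    report = {}
    for line in lines:
        if line.strip() and not line.startswith("#"):
            opts, _, _, comment = parse_entry(line)
            has_cmd = any(o.startswith("command=") for o in opts)
            missing = [] if "restrict" in opts else \
                [r for r in RESTRICTIONS if r not in opts]
            report[comment] = (has_cmd, missing)
    return report

# Constructed sample authorized_keys content (placeholder blobs, not real keys).
SAMPLE = """\
ssh-dss AAAAB3NzaC1kc3MAAAPLACEHOLDER g0@ares
command="/usr/bin/w",no-agent-forwarding,no-port-forwarding,no-X11-forwarding,no-user-rc ssh-rsa AAAAB3NzaC1yc2EAAAPLACEHOLDER jw
command="/usr/bin/w -s",no-port-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAPLACEHOLDER2 partial
"""

if __name__ == "__main__":
    for comment, (has_cmd, missing) in audit(SAMPLE.splitlines()).items():
        print(comment, "forced command" if has_cmd else "NO forced command",
              "missing:", ",".join(missing) or "none")
```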
