Configure an SSH key for passwordless login

It is not difficult, but every time I want to create an SSH key pair and install it on a server I have to look the commands up again. So here is how to create a key and put it on the remote host for passwordless login over ssh. (The post originally called this a "certificate"; OpenSSH does have real certificates, issued by a CA with ssh-keygen -s, but what is created below is a plain key pair.)
If we have a look at the ssh man page (see below), it sounds really simple: create your key, copy the public part to the destination and register it in authorized_keys. But how do you do that without fuss?
Steps to do:

  • create a key pair (the private key lands in ~/.ssh/id_rsa, the public half in ~/.ssh/id_rsa.pub):
    eeelin:~$ ssh-keygen   # leave the passphrase empty for truly passwordless login (but see the comment below first)
  • copy the public key to the remote host and append it to authorized_keys; ~/.ssh and the file are created with the modes sshd (StrictModes, on by default) insists on, otherwise the key is silently ignored:
    eeelin:~$ cat ~/.ssh/id_rsa.pub | ssh user@host 'mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >> ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys'

Key-based authentication is much stronger than logging in with a password: the server only admits a client that proves possession of the matching private key, so there is nothing to guess or brute-force over the network. Note that the benefit only materialises once password login is switched off on the server (PasswordAuthentication no in sshd_config); until then an attacker can still go for the password. Protecting the private key with a passphrase improves things again: a stolen key file is useless without it, and you only have to remember that one passphrase instead of a password per host.
Another reason to use a key is an application that has to connect over ssh. The key can be deployed with the application and nobody has to know a password. Because such a key usually has no passphrase, limit what it can do on the server side with options in authorized_keys, for example command="..." to pin it to a single command and restrict to disable port forwarding, agent forwarding and PTY allocation.
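The two steps above, plus the restriction an application key needs, as an added example that is not from the original post: a bash helper that does what `cat >> ~/.ssh/authorized_keys` does but also sets the directory and file modes sshd requires, refuses malformed input, never adds the same key twice, and can prefix the entry with authorized_keys options such as restrict or command="...". The function name, the rrsync path and the sample key strings are made up for the example; ssh-copy-id covers the plain case, this is for when you want options or idempotency.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. install_pubkey appends a public
# key to an authorized_keys file like `cat >> ~/.ssh/authorized_keys`, but
# (1) creates ~/.ssh and the file with the modes sshd's StrictModes (default
# on) requires, (2) does not add the same key twice, and (3) can put
# authorized_keys options in front of the entry, e.g. for a passphrase-less
# application key. Function name and sample keys are made up for this example.
set -eu

# install_pubkey FILE PUBKEY_LINE [OPTIONS]
#   FILE         e.g. ~/.ssh/authorized_keys
#   PUBKEY_LINE  one line of a *.pub file: "<type> <base64> [comment]"
#   OPTIONS      optional authorized_keys option string placed before the key,
#                e.g. 'restrict,command="/usr/bin/rrsync /srv/backup"' (path assumed)
# Prints 1 if the key was added, 0 if already present; returns 1 on bad input.
install_pubkey() {
  local file="$1" pubkey="$2" opts="${3:-}"
  local dir keymat comment line
  dir=$(dirname -- "$file")

  # A key line is "<type> <base64> [comment]". An embedded newline or fewer
  # than two fields would corrupt the file or be ignored by sshd: refuse it.
  if [ "$(printf '%s' "$pubkey" | wc -l)" -ne 0 ]; then
    echo "install_pubkey: key must be a single line" >&2; return 1
  fi
  set -f                 # no globbing while word-splitting the key line
  set -- $pubkey
  set +f
  if [ "$#" -lt 2 ]; then
    echo "install_pubkey: expected '<type> <base64> [comment]'" >&2; return 1
  fi
  case "$1" in
    ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|\
    sk-ssh-ed25519@openssh.com|sk-ecdsa-sha2-nistp256@openssh.com) ;;
    *) echo "install_pubkey: unsupported key type '$1'" >&2; return 1 ;;
  esac
  keymat="$1 $2"; shift 2; comment="$*"

  # Permissions first, so sshd never sees a group/world-writable file.
  mkdir -p -- "$dir"
  chmod 700 -- "$dir"
  touch -- "$file"
  chmod 600 -- "$file"

  # Idempotent: match on type + key material only, so the same key with a
  # different comment or different options still counts as installed.
  if grep -qF -- "$keymat" "$file"; then
    echo 0
    return 0
  fi
  line="$keymat"
  if [ -n "$comment" ]; then line="$line $comment"; fi
  if [ -n "$opts" ]; then line="$opts $line"; fi
  printf '%s\n' "$line" >> "$file"
  echo 1
}

# Demo on a throwaway directory with a constructed (non-functional) key, so it
# runs offline and never touches the real ~/.ssh.
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGNvbnN0cnVjdGVkLWV4YW1wbGUta2V5LW5vdC1yZWFs demo@eeelin'
demo_dir=$(mktemp -d)
install_pubkey "$demo_dir/.ssh/authorized_keys" "$DEMO_KEY" >/dev/null
install_pubkey "$demo_dir/.ssh/authorized_keys" "$DEMO_KEY" 'restrict,command="/bin/true"' >/dev/null  # duplicate, ignored
cat "$demo_dir/.ssh/authorized_keys"
rm -rf -- "$demo_dir"

# Remote use, assuming bash on the far side: ship the function together with
# the call, the same way the post pipes id_rsa.pub through ssh:
#   ssh user@host "$(declare -f install_pubkey); install_pubkey ~/.ssh/authorized_keys '$(cat ~/.ssh/id_rsa.pub)'"
```

Deduplication keys on type plus key material rather than the whole line, so re-running the script after a comment change does not leave two entries for the same key; that is also why an attempt to add an already-installed key with new options reports 0 and leaves the existing entry alone.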

About the author

Adrian Elsener

2 comments

  • “(Don’t enter a password for password less login)” is not always the best idea. Guess what would happen if someone gets access to your private key file. Also, make sure your private key is always “chmod 600”, so other accounts won’t have any kind of access to it. A key without a passphrase is a bit like placing a password.txt on your hdd.

    Providing a passphrase makes sense by default. If you’re using it from your terminal emulator, most systems (Gnome=Keyring, OS X=Keychain etc…) will store this passphrase for you, so you only need to unlock your keystore once you are logged in to the session. Otherwise ssh-agent is your friend.

    If you want to execute stuff by cron etc. where a key based auth is used generate a separate key {without a passphrase if absolutely necessary}, authorized only for this particular purpose. Applications like rsync, scp, git… etc provide the option to specify a specific identity file. Most of the time it’s a good idea to chroot those accounts on a target system to minimize access anyway.

    Another helpful thing is to generate an ssh config file in {home}/.ssh/config to specify which key/port/user is used to connect… this makes life a lot easier. http://nerderati.com/2011/03/simplify-your-life-with-an-ssh-config-file/ has some good samples. Even git looks up aliases from there.

    btw. Copying keys to a remote is most comfortable by using “ssh-copy-id” provided by openssh.

    Just my two cents 😉
