
I know that if I want to configure SSH access for key authentication, I need to use the following command:

ssh-keygen -b 2048 -t rsa -C "mypassphrase"

I then need to copy the codes created in id_rsa.pub on my computer to the server's ~/.ssh/authorized_keys file. I also need to set permissions on some folder and file. This enables key authentication for my computer. Now, I would also like to know how I should enable such access on yet another computer. Do I have to add the created codes in id_rsa.pub to the same ~/.ssh/authorized_keys file?

Thanks for your help.

ajax20

3 Answers


Uhm... this is not a good idea, why would you use your pass phrase as comment (-C option)?

Just use ssh-keygen -b 2048 -t rsa.

You don't need to set any permissions by default. You create the key as the user you want to have login on the remote machine and then:

cat ~/.ssh/id_rsa.pub | ssh user@server 'cat - >> ~/.ssh/authorized_keys'

To get the key from your pub-file and add it to the authorized keys on the remote site.

However, if you are trying to have key access as root on the remote machine where root login via password is disabled, you will first have to copy the id_rsa.pub to the machine (with a user account enabled for password authentication via ssh, or simply with a USB stick) and then do (as root, from the folder where id_rsa.pub is located): cat id_rsa.pub >> /root/.ssh/authorized_keys

Make sure the .ssh folder is present.

Edit: after creating the key better use ssh-copy-id as @SvW suggested. My way works, too but is the manual way of doing it before ssh-copy-id was introduced.

Broco
  • Thanks. I just followed the tutorial here: http://kb.solarvps.com/centos/how-to-configure-ssh-access-for-key-authentication-only-on-your-centos-ssh-server/ – ajax20 Aug 13 '14 at 21:24
  • The `-` in your `cat` command is redundant. – kasperd Aug 13 '14 at 21:25
  • @kasperd Yes, I know, but I always write down stdin even if it's the default input. It's a habit I developed during massive cloning sessions of Windows installations with netcat and ntfsclone. – Broco Aug 13 '14 at 21:31
  • @Broco Thanks again! I also needed to change the file permission: chmod 600 /home/username/.ssh/authorized_keys, and the .ssh folder's permission should also be set to 700. Of course, as you see, I am using the ssh key for a non-root user. – ajax20 Aug 13 '14 at 21:49

You can use the public key for as many clients as you want.

Adding the file to the remote host is easy with ssh-copy-id:

ssh-copy-id -i /path/to/id_rsa.pub user@host

Edit: Should you mean that you want to access the remote host from another computer, you would have to copy the private key file to this machine (but never to the remote machine you want to connect to).

Sven
  • I forgot about copy-id... Got so used to doing it the old way. Maybe I got something else wrong, too: Isn't -C the option for Comment? He just writes his passphrase into the comment, doesn't he? – Broco Aug 13 '14 at 21:01
  • @Broco: Yes, you are right with this. See `man ssh-keygen`. – Sven Aug 13 '14 at 21:03
  • Copying the private key to multiple hosts is not always the best solution. Sometimes it is better to create a private key on each individual host, and put all the public keys into `authorized_keys`. – kasperd Aug 13 '14 at 21:27
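Both the manual `cat >> ~/.ssh/authorized_keys` route in the first answer and kasperd's suggestion of one key pair per client host with every public key listed in `authorized_keys` come down to the same server-side step: append a public key line without duplicating it, and leave `~/.ssh` and `authorized_keys` with the permissions sshd insists on. The script below is an added example written for this page, not code from any of the answers. It assumes an OpenSSH-style single-line public key and a target user whose home directory is `$HOME` (or an explicit path passed as the second argument); the key strings in the comments are constructed placeholders, not real keys.

```bash
#!/bin/sh
# Added example (not from the original answers): append a client's public key
# to a user's authorized_keys idempotently, with the permissions sshd expects.
# Assumptions: the key is a single OpenSSH public key line of the form
# "<type> <base64> [comment]" and the target file is ~/.ssh/authorized_keys
# unless a path is given. The client generates its own pair first, e.g.
#   ssh-keygen -t ed25519 -C "laptop" -N "passphrase"
# (-C is the comment that ends up in this file; -N is the passphrase).

# add_authorized_key KEY_LINE [AUTHORIZED_KEYS_PATH]
# Exit status 0 when the key is present afterwards (added now or already
# there), 1 when the line does not look like an OpenSSH public key.
add_authorized_key() {
    key_line=$1
    auth_file=${2:-"$HOME/.ssh/authorized_keys"}
    ssh_dir=$(dirname "$auth_file")

    # Refuse anything that is not a public key line. A private key pasted by
    # mistake starts with "-----BEGIN" and is rejected here instead of being
    # copied onto the server.
    case $key_line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *|ssh-dss\ *) ;;
        *) echo "not an OpenSSH public key line" >&2; return 1 ;;
    esac

    # With the default StrictModes, sshd ignores authorized_keys if the file
    # or ~/.ssh is group/world writable, so create both restrictively.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Match on key type and base64 blob only, so the same key submitted with
    # a different comment is not added a second time.
    key_id=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
    if awk -v id="$key_id" '($1 " " $2) == id {found=1} END {exit !found}' "$auth_file"; then
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}

# count_authorized_keys [AUTHORIZED_KEYS_PATH]
# Prints the number of key lines on file: one per client machine allowed to
# log in as this user.
count_authorized_keys() {
    auth_file=${1:-"$HOME/.ssh/authorized_keys"}
    [ -f "$auth_file" ] || { echo 0; return 0; }
    awk 'NF >= 2 && $1 ~ /^(ssh-|ecdsa-)/ {n++} END {print n+0}' "$auth_file"
}
```

Run it on the server as the user who should be able to log in, once per client machine: `add_authorized_key "$(cat laptop_id_ed25519.pub)"`. Because the check is on the key material rather than the whole line, re-running it with a key whose comment was edited does not produce a duplicate entry, and a private key file passed by accident is refused before anything is written.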

It would be best to have them create their own rsa/dsa keys (or you can do it for them and send the keys to them), and add the pub key to the authorized_keys file, i.e. cat new_rsa_id.pub >> authorized_keys. Each line in the authorized_keys file relates to an id_rsa key.

Also, the passphrase is optional. I always find it to be an annoyance unless company security policy requires it.

If I understand you correctly, you want to use the auth key on another computer to access the server. In that case, simply copy the id_rsa key to the computer you want to use it on. It will work regardless of what system the key resides on (client side).

Satalink
  • In general, it's an extremely bad idea not to have a password-protected private key, because if someone manages to get this file, he has access to every system that uses this key pair. If you use an SSH agent, you only have to enter your passphrase once a day, making this nearly as convenient as without a passphrase. – Sven Aug 13 '14 at 21:13
  • @SvW If the home directory is encrypted, it may be OK to not have another level of encryption. Personally I have one key encrypted by the file system, which I use for the not so important logins. I have another key for root logins, which is encrypted by `ssh-keygen` and gets loaded into an `ssh-agent` before I use it. – kasperd Aug 13 '14 at 21:31
  • actually, the REQUIRED permissions of the authkeys would make it impossible to copy unless they have authenticated as the user. – Satalink Aug 13 '14 at 21:50