====== SSH ====== ===== PUBLIC KEY AUTHENTICATION ===== === SSH AGENT ==== ''ssh-agent'' is a background process that holds your decrypted private keys in memory so you don't have to type the passphrase every time you SSH somewhere. Private SSH keys should be encrypted on disk with a passphrase. Without an agent, every ssh, git pull, scp etc. would prompt you to type that passphrase to decrypt the key. How it works: - Agent starts as a background process, listening on a unix socket. Its path is exported as $SSH_AUTH_SOCK. - You run ssh-add once — passphrase prompt, decrypted key goes into agent memory. - When ssh connects somewhere, it checks $SSH_AUTH_SOCK, asks the agent for available keys, and asks the agent to sign the server's challenge. With agent **forwarding** (ssh -A bastion, or ForwardAgent yes in config), SSH forwards $SSH_AUTH_SOCK from your laptop into the bastion shell. When you then run ssh internal-server from the bastion. === SSH KEYS ==== SSH keeys come in pairs: * //.ssh/id_rsa// - private key * //.ssh/id_rsa.pub// - public key Public key should be copied to servers into //~/.ssh/authorized_keys// (it let's the server authenticate the user). During the client authentication, the client will use its private key, and it will be verified by the public key stored in //~/.ssh/authorized_keys//. Private key is password protected when encrypted. A passphrase is only used to unlock the private key locally and is not transmitted in any form to the remote host. === GENERATING KEYS === This will generate private/public keys in the default directory: $ ssh-keygen -b 4096 # default size is 2048 Files are here: clienthost:~ user$ ls -l .ssh/ | grep id -rw------- 1 user user 1831 Aug 10 20:50 id_rsa -rw-r--r-- 1 user user 407 Aug 10 20:50 id_rsa.pub After public key is copied to remote serve: $ chmod 700 .ssh/ $ chmod 600 ~/.ssh/authorized_keys # paste your public key into this file There is also a simpler way to copy a public key: $ ssh-copy-id pi@192.168.2.73 === SSHD === /etc/ssh/sshd_config: PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys === MANAGING PASSPHRASE === $ ssh-agent $ ssh-add