User Tools

Site Tools


linux:ssh

This is an old revision of the document!


SSH

PUBLIC KEY AUTHENTICATION

SSH AGENT

ssh-agent is a background process that holds your decrypted private keys in memory so you don't have to type the passphrase every time you SSH somewhere. Private SSH keys should be encrypted on disk with a passphrase. Without an agent, every ssh, git pull, scp etc. would prompt you to type that passphrase to decrypt the key.

How it works:

  1. Agent starts as a background process, listening on a unix socket. Its path is exported as $SSH_AUTH_SOCK.
  2. You run ssh-add <key> once — passphrase prompt, decrypted key goes into agent memory.
  3. When ssh connects somewhere, it checks $SSH_AUTH_SOCK, asks the agent for available keys, and asks the agent to sign the server's challenge.

SSH keeys come in pairs:

  • .ssh/id_rsa - private key
  • .ssh/id_rsa.pub - public key

Public key should be copied to servers into ~/.ssh/authorized_keys (it let's the server authenticate the user).

During the client authentication, the client will use its private key, and it will be verified by the public key stored in ~/.ssh/authorized_keys.

Private key is password protected when encrypted. A passphrase is only used to unlock the private key locally and is not transmitted in any form to the remote host.

GENERATING KEYS

This will generate private/public keys in the default directory:

$ ssh-keygen -b 4096 # default size is 2048

Files are here:

clienthost:~ user$ ls -l .ssh/ | grep id
-rw-------  1 user  user   1831 Aug 10 20:50 id_rsa
-rw-r--r--  1 user  user    407 Aug 10 20:50 id_rsa.pub

After public key is copied to remote serve:

$ chmod 700 .ssh/
$ chmod 600 ~/.ssh/authorized_keys # paste your public key into this file

There is also a simpler way to copy a public key:

$ ssh-copy-id pi@192.168.2.73

SSHD

/etc/ssh/sshd_config:

PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys

MANAGING PASSPHRASE

$ ssh-agent
$ ssh-add
linux/ssh.1779116780.txt.gz · Last modified: by v1ctor