This is an old revision of the document!
SSH
PUBLIC KEY AUTHENTICATION
SSH AGENT
ssh-agent is a background process that holds your decrypted private keys in memory so you don't have to type the passphrase every time you SSH somewhere. Private SSH keys should be encrypted on disk with a passphrase. Without an agent, every ssh, git pull, scp etc. would prompt you to type that passphrase to decrypt the key.
How it works:
- Agent starts as a background process, listening on a unix socket. Its path is exported as $SSH_AUTH_SOCK.
- You run ssh-add <key> once — passphrase prompt, decrypted key goes into agent memory.
- When ssh connects somewhere, it checks $SSH_AUTH_SOCK, asks the agent for available keys, and asks the agent to sign the server's challenge.
SSH keeys come in pairs:
- .ssh/id_rsa - private key
- .ssh/id_rsa.pub - public key
Public key should be copied to servers into ~/.ssh/authorized_keys (it let's the server authenticate the user).
During the client authentication, the client will use its private key, and it will be verified by the public key stored in ~/.ssh/authorized_keys.
Private key is password protected when encrypted. A passphrase is only used to unlock the private key locally and is not transmitted in any form to the remote host.
GENERATING KEYS
This will generate private/public keys in the default directory:
$ ssh-keygen -b 4096 # default size is 2048
Files are here:
clienthost:~ user$ ls -l .ssh/ | grep id -rw------- 1 user user 1831 Aug 10 20:50 id_rsa -rw-r--r-- 1 user user 407 Aug 10 20:50 id_rsa.pub
After public key is copied to remote serve:
$ chmod 700 .ssh/ $ chmod 600 ~/.ssh/authorized_keys # paste your public key into this file
There is also a simpler way to copy a public key:
$ ssh-copy-id pi@192.168.2.73
SSHD
/etc/ssh/sshd_config:
PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys
MANAGING PASSPHRASE
$ ssh-agent $ ssh-add
