What Is SSH?

SSH is the Secure Shell protocol, which is a way for two computers to talk to one another without anybody being able to decode what is being said even if the interloper were able to access the raw network communications between the two computers. This is similar to the way web browsers use SSL (Secure Sockets Layer) to talk with e-commerce and other secure websites.

SSH is mostly used for shell access (typing commands for a remote server to execute) and for authenticating SFTP (Secure FTP), which allows downloading and uploading files to and from remote computers.

Password Annoyances

Usually, you’ll type in a username and password to authenticate yourself to the remote computer. But that gets boring real quick. Often you’ll be tempted to set an easy password, just to make it easier to type in again and again. Yet that’ll obviously decrease your security.

Add in the fact that many SSH clients tend to get stuck or boot you out if you don’t continuously use the connection, and that means plenty of password-retyping.

Solution: SSH Public Keys

The answer is SSH public-key based encryption. Public-key based encryption relies on two pieces of information: One, a secret and private key which you keep in a secure location (i.e., your home directory), and the other, a public key which you place anywhere you want to log in to.

The key is actually a long number, but it’s usually expressed as a series of number and letters when written to your hard drive.

I won’t go into the details of public/private key encryption here, but let it suffice to say that the remote server, encrypts a some data with your public key. The only way to decrypt that data would be if you had the private key, which your local computer does. After it does the decryption, the remote computer is able to trust that you are really you.

Passwordless Login

OK, since the only thing you need to log in to a remote computer is a private key, you don’t need to enter the password associated with your remote username. Hence, you’ve achieved passwordless login.

Now, since the private key can be used to log in to any one of your remote accounts, you might want to protect it. You can specify what is called a “passphrase” for it at the time your create your private key. That might seem slightly paradoxical, since having to enter a passphrase for your private key instead of a password for your remote server doesn’t seem like an improvement.

There are ways to have a passphrase, and also not have to enter it in again and again, but that’ll be the subject of another post. For now, anyway, if your personal computer is secure, and you want things to be easy, just don’t specify a passphrase.

Creating a Private Key

To start using SSH public key encryption, you need to create a private key.

Note: be sure SSH is installed for your operating system. It will usually be installed by default on Ubuntu (and just about any other Linux/Unix based system).

To create a private key, use the ssh-keygen program. Type ssh-keygen in a terminal:

js@buntu910wd:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/js/.ssh/id_rsa):

When prompted for which file you want to save the key in, just press Enter for the default.

If you want to have passwordless logins, don’t enter a passphrase when prompted. Just press Enter twice:

Enter passphrase (empty for no passphrase):
Enter same passphrase again:

ssh-keygen creates the key and then tells you where it saved it:

Your identification has been saved in /home/js/.ssh/id_rsa.
Your public key has been saved in /home/js/.ssh/id_rsa.pub.

Your public and private keys are saved in a hidden folder called .ssh in your home directory. The ssh-keygen program sets permissions to allow only yourself to read the private key, but if you want to be sure, just do an ls -l:

js@buntu910wd:~/.ssh$ ls -l
total 12
-rw------- 1 js js 1675 2009-12-25 16:29 id_rsa
-rw-r--r-- 1 js js  395 2009-12-25 16:29 id_rsa.pub
-rw-r--r-- 1 js js 2210 2009-11-27 19:07 known_hosts

Note: id_rsa is the private key. Guard it well. If someone is able to copy that key, he will be able to log in to any of your remote accounts.

id_rsa.pub is the public key. No one can log in to your remote accounts just by having your public key, but there’s no reason to spread it around, either.

Installing the Public Key

To use your public and private keys, you have to install the public key on each remote server you want to access without a password.

The way that SSH works by default, it looks for public keys in a file called authorized_keys in the .ssh directory. The public keys are are just long sequences of text in a single line.

You can have more than one key in an authorized_keys file (for yourself, or to allow others to log on).

If you’re setting up SSH keys for the first time, you probably won’t have an authorized_keys file on your remote server. So you can just copy the file that contains the public key to a new file calle authorized_keys:

cp .ssh/id_rsa.pub ~/authorized_keys

Then upload the authorized_keys file to the remote computer’s .ssh directory. If you don’t have a .ssh directory on the remote computer, create one:

mkdir ~/.ssh

Important: Be sure you upload your public key, and not the private key. The public key has a “.pub” file extension.

Then, set the permissions on the authorized_keys file to allow only your account access to the file:

chmod 600 ~/.ssh/authorized_keys

Log in Without a Password

Now go to a terminal and log in to your account:

ssh johnsmith@example.com

If all goes well, ssh shouldn’t ask you for your password, like so:

js@buntu910wd:~$ ssh johnsmith@example.com
johnsmith@example.com's password:

Since sftp uses the same authentication mechanism as ssh, you can use the sftp program without passwords, as well.

Summary

1. Create a private/public key pair with ssh-keygen.
2. Copy the id_rsa.pub file to authorized_keys.
3. Upload the authorized_keys file to the .ssh directory in your home folder on the remote server.
4. Set permissions to only allow your user to access the key files.

Related posts:

1. Dreamhost Problems Status RSS
2. How to Manually Add Hosts in Windows, Linux, and OS/X
3. Ubuntu Karmic Koala 9.10 Is Out