System Administration: Login using SSH and a public/private keypair

Most system administration guides advise disabling password authentication in favour of key-based authentication. While this is a good baseline, given how poorly passwords are typically chosen, there are some occasions where password authentication is essential; those cases should be managed with person-specific passwords, minimum password requirements and a range of other essential password management limits.

That aside, once you have created your public/private keypair, you then need to use it.

There are two main ways of using the keypair:
  1. - sending your public key to the administrator of the system; or
  2. - uploading your own public key if you have direct access to the system.

Sending your public key to the system administrator is achieved by way of sending an email or some other form of messaging. The file format is unforgiving (a single mistyped or dropped character makes the key useless), so reading it out over a telephone call is not a good way of achieving this end.

Uploading your own public key can be done semi-automatically (with ssh-copy-id) or manually. Manual uploading is the same process that the system administrator will follow:

  1. - Connect to the system using a username/password combination;
  2. - If the ~user/.ssh directory or authorized_keys file don't exist, they will need to be created (the directory needs mode 700, not 600, because the execute bit is required to traverse into it; sshd refuses keys in a directory or file that is readable by others):
    mkdir ~user/.ssh
    chown user ~user/.ssh
    chmod 700 ~user/.ssh
    touch ~user/.ssh/authorized_keys
    chown user ~user/.ssh/authorized_keys
    chmod 600 ~user/.ssh/authorized_keys
  3. - Modify the remote user's authorized_keys file using your favourite (vi) editor. Each key occupies exactly one line in the following format with NO extra whitespace; a key that arrived wrapped across several lines in an email must be joined back into a single line first:
    ssh-rsa KeyWithLinesAndSpacesJoined description

We would suggest that you use the semi-automatic method if you have the means:

  1. - On UNIX-based systems, open your favourite terminal program and run the following (user will need to be replaced with your remote username and host will need to be replaced with either the hostname or IP address of the remote system):
    ssh-copy-id -i ~/.ssh/id_rsa.pub user@host
  2. - Enter your password.

From this point on, assuming key-based authentication has been enabled on the remote system, you will be able to log in to the remote system again without entering your password. You will, however, need to enter the passphrase that you used when creating the keypair originally.

You can further restrict what a particular key may do by editing ~/.ssh/authorized_keys on the remote system and prefixing the key with options: from= limits the hosts (patterns or addresses, not a username) the key may be used from, and command= forces a single command to run whenever that key authenticates, whatever the client asked for. Options are comma-separated with no spaces, followed by a single space and then the key, as follows (the address is a placeholder):
from="192.0.2.10",command="/usr/local/bin/remote_script.sh" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDNGZ9Be...
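The manual installation steps above and the restricted-key line can be scripted together. The following is an added example, not code from the original page: it validates that a pasted key is a single well-formed line whose blob really encodes the declared type, creates ~/.ssh and authorized_keys with the modes sshd requires, and appends the key with an optional options prefix. The home directory and key are parameters, and the sample key is constructed (an all-zero ed25519 blob), not a real key.

```shell
#!/bin/sh
# Added example (not from the original page). Installs a public key into a
# user's authorized_keys with 0700 on ~/.ssh and 0600 on the file, after
# checking the key line the way a careful administrator would.

# validate_pubkey LINE: succeed only if LINE is a single line of the form
#   <type> <base64-blob> [comment]
# whose blob starts with the encoded length+type field for the declared type
# (ssh-rsa and ssh-ed25519 only, as an assumption of this example).
validate_pubkey() {
    [ "$(printf '%s\n' "$1" | wc -l)" -eq 1 ] || return 1   # no line breaks
    type=$(printf '%s' "$1" | cut -d' ' -f1)
    blob=$(printf '%s' "$1" | cut -d' ' -f2)
    case "$type" in                           # base64 of the blob's leading field
        ssh-rsa)     prefix=AAAAB3NzaC1yc2E ;;
        ssh-ed25519) prefix=AAAAC3NzaC1lZDI1NTE5 ;;
        *)           return 1 ;;
    esac
    case "$blob" in
        "$prefix"*) ;;                        # blob agrees with the type word
        *)          return 1 ;;
    esac
    case "$blob" in
        *[!A-Za-z0-9+/=]*) return 1 ;;        # non-base64 characters: damaged paste
    esac
    return 0
}

# install_key HOME_DIR LINE [OPTIONS]: create ~/.ssh and authorized_keys if
# missing, fix their modes, and append LINE (prefixed by OPTIONS such as
# from="...",command="...") unless the same blob is already present.
install_key() {
    home=$1; line=$2; opts=${3:-}
    validate_pubkey "$line" || return 1
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"                    # directory needs the execute bit
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    blob=$(printf '%s' "$line" | cut -d' ' -f2)
    grep -qF "$blob" "$home/.ssh/authorized_keys" && return 0   # already installed
    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$line" >> "$home/.ssh/authorized_keys"
    else
        printf '%s\n' "$line" >> "$home/.ssh/authorized_keys"
    fi
}

# Constructed sample key: structurally valid ed25519 blob with all-zero key bytes.
SAMPLE_KEY="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA alice@laptop"
```

Run it against a real home directory only as that user or as root, e.g. install_key /home/alice "$(cat id_ed25519.pub)".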
