Using SSH keys to log in like a boss

If you are logging in remotely, chances are you are using SSH to do it. Under Windows, you may be using a GUI program like PuTTY, and under Linux/OSX/whatever you are probably just using the ssh command.

Work with the plain SSH command comfortably

First off, did you know you can configure ssh? If you create a config file called ~/.ssh/config (that is, a file called config, inside the .ssh directory in your home directory) you can list the servers you connect to frequently, give them cute nicknames and set things like the default username so you can forgo a lot of typing in the future. Here’s my ~/.ssh/config for example:

Host nsa
	Hostname nsa.gov
	User root

Host giraffe
	Hostname giraffe.device43895783.wd2go.com
	User rodin

Host work
	Hostname triton.aalto.fi
	User vanvl1

With this config, I can just type ssh giraffe to access my home network, which has an annoyingly long assigned hostname.

However, I still have to type my password every. single. time. Since I tend to use long passphrases (and you should too!) this gets annoying fast. And actually, passwords alone aren’t that secure to begin with.

Generating a private/public key pair

Some cryptography geniuses figured out a better way to do logins. You generate two keys, which are basically very long passwords stored in a file. The first key is the private key, which is like the PIN on your bank card: you keep it safe! The second key is the public key, which is like your bank account number: you can give it out to anyone, so they can allow you to log in to their system. This doesn’t work the other way round: someone with your public key cannot log in to your system. By seeding the systems you frequently connect to with your public key, you can quickly hop between them, without having to enter your password/passphrase every time.

On Linux/OSX/whatever, generating the private/public key pair is as simple as typing:

$ ssh-keygen

and following the instructions on the screen. On Windows, you can use PuTTYgen to generate your keys. You can generally just press enter to accept the defaults. There is one field, however, that requires some thought: the passphrase field.

Wait, wasn’t the whole point of the keys to get rid of the passwords? Well, you can leave the passphrase field empty and you will never be prompted to enter a password when you use the key. But think about it for a second. This means that anyone who is sitting at your computer can also log in to the remote systems without having to type any password. Even worse, if they manage to copy your private key somehow, they can freely use it to impersonate you. So, unless you completely trust the computer you’re working on and any coworkers/roommates you have, go ahead and give your key a nice, strong passphrase.

Protecting your private key with a password doesn’t mean you have to enter it every. single. time. though. With most modern systems like OSX, Gnome or KDE, you only have to enter your passphrase once to unlock the key. Once it is unlocked, you can keep on using it without having to re-enter the password, until you shut down your own computer.
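A check for the risk described above, added here as an example and not part of the original post: it lists the private keys in ~/.ssh that have no passphrase by reading the cipher name stored in the key file header. The function names and the constructed sample key are assumptions made for illustration.

```python
import base64
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"  # start of the decoded OpenSSH private key format

def key_is_encrypted(text):
    """True/False for private key text; None if it is not a private key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY" not in lines[0]:
        return None
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        try:
            blob = base64.b64decode("".join(lines[1:-1]))
        except ValueError:  # malformed base64
            return None
        if not blob.startswith(MAGIC) or len(blob) < len(MAGIC) + 4:
            return None
        # First field after the magic: uint32 length, then the cipher name.
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])
        return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"
    if lines[0] == "-----BEGIN ENCRYPTED PRIVATE KEY-----":  # PKCS#8
        return True
    # Legacy PEM keys flag encryption in a header right after the BEGIN line.
    return any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines[1:4])

def unprotected_keys(ssh_dir=None):
    """Names of private key files in ssh_dir that have no passphrase."""
    ssh_dir = Path(ssh_dir) if ssh_dir else Path.home() / ".ssh"
    found = []
    for path in sorted(ssh_dir.glob("*")):  # empty if the directory is missing
        if not path.is_file() or path.suffix == ".pub":
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        if key_is_encrypted(text) is False:
            found.append(path.name)
    return found

def sample_openssh_key(cipher):
    """Constructed header-only sample for testing; not a usable key."""
    body = MAGIC + struct.pack(">I", len(cipher)) + cipher
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(unprotected_keys())
```

Any file name it prints is a key that works for whoever copies it; a passphrase can be added to an existing key with ssh-keygen -p -f followed by the key's path.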

If you’ve followed the defaults, there should be two new files in your ~/.ssh directory: id_rsa (your private key) and id_rsa.pub (your public key). In order to seed a remote system, so you can log in using your private key, use the ssh-copy-id command:

$ ssh-copy-id <remote>

(replace ‘<remote>’ with the actual hostname of the remote machine).

Now, you should be able to log in to the remote machine using your private key! In my case, I can now log into my home network just by typing:

$ ssh giraffe

It’s even better when I copy files between systems. I can just type:

$ scp file.txt giraffe:

and it works! This really smooths out the workflow when dealing with remote systems.

For those using a non-standard system: ssh-agent

If you find that you have to type in the password for your private key every time you log on to a remote system, it means there’s currently no clever program in the background keeping track of your unlocked key. A simple program that does this is ssh-agent. To start one whenever you open a terminal that does not already have an agent available, add this line to your ~/.bashrc file (if you use some other shell instead of bash, you probably know where to put it instead):

[ -z "$SSH_AUTH_SOCK" ] && eval "$(ssh-agent -s)"

Would you like to know more?

http://www.openssh.com/manual.html