OpenSSH is included in OS X and allows admins full access to all levels of a machine’s OS. However, you have to type in a password for every connection, which can be tiresome when you need to connect to 20 client machines!
Thankfully, we can avoid all this typing with a public/private key pair. There is an easy-to-follow article on creating the necessary keys on the OpenSSH website; I’m going to run through an OS X-centric implementation here.
First off we need to decide what we are connecting to and which account we will use to authenticate. For this example we’ll access a machine called “target” as the user “admin”.
We need to be working in your home folder on your machine to start with.
Open Terminal. You’ll probably be in your home folder already. If not run
cd
Now we’ll make sure our ~/.ssh directory exists, cd into it and create our key pair (the -p flag keeps mkdir quiet if the directory is already there).
mkdir -p ~/.ssh && cd ~/.ssh
ssh-keygen -q -f ~/.ssh/id_rsa -t rsa
You’ll be asked for a passphrase at this point. Make sure it’s very, very secure! I’ve made a couple of scripts that will generate passwords, which you can find in my password generation post.
You can also get passwords generated for you online at https://www.grc.com/passwords.htm or use Apple’s built-in password generator accessible via the change password sheet in the Account preference pane.
There are lots of dashboard widgets and pieces of software designed to generate passwords for you. Check out Google for a look at what’s available.
Once you’ve decided on your very secure password and typed/pasted it in (very naughty!!) you’ll have an id_rsa and id_rsa.pub file in ~/.ssh. The public file (id_rsa.pub) needs to be uploaded to “target”. This can be done using scp.
scp ~/.ssh/id_rsa.pub admin@target:/Users/admin
The “admin@target:/Users/admin” portion will obviously need to be changed to match your remote machine: put your username (“admin”) before the at symbol, refer to your “target” machine by IP address or hostname, and put the file anywhere you want. I just tend to dump it in the “admin” user’s home folder.
So, if you want to dump the id_rsa.pub file in “superuser’s” home folder on a machine accessible via client1.domain.co.uk you’d enter
scp ~/.ssh/id_rsa.pub superuser@client1.domain.co.uk:/Users/superuser
You need to have SSH enabled for scp to work! You’ll be asked for your SSH password once you try to transfer the file.
Now that the file’s uploaded we’ll SSH in using the account’s existing password, not the passphrase we used to generate our id_rsa files. Once connected we append the public key information to ~/.ssh/authorized_keys, delete the uploaded copy, and change permissions to make everything slightly more secure.
mkdir -p ~/.ssh
cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
rm ~/id_rsa.pub
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
Now we have the contents of our id_rsa.pub file appended to the ~/.ssh/authorized_keys file. We’ve also changed permissions so only our “admin” user has any sort of access to ~/.ssh.
Now we can disconnect from “target” and test our public key connection using
ssh -o PreferredAuthentications=publickey target
OS X will notice that we need to supply a password here, which is the passphrase we used to generate our id_rsa files. This can be saved into our Keychain so we never need to type it again!
If everything has worked as expected we’ll be connected to our “target” machine and any ssh connections from now on will be passwordless.
I’ve added an alias in my ~/.bash_profile so I can ssh without all of the required arguments. The alias I use is below.
alias targetssh='ssh -o PreferredAuthentications=publickey target'