generate authentication key for ssh

1

(1) I use the following commands on computer A to generate an authentication key for ssh from computer A to computer B:

ssh-keygen -t rsa
scp ~/.ssh/id_rsa.pub B:.ssh/authorized_keys2

(a) If I further generate an authentication key for ssh from computer A to computer C, how would you do it? Is it a good way to simply reuse the same ~/.ssh/id_rsa.pub as for A to B, i.e.

scp ~/.ssh/id_rsa.pub C:.ssh/authorized_keys2

(b) If I further generate an authentication key for ssh from computer B to computer D, is it correct to repeat the commands for A to B on B?

ssh-keygen -t rsa
scp ~/.ssh/id_rsa.pub D:.ssh/authorized_keys2

(2) There seems to be another method for A to B:

ssh-keygen
ssh-copy-id -i ~/.ssh/id_rsa.pub B

What's the difference between (2) and (1)? What would you do if you used the commands of (2) in cases (a) and (b) of (1), especially (b)?

Thanks and regards!

Tim

Posted 2009-10-27T00:40:24.937

Reputation: 12 647

Answers

1

I use method 1 and copy my public key to all the servers I want access to (using that key). The public key provides no way of identifying the other places it might be distributed to, and if you start using multiple keys for multiple hosts you are trying to access, you are just going to create a management nightmare for yourself.

Just make sure you keep your private key private and secured with a passphrase.

Zak

Posted 2009-10-27T00:40:24.937

Reputation: 230

Thanks! I forgot to add a passphrase when running "ssh-keygen -t rsa". Any way to add it later? – Tim – 2009-10-27T01:02:49.033

From "man ssh-keygen":

 -p      Requests changing the passphrase of a private key file instead of creating a new private key.  The program will prompt for the file containing the private key, for the old
         passphrase, and twice for the new passphrase.

 -N new_passphrase
         Provides the new passphrase.

 -P passphrase
         Provides the (old) passphrase.
– Zak – 2009-10-27T01:06:28.207

Thanks again! I forgot to ask: if I further need to generate authentication keys for ssh from computer E to computer B, how do I prevent overwriting the file .ssh/authorized_keys2 on B that was set up for A to B? And what if there is another computer F to B? – Tim – 2009-10-27T01:36:28.377

1

If you have access to the 'ssh-copy-id' command, this is a nice way to initially set up SSH auth from the source host. The ssh-copy-id script simply takes your public key and copies it over to the remote host, into the file ~/.ssh/authorized_keys. It also makes sure the directory ~/.ssh exists and has its mode set to 700 (go-rwx).

If you're going to set up a simple SSH auth chain between several machines like you describe above, you actually could use the same key for all machines. A simple recipe for this would be:

Generate a 1024-bit DSA key (could also be RSA, but then 2048 bits or more):

A ~# ssh-keygen -t dsa

Distribute the public key to the other 3 hosts. Here you will be presented with a normal login to user@B, user@C and user@D:

A ~# ssh-copy-id -i .ssh/id_dsa.pub user@B
A ~# ssh-copy-id -i .ssh/id_dsa.pub user@C
A ~# ssh-copy-id -i .ssh/id_dsa.pub user@D

After the id is copied you may distribute the private key (!) to the other hosts. This will actually enable you to log on to host A directly from B, or from D to C etc., as they all share the same key and all have the same authorized_keys:

A ~# scp -p .ssh/id_dsa user@B:~/.ssh/
A ~# scp -p .ssh/id_dsa user@C:~/.ssh/
A ~# scp -p .ssh/id_dsa user@D:~/.ssh/

The final task is to rename the public key on host A, so that host A also has an authorized_keys and can allow login from hosts B, C and D:

A ~# mv .ssh/id_dsa.pub .ssh/authorized_keys

Now you should be able to move between, or copy data between, all 4 hosts using the same key, bypassing the login/password challenge. Depending on whether you generated the key without a password, that is...

Sverre Marvik

Posted 2009-10-27T00:40:24.937

Reputation: 361
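The thread turns on one detail: `scp ... B:.ssh/authorized_keys2` replaces the remote file, so a second client's key (Tim's "computer E to computer B" question above) would wipe out the first, whereas ssh-copy-id appends to `~/.ssh/authorized_keys` and fixes up directory permissions, as Sverre's answer describes. The script below is an added example, not code from the thread or from the ssh-copy-id project: it re-implements that append-and-chmod behaviour as a local shell function so the difference can be observed in a temporary directory without any remote host. The key strings are constructed placeholders, not real keys, and `add_authorized_key`, `overwrite_authorized_key` and `count_authorized_keys` are names chosen for this example. (OpenSSH reads both `authorized_keys` and `authorized_keys2` by default, so the same logic applies to either file name.)

```shell
#!/bin/sh
# Added example (not from the original thread): a local model of what
# ssh-copy-id does on the remote side, versus what a plain scp does.
# All key material below is constructed placeholder text, not a real key.

# add_authorized_key PUBKEY_LINE HOMEDIR
#   Appends PUBKEY_LINE to HOMEDIR/.ssh/authorized_keys unless it is already
#   present, creating .ssh (mode 700) and authorized_keys (mode 600) as needed.
#   This is the behaviour ssh-copy-id relies on: keys from many clients coexist.
add_authorized_key() {
    pubkey="$1"
    dir="$2/.ssh"
    file="$dir/authorized_keys"
    mkdir -p "$dir"
    chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    # -x: match the whole line, -F: literal string, -q: no output
    if grep -qxF -- "$pubkey" "$file"; then
        return 0            # already authorized; re-running is idempotent
    fi
    printf '%s\n' "$pubkey" >> "$file"
}

# overwrite_authorized_key PUBKEY_LINE HOMEDIR
#   Models "scp id.pub host:.ssh/authorized_keys": the file is replaced,
#   so any key another client installed earlier is lost.
overwrite_authorized_key() {
    pubkey="$1"
    dir="$2/.ssh"
    mkdir -p "$dir"
    printf '%s\n' "$pubkey" > "$dir/authorized_keys"
}

# count_authorized_keys HOMEDIR
#   Prints the number of non-empty lines in authorized_keys (0 if absent).
count_authorized_keys() {
    file="$1/.ssh/authorized_keys"
    if [ -f "$file" ]; then
        grep -c -v '^[[:space:]]*$' "$file" || true
    else
        echo 0
    fi
}

# Constructed sample public keys for two different client hosts, A and E.
KEY_A="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyForHostA tim@A"
KEY_E="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyForHostE tim@E"

# Demo: host B's home directory is simulated under a temporary directory.
WORK=$(mktemp -d)

overwrite_authorized_key "$KEY_A" "$WORK/B"      # A installs its key via scp
overwrite_authorized_key "$KEY_E" "$WORK/B"      # E does the same: A's key is gone
echo "after two scp-style copies: $(count_authorized_keys "$WORK/B") key(s)"   # 1

rm -rf "$WORK/B"
add_authorized_key "$KEY_A" "$WORK/B"            # A installs its key, ssh-copy-id style
add_authorized_key "$KEY_E" "$WORK/B"            # E's key is appended, A's survives
add_authorized_key "$KEY_A" "$WORK/B"            # repeating A adds no duplicate
echo "after three ssh-copy-id-style copies: $(count_authorized_keys "$WORK/B") key(s)"   # 2
ls -ld "$WORK/B/.ssh"                            # drwx------ : the 700 mode ssh-copy-id sets

rm -rf "$WORK"
```

Only public keys move in this example; for the A-to-B, A-to-C and A-to-D logins in the question, the private key generated on A never has to leave A, which is the one-key-per-client layout Zak's answer describes.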