
There are two Linux machines, A and B. Scripts running on A need to be able to SSH into B. So A generates a public key (probably an ssh-keygen-generated id_rsa.pub), and then uses its respective private key (again, probably id_rsa) to make that SSH connection.

If anything I’ve said above is incorrect or misled, please begin by correcting me!

Assuming I’m more or less on target:

  • How does A “give” B its public key (id_rsa.pub)? Does this have to be a manual process, or can it be automated? If manual, what’s the process? If automated, what’s the command? When B "gets" this public key, where does it go or get stored?
  • When initiating the SSH connection to B, how does A “use” its private key (id_rsa) as part of that connection?
user3178622
  • Why the downvote sans explanation? It shows research, is an [SSCCE](http://sscce.org), and to my knowledge, is not a duplicate. **If you disagree, and think this is a duplicate, please provide a link to the question you feel it is a duplicate of!** – user3178622 Aug 19 '15 at 15:40
  • While I didn't downvote and don't think this question is bad in any way, perhaps [Information Security](http://security.stackexchange.com/) Stack would be a more suitable place. – MC10 Aug 19 '15 at 15:47
  • I didn't downvote either, but I understand why someone did. This is a widely used login method, while I agree that Google search results are cluttered with how to make it work, and not how it works articles.. It is possible to find the info you're looking for. – Tyson Aug 19 '15 at 15:55
  • @MC10 no it's not for information security it's not really security related – barlop Aug 19 '15 at 16:27
  • The notion of SSCCE isn't really applicable to questions that aren't about code. – Scott - Слава Україні Aug 19 '15 at 17:25
  • Not a duplicate but related: https://superuser.com/questions/383732/how-does-ssh-encryption-work. Might answer the second part of the question (how private keys are used) – Jay Aug 19 '15 at 18:27
  • @Scott SSCCE can be applicable to many people's questions even when not code. Many people describe computer problems with all sorts of irrelevant rubbish such as "my brother's computer", "I just came back from holiday and this happened". Less absurdly, they may state that they're in a virtual machine - when it's irrelevant. – barlop Aug 20 '15 at 21:15
  • @barlop: I realize that there are good questions and bad questions (with a spectrum of gray between), and I concede that the **S**, **SC** & **C** attributes are among the distinctions.  But I'm having trouble swallowing the **E**.  "There are two Linux machines, A and B" is like "Three speech-capable life forms walk into an establishment that serves intoxicating beverages" — they're not *Examples,* they're generic scenarios.  To be clear: I have no problem with the *question*, but the comment saying that it "is an SSCCE" is like saying that it is colorless and green. – Scott - Слава Україні Aug 21 '15 at 04:09
  • @Scott technically, C and E don't apply, because they specify Code. (though his Short also specifies code just slightly less prominently). But C and E still directly apply. C meaning is it correct, does our mind parse what he has written and say Yes, that makes sense. It compiles.. and E, well colloquially, E - example, includes a generic scenario, and a generic scenario is a perfect example because it's short. So just as you agree with C (correct, compiles) it compiles in our minds, so too, E, example: the example is fine for the human mind. – barlop Aug 21 '15 at 08:26
  • @Scott though granted, with Code, S and SC C and E would generally include code. But there's no doubt that giving an example is something that applies to asking a non-code question too. (and sometimes a completely compilable example isn't necessary.. like here he could've tried to break it down re command line examples but it wasn't necessary. If his English was bad and he could only talk command line - what he runs, what he expects, what he gets, then it would've been necessary). – barlop Aug 21 '15 at 08:31

2 Answers


`ssh-keygen` generates both the public and private keys, which initially reside only locally. Giving the public key to another host is something that the user would need to manually do, either by sending it to someone responsible for server B, or if you have an account with a password, you could log in and put it there yourself. In order to allow passwordless login to server B, you would need to add your public key to the `~/.ssh/authorized_keys` file on server B (one public key per line, there can be any number of keys in this file). There is a Linux command `ssh-copy-id` that will copy the ID for you and put it in the file.

By default, ssh will use the file `~/.ssh/id_XXX` as your private key. XXX can be rsa, dsa, or any protocol for which a key was generated. IIRC, dsa is old and shouldn't be used. If you want to use a different private key, you can specify it in your ssh command using `-i`. As long as the private key being used matches a public key on the remote machine (in the `authorized_keys` file for the user's account which you are logging in to), then you will not need to supply a password.

BamaPookie
  • Thanks @BamaPookie - a few followups: (1) when `ssh-keygen` is run, you mention that the two keys "reside only locally"? **Where?!?** As in, what folder can I navigate to and see `id_rsa.pub` and `id_rsa`? (2) I thought `ssh-add` was the command for adding a public key to `authorized_keys`, no? What's the difference between `ssh-copy-id` and `ssh-add`? Thanks again! – user3178622 Aug 19 '15 at 16:26
  • @user3178622 re '1' I don't have it in front of me but it looks like `~/.ssh/id_rsa` re '2', `ssh-add` isn't for adding to `authorized_keys`, it's for adding to a keychain.. I haven't used `ssh-add` though. `ssh-add` is to do with enabling you to not have to enter a keyphrase every time you use a key that requires a keyphrase. So if your ssh keys don't require a keyphrase then I guess there isn't any reason to use `ssh-add` and I think you'd still need to use `ssh-copy-id` or to do the manual copying of the public key into `authorized_keys` – barlop Aug 19 '15 at 16:28
  • `ssh-keygen` will ask you where to save the file, but the default location is in `~/.ssh/`. `ssh-copy-id` copies the public key to a remote host. `ssh-add` adds a private key to your local keyring. Adding a private key to your local keyring means that it will be checked by default when attempting an ssh connection (that is, without having to specify it with `-i`). – BamaPookie Aug 19 '15 at 17:28
  • @BamaPookie Where you write "Adding a private key to your local keyring means that it will be checked by default when attempting an ssh connection (that is, without having to specify it with -i)." <--- It's worth clarifying that I think you mean it changes the default private key that is chosen, so that instead of it being `id_rsa`, it's from the keyring. (Of course, without `ssh-add` you still don't have to specify a private key with `-i`, it will still have a default, just a different default). – barlop Aug 19 '15 at 19:56

> There are two Linux machines, A and B. Scripts running on A need to be able to SSH into B. So A generates a public key (probably an ssh-keygen-generated id_rsa.pub), and then uses its respective private key (again, probably id_rsa) to make that SSH connection.
>
> If anything I’ve said above is incorrect or misled, please begin by correcting me!
>
> Assuming I’m more or less on target:

yeah

but B needs A's public key to be listed in B's `authorized_keys` file in order for A to be able to connect to B

also you can delete `id_rsa.pub` and ssh to B and it will still work, because the public key is generated fresh with each ssh connection and not stored in any `id_rsa.pub`

> How does A “give” B its public key (id_rsa.pub)? Does this have to be a manual process, or can it be automated? If manual, what’s the process? If automated, what’s the command?

manual - something like

from A:

```
cat ~/.ssh/id_rsa.pub | ssh USER@HOST "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
```

or even more manually, to break the command down

```
A$ cat id_rsa.pub | ssh user@host 'cat>~/a.a'
```

then on B, make sure `~/.ssh` exists, then do `cat a.a >> ~/.ssh/authorized_keys`

and you can `cat` B's `authorized_keys` before and after to make sure the key is listed.

Or you could email `id_rsa.pub` to an email account, then from B, B can check the email and append the contents of `id_rsa.pub` into his `authorized_keys` file

automatically

The `ssh-copy-id` command

You need to be able to ssh in, so you need password access

Instead of doing `ssh user@host` you do `ssh-copy-id user@host` and you are prompted for a password, you enter it, you're in, it will copy the public key over. And next time you do `ssh user@host` it will use the key.

> When B "gets" this public key, where does it go or get stored?

B's `~/.ssh/authorized_keys`

> When initiating the SSH connection to B, how does A “use” its private key (id_rsa) as part of that connection?

well, I don't know much about that, off the top of my head, but whatever is encrypted with one key can be decrypted with the other key, and identifying yourself is a bit different to sending data.. and there may be something about a temporary key too.

barlop
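The manual `cat >> ~/.ssh/authorized_keys` step in the answers appends blindly (run it twice and the key is listed twice) and leaves the directory and file modes to chance, which matters because sshd's default `StrictModes yes` refuses to use a `~/.ssh` or `authorized_keys` that is group- or world-writable. The script below is an added example, not code from either answer: an idempotent, mode-setting version of that step to run on B with the public key line copied over from A; the key blob in the usage comment is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the answers above): an idempotent, mode-setting
# replacement for "cat id_rsa.pub >> ~/.ssh/authorized_keys", run on B.

# valid_pubkey LINE: succeed if LINE looks like an OpenSSH public key
# (known key type, then a base64 blob, then an optional comment).
# Lines with option prefixes such as from="..." are deliberately not handled.
valid_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)'
}

# key_blob LINE: print only the base64 field, the part that identifies a key
# (the trailing comment is free text and may differ between copies).
key_blob() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# key_present AUTH_FILE LINE: succeed if the key's blob is already in the file.
key_present() {
    [ -f "$1" ] && grep -Fq -- "$(key_blob "$2")" "$1"
}

# install_pubkey AUTH_FILE LINE: append LINE to AUTH_FILE unless it is already
# there, creating the directory and file with the modes sshd insists on
# (StrictModes rejects a group- or world-writable ~/.ssh or authorized_keys).
# Returns 0 when the key ends up listed, 2 when LINE is not a public key.
install_pubkey() {
    auth=$1
    line=$2
    if ! valid_pubkey "$line"; then
        echo "refusing: not an OpenSSH public key line" >&2
        return 2
    fi
    dir=$(dirname "$auth")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth" && chmod 600 "$auth"
    if key_present "$auth" "$line"; then
        echo "already authorized: $(key_blob "$line")"
        return 0
    fi
    printf '%s\n' "$line" >> "$auth"
    echo "added: $(key_blob "$line")"
}

# Usage on B, with the line copied over from A (constructed placeholder blob,
# not a real key):
#   install_pubkey ~/.ssh/authorized_keys \
#       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERnotAREALkeyXXXXXXXXXXXXXXXXXXXXXXXX scripts@A"
```

Run it once per key per target account; a second run with the same key (even with a different trailing comment) reports "already authorized" instead of adding a duplicate line.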