
settings for private key in .ssh folder?

I changed my permissions in my .ssh folder and now when I use a piece of software that uses my private key, I have to type my password each time. What should my permissions be on my id_rsa file to not have to type a password each time I use an app that uses it?

Currently my permissions are set to:

-rw-------@ 1 Jody  staff   114 Nov  4 23:29 config
-rw-------  1 Jody  staff  1743 Oct 21  2009 id_rsa
-rw-------@ 1 Jody  staff   397 Oct 21  2009 id_rsa.pub 
-rw-------@ 1 Jody  staff  3855 Sep 13 22:35 known_hosts

Generate an SSH key (if you don't have one)

If you happen to use GNOME, the seahorse application ("Passwords and Encryption Keys") can do it for you: File -> New -> Secure Shell Key.

If you prefer terminal, run ssh-keygen -t <type> to generate a keypair. Valid keypair types are:

  • rsa: the default
  • dsa: more-or-less equivalent, except restricted to 1024 bit keys
  • ecdsa: same security with smaller keys, but relatively new and somewhat rare in SSH software.
  • ed25519: High security (more resistant to side channel attacks and weak random number generators). Very fast signature generation. Very new. Only available in OpenSSH >= 6.5.

The program will ask you for a passphrase and a location where to save the new key. Using the suggested default path is recommended because all other tools will look for it there.

Upload the public key to the remote server

Again, seahorse can often do that for you - in My Personal Keys, right-click on your SSH key and choose Configure key for secure shell.

Or, ssh-copy-id -i ~/.ssh/id_rsa.pub remote-user@remote-host in the terminal.

Or, completely manually step-by-step:

  1. Create a directory (if it doesn't exist already) named .ssh in the home directory of the remote user on the remote host.
  2. In that directory, create a file named authorized_keys (if it doesn't exist already).
  3. In case your remote umask is more liberal than usual, make the file not group-writable: chmod go-w ~/.ssh ~/.ssh/authorized_keys.
  4. Finally, somehow copy (append) the contents of your local public key (~/.ssh/id_rsa.pub) into the remote ~/.ssh/authorized_keys file.

Load the key into the ssh agent

If you load your private key into an ssh agent, it will hold the decrypted key in memory. We want this to avoid re-entering the password whenever we shell into a server.

First, the agent must be started, or the path of a launched communication socket loaded into a variable. Running ssh-agent on a terminal will generate commands for assigning and setting the agent variables. These commands can be saved in a file for use in a different terminal. Alternatively, one could run these commands and forget about re-using the same agent in another terminal, e.g. eval $(ssh-agent).

Loading the key is a simple matter of executing ssh-add and giving it the pass phrase.

If you are using GNOME, gnome-keyring-daemon usually provides the same SSH agent functionality as ssh-agent, so you should not need to start anything. GNOME will automatically load and unlock the key on login, too.

Shell into the remote server without a password

If everything was done correctly, using ssh user@server will not prompt you for a password. If something is wrong with the agent and not the key, you will be asked to type in the pass phrase for the key, and not the password for the user account.

Anything that uses ssh for communication will work without entering the user account password when the correct key is loaded in the agent. Programs such as scp, sftp and rsync make use of this.

Notes:

  • You only need an SSHv2 key, as SSHv1 is very insecure and now unused.
  • You also only need one type of key - either RSA or DSA is enough. (ed25519 and ECDSA are both recent and thus not supported everywhere).
  • All these steps are the same for both RSA and DSA keys. If you use DSA, use id_dsa instead of id_rsa, and ECDSA will have id_ecdsa.
  • OpenSSH servers older than 3.0 used authorized_keys2 - but it is really unlikely you'll find anything older than 5.0 in use.
  • These instructions only apply for OpenSSH version 3.0 and newer. lsh, ssh.com, and other (Unix and not) SSH servers are not included in this tutorial.

Examples:

  • Copying the public key to a remote host:

    ssh-copy-id -i ~/.ssh/id_rsa.pub myaccount@remotehost       # this

    cat ~/.ssh/id_rsa.pub | ssh myaccount@remotehost \
          'mkdir -p ~/.ssh ; cat >> ~/.ssh/authorized_keys'     # or this

  • Saving agent variables for re-use (elaborate example):

    ssh-agent > ~/.ssh/cross-terminal-agent
    . ~/.ssh/cross-terminal-agent
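The "saving agent variables for re-use" idea at the end of the answer above works until the saved agent dies (reboot, killed process), after which every new terminal sources a stale file. The script below is an added example, not code from the answer: it sources the saved file, checks whether that agent still answers, and only then starts a fresh one. The file path and the function names are this example's own choices; the ssh-add exit codes it relies on (0 keys listed, 1 agent empty, 2 agent unreachable) are the ones documented in the ssh-add manual.

```shell
#!/bin/sh
# Added example (not from the answer above): keep one ssh-agent alive across
# terminals. The agent's environment is saved to AGENT_ENV (the path and the
# function names are this example's choices) and a new agent is started only
# when the saved one can no longer be reached.
AGENT_ENV=${AGENT_ENV:-$HOME/.ssh/cross-terminal-agent}

# True when SSH_AUTH_SOCK points at a live agent. ssh-add -l exits 0 when it
# lists keys, 1 when the agent is up but holds no identities, and 2 when it
# cannot contact the agent at all.
agent_alive() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1
    case $? in
        0|1) return 0 ;;
        *)   return 1 ;;
    esac
}

# Source the saved agent variables if they exist and the agent still answers;
# otherwise start a fresh agent and save its variables for the next terminal.
start_or_reuse_agent() {
    if [ -r "$AGENT_ENV" ]; then
        # The file is the output of ssh-agent -s: export lines plus an echo.
        . "$AGENT_ENV" >/dev/null
    fi
    agent_alive && return 0
    # Subshell so the restrictive umask does not leak into the caller's shell.
    ( umask 077 && ssh-agent -s > "$AGENT_ENV" ) || return 1
    . "$AGENT_ENV" >/dev/null
    agent_alive
}

# Add KEY (default ~/.ssh/id_rsa) to the agent unless it is already loaded,
# so the passphrase is typed once per agent lifetime, not once per terminal.
ensure_key_loaded() {
    key=${1:-$HOME/.ssh/id_rsa}
    # ssh-add -L prints the public keys held by the agent; compare against
    # the key's own .pub file (second field is the base64 key material).
    pub=$(awk '{print $2}' "$key.pub" 2>/dev/null) || return 1
    if ssh-add -L 2>/dev/null | awk '{print $2}' | grep -qxF "$pub"; then
        return 0
    fi
    ssh-add "$key"
}

# Typical use from a shell startup file:
#   start_or_reuse_agent && ensure_key_loaded
```

Sourced from a shell startup file, the first terminal after login starts the agent and prompts for the passphrase once; every later terminal finds the saved socket still answering and just reuses it, which is the behaviour the answer's two-line version gives only while the original agent is still running.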

Typically you want the permissions to be:

  • .ssh directory: 700 (drwx------)
  • public key (.pub file): 644 (-rw-r--r--)
  • private key (id_rsa): 600 (-rw-------)
  • lastly your home directory should not be writable by the group or others (at most 755 (drwxr-xr-x)).

I am assuming that you mean that you have to enter your system/user password each time, and that previously you did not have to. cdhowie's response is assuming you set a password/passphrase when generating your keys, and if you did then as he says you will have to enter your password every time unless you use an ssh agent.

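The modes listed in the answer above can be checked mechanically. The script below is an added example, not code from the answer: it audits a .ssh directory and the home directory containing it against those modes and can apply them. The function names are this example's own; it also accepts a public key tighter than 644, which the answer does not discuss but which ssh has no problem with.

```shell
#!/bin/sh
# Added example (not from the answer above): audit and repair the ~/.ssh
# permissions it lists. Function names and the tolerance for a public key
# tighter than 644 are this example's own choices.

# Permission bits of a path as three octal digits, e.g. 600.
# Tries GNU stat first and falls back to BSD/macOS stat.
perm_of() {
    m=$(stat -c '%a' "$1" 2>/dev/null) || m=$(stat -f '%Lp' "$1") || return 1
    printf '%03d' "$m" | tail -c 3
}

# True when the group or "other" digit of a 3-digit mode has the write bit set.
writable_by_others() {
    g=${1%?}; g=${g#?}   # middle digit
    o=${1#??}            # last digit
    [ $(( ($g & 2) | ($o & 2) )) -ne 0 ]
}

# Audit DIR (default ~/.ssh) and the home directory that contains it.
# Prints one line per problem; returns 0 only when everything is as expected.
check_ssh_perms() {
    dir=${1:-$HOME/.ssh}
    home=$(dirname "$dir")
    bad=0

    p=$(perm_of "$home")
    if writable_by_others "$p"; then
        echo "FAIL $home is $p: must not be group/other-writable (755 at most)"
        bad=1
    fi

    p=$(perm_of "$dir")
    if [ "$p" != 700 ]; then
        echo "FAIL $dir is $p: expected 700"
        bad=1
    fi

    for f in "$dir"/id_*; do
        [ -f "$f" ] || continue
        p=$(perm_of "$f")
        case $f in
        *.pub)
            # 644 is the usual mode for a public key; tighter is harmless,
            # but group/other must never be able to write it.
            if writable_by_others "$p"; then
                echo "FAIL $f is $p: expected 644"
                bad=1
            fi ;;
        *)
            # ssh ignores a private key that group or others can read.
            if [ "$p" != 600 ]; then
                echo "FAIL $f is $p: expected 600"
                bad=1
            fi ;;
        esac
    done
    return $bad
}

# Apply the modes from the answer to DIR (default ~/.ssh) and its parent.
fix_ssh_perms() {
    dir=${1:-$HOME/.ssh}
    chmod go-w "$(dirname "$dir")"
    chmod 700 "$dir"
    for f in "$dir"/id_*; do
        [ -f "$f" ] || continue
        case $f in
        *.pub) chmod 644 "$f" ;;
        *)     chmod 600 "$f" ;;
        esac
    done
}

# Usage: check_ssh_perms || fix_ssh_perms
```

Note that the listing in the question already satisfies every one of these checks (600 on the private key, 700 implied on the directory), which is why the second answer looks past permissions to the key's passphrase as the likely cause of the prompt.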