
Using one key for a lot of servers

If you’re at all like me (let’s hope not) you have too many passwords to cope with. I can’t help with websites, but I don’t think there’s been a time in the past five years when I haven’t had at least two different servers to log in to, sometimes more like four or five. There’s no way I’m going to remember all those passwords, and I don’t try. Instead, I put an RSA public key on each server, and keep the private key here on my Mac. When I ssh to those servers, I get prompted for the private key’s passphrase, then I’m logged in. Same “password” every time. When I get access to a new system (CS department servers, web servers for former places of work, research cluster, Common Kitchen web server or development server) the first thing I do is upload my public key. The second thing I do is stop trying to remember the password.

I realized that I’ve described this process to several other people now, (and even mentioned it here before) and haven’t bothered to save the writeup anywhere public, so here it is if it’s useful to you.

The command to generate a key pair (this is asymmetric, public-key cryptography: the private half stays with you, the public half is handed out) is

$ ssh-keygen -t rsa

You’ll be prompted for a destination for the files (the default, inside your ~/.ssh directory, is best, since that’s where the ssh client looks for the private key) and a passphrase, which you’ll need to confirm. Then you’ll have two files, by default id_rsa and id_rsa.pub. The .pub file is the public key, which you’ll be uploading to any servers you wish to log in to. The other file is the private key: it never leaves your machine, and it must be readable only by you (ssh refuses to use a private key whose permissions are looser than 600). Older releases of ssh-keygen defaulted to 1024-bit RSA, which is no longer considered adequate; add -b 4096 for a longer key, and current OpenSSH also offers -t ed25519.

(Note that you can create a passwordless login this way by giving an empty passphrase, if you’re confident enough about the security of your private key; it’s not advisable, since anyone who copies the file then has your access to every server that trusts it. I’ve used that, however, to allow scripts access to a remote server, e.g. with scp.)

Once you upload the public key to the target server, it belongs in a directory named .ssh in your home directory there, in a file named authorized_keys (one key per line, appended to the existing file if there is one). sshd checks ownership and modes before trusting that file: your home directory, ~/.ssh and authorized_keys must all be writable only by you, or the key is ignored (sshd logs “bad ownership or modes”; the client just sees a password prompt). On systems that have it, ssh-copy-id does the equivalent of the following over an ssh connection:

$ mkdir -p ~/.ssh
$ chmod 700 ~/.ssh
$ cat id_rsa.pub >> ~/.ssh/authorized_keys
# (mv id_rsa.pub ~/.ssh/authorized_keys works only if no keys are there yet: it replaces the file)
$ chmod 600 ~/.ssh/authorized_keys
$ chmod go-w ~
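The steps above, as an added shell example (this is not the post’s own commands): a function that installs a public key the same way but appends only if that key is not already present, sets the modes sshd’s StrictModes checks, and a second function that verifies them. It assumes a POSIX sh and an OpenSSH one-line public key; the optional home-directory argument and the function names are this example’s own, there so the functions can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added example, not the post's own commands: install a public key into
# authorized_keys the way the post describes, but idempotently and with the
# modes sshd checks (StrictModes is on by default), then verify them.
# Assumptions: POSIX sh; PUBFILE is an OpenSSH one-line public key
# ("ssh-rsa AAAA... comment"). The optional HOME argument exists so the
# functions can be exercised on a scratch directory.

# install_pubkey PUBFILE [HOME]
# Exit status: 0 key appended, 2 key already present, 1 bad input.
install_pubkey() {
    pubfile=$1
    home=${2:-$HOME}
    ssh_dir="$home/.ssh"
    auth="$ssh_dir/authorized_keys"

    [ -r "$pubfile" ] || return 1
    # The key's identity is its type and base64 blob; the trailing comment
    # can differ between copies of the same key, so leave it out of the match.
    key=$(awk 'NF >= 2 { print $1, $2; exit }' "$pubfile")
    [ -n "$key" ] || return 1

    mkdir -p "$ssh_dir"            # -p: a second run must not fail
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"

    if grep -qF -- "$key" "$auth"; then
        return 2
    fi
    # Append (never mv over the file: that would revoke everyone else's keys),
    # printing the first non-empty line so a missing final newline in PUBFILE
    # cannot glue two keys together.
    awk 'NF >= 2 { print; exit }' "$pubfile" >> "$auth"
}

# writable_only_by_owner PATH: 0 unless group or world has write permission.
# ls -l's mode string is used because stat's flags differ between GNU and BSD.
writable_only_by_owner() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 1 ;;   # position 6 = group w, position 9 = other w
    esac
    return 0
}

# check_perms [HOME]: 0 when sshd will accept the key, 1 when it will log
# "bad ownership or modes" and fall back to asking for a password.
check_perms() {
    home=${1:-$HOME}
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || return 1
        writable_only_by_owner "$p" || return 1
    done
    return 0
}

# Usage on the server, after scp'ing id_rsa.pub there:
#   install_pubkey ~/id_rsa.pub && check_perms && rm ~/id_rsa.pub
```

Running install_pubkey twice with the same key (even with a different trailing comment) leaves one line in authorized_keys and returns 2 the second time, which is what you want from a script that provisions the same key onto many servers.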

Now when you log in, you should be prompted for a passphrase, not a password. The prompt comes from the ssh client on your Mac, which needs the passphrase to decrypt the private key; the server only ever sees your public key and a signature made with the private one, so the passphrase never goes over the network and is the same on every server that has your public key in authorized_keys. If a server still asks for your account password, it has rejected the key, usually because of the permissions above; ssh -v shows which keys the client offered and what the server said. I think this is really cool, but I suppose I’m a specialized case.

Now Playing: If I Wrote You from Out There Live by Dar Williams


Comments

Like FoP, I started using authorized_keys for the convenience of remembering a single password. Then I got really lazy and started using ssh-agent to keep my passphrase in memory so I only had to type it once per terminal session. My laziness led to downright sluggishness. Now I use the keychain script to manage ssh-agent pids so I only need to type in my password once per login session. It is handy. In a nutshell, it makes sure only one ssh-agent is running on your system per user at a time, even when you start a new terminal. This means you only have to type your passphrase once per system login.

  1. sudo port install keychain
  2. Add the following to your .bash_profile:

/opt/local/bin/keychain ~/.ssh/id_dsa > /dev/null
source ~/.keychain/${HOSTNAME}-sh > /dev/null
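What the keychain script does in a nutshell, as an added example in plain POSIX sh (this is neither keychain’s code nor the commenter’s): the agent’s environment is saved to a file that every new shell sources, and a new agent is started only when the saved one no longer answers, so the passphrase is typed once per login session rather than once per terminal. The file name AGENT_ENV and the function names are this example’s own; it assumes OpenSSH’s ssh-agent and ssh-add on PATH.

```shell
#!/bin/sh
# Added example, not keychain itself: one ssh-agent per user that survives
# across terminals. Its environment (socket path and pid) is written to
# $AGENT_ENV, and each new shell sources that file instead of starting
# another agent. Assumes OpenSSH's ssh-agent and ssh-add on PATH; the file
# name and function names are this example's own choices.
AGENT_ENV=${AGENT_ENV:-$HOME/.ssh/agent.env}

# agent_alive: 0 if the agent named by $SSH_AUTH_SOCK answers.
# ssh-add -l exits 0 (keys loaded) or 1 (agent up, no keys); 2 means no agent.
agent_alive() {
    [ -S "${SSH_AUTH_SOCK:-}" ] || return 1
    ssh-add -l >/dev/null 2>&1 || [ $? -eq 1 ]
}

# start_agent: start a fresh agent and record its environment, mode 600,
# since anyone who can read the socket path can try to use your keys.
start_agent() {
    mkdir -p "$(dirname "$AGENT_ENV")"
    (umask 077; ssh-agent -s > "$AGENT_ENV") || return 1
    . "$AGENT_ENV" > /dev/null
}

# ensure_agent: reuse the saved agent if it still runs, else start one.
# It never prompts, so it is safe to call from a non-interactive shell.
ensure_agent() {
    if [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" > /dev/null
    fi
    agent_alive || start_agent
}

# load_key [KEYFILE]: add the private key only if its public half is not
# already in the agent, so the passphrase prompt appears once per session.
load_key() {
    key=${1:-$HOME/.ssh/id_rsa}
    blob=$(awk 'NF >= 2 { print $2; exit }' "$key.pub") || return 1
    ssh-add -L 2>/dev/null | grep -qF -- "$blob" || ssh-add "$key"
}

# stop_agent: kill the saved agent and forget it (e.g. from a logout script).
stop_agent() {
    ssh-agent -k > /dev/null 2>&1
    rm -f "$AGENT_ENV"
    unset SSH_AUTH_SOCK SSH_AGENT_PID
}

# Usage from ~/.bash_profile, assuming this file is saved as ~/bin/agent.sh:
#   . ~/bin/agent.sh; ensure_agent && load_key ~/.ssh/id_rsa
```

Because the saved environment file is the only thing that ties a new terminal to the running agent, its mode matters as much as the private key’s: with the default umask it would be world-readable, which is why start_agent writes it under umask 077.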
