Computer Documentation Wiki

User Tools

Site Tools

Trace: users
services:2fa:ssh:linux

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
services:2fa:ssh:linux [2021/03/22 11:18] – created deulservices:2fa:ssh:linux [2025/08/20 10:44] (current) – fix typos, emphasize security of private key jansen
Line 1: Line 1:
 ======Setup Linux ssh for key based login====== ======Setup Linux ssh for key based login======
  
-We need to create a private/public key set to allow passwordless login via ssh. To do this run the sshkey-ge command:+We need to create a private/public key set to allow passwordless login via ssh. To do this run the sshkey-gen command:
  
   $ ssh-keygen -t ecdsa   $ ssh-keygen -t ecdsa
Line 25: Line 25:
   +----[SHA256]-----+   +----[SHA256]-----+
  
-For both question about passphrase, just hit enter (we will not be using passphrases). This will also have generated two files in your personal .ssh directory:+For both questions about passphrase, just could hit enter (in that case we will not be using passphrases). Security wise it is better though you do fill in a passphrase. This will have generated two files in your personal .ssh directory:
  
   $ ls -ltr id_ecdsa*   $ ls -ltr id_ecdsa*
Line 31: Line 31:
   -rw-r--r-- 1 testuser1 users 195 Mar 22 12:13 id_ecdsa.pub   -rw-r--r-- 1 testuser1 users 195 Mar 22 12:13 id_ecdsa.pub
  
-The file id_rsa.pub must be transferred to the remote hostFor this we can use ssh-copy-id:+The file ''id_ecdsa'' (without ''.pub'') is the **private key**You will have to keep this file private, ieno one should have access to it (so don't copy it on removable media, share it with anyone, leave it in any unprotected place, etc). __**Treat it as an actual key**__; anyone with access to this private key, has access to your account, as if you had handed over your house key to others.
  
-  $ ssh-copy-id -i ~/.ssh/id_edcsa.pub username@remote-host+The file ''id_ecdsa.pub'' is the "public" part of the key-pair. It's something similar to the key-hole in your front door: anyone is allowed to see the key-hole, but only the person who has the private key (you!) can use that key to open it. \\ 
 +So, the file ''id_ecdsa.pub'' must be transferred to the remote host. For this we can use ssh-copy-id: 
 + 
 +  $ ssh-copy-id -i ~/.ssh/id_ecdsa.pub username@remote-host
  
 This may produce the following message: This may produce the following message:
  
-  /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/username/.ssh/id_edcsa.pub"+  /usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/username/.ssh/id_ecdsa.pub"
   The authenticity of host 'remote-host (123.123.123.123)' can't be established.   The authenticity of host 'remote-host (123.123.123.123)' can't be established.
   ECDSA key fingerprint is SHA256:tygMarTe3SOjTcY9HzldKThxQzsTeiYHg5JmjB2bxeg.   ECDSA key fingerprint is SHA256:tygMarTe3SOjTcY9HzldKThxQzsTeiYHg5JmjB2bxeg.
Line 47: Line 50:
   /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys   /usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
   username@remote-host's password:   username@remote-host's password:
 +  One-time password (OATH) for `username`: 
  
-Type your password to actually start the file copy.+Type your password (and the 2FA passcode) to actually start the file copy.
  
   Number of key(s) added: 1   Number of key(s) added: 1
Line 54: Line 58:
   Now try logging into the machine, with:   "ssh 'username@remote-host'"   Now try logging into the machine, with:   "ssh 'username@remote-host'"
   and check to make sure that only the key(s) you wanted were added.   and check to make sure that only the key(s) you wanted were added.
 +
 +
 +The passwordless ssh login is now in place.
 +=====Alternative public key copy=====
 +
 +It may be that ssh-copy-id is not available with your version of OpenSSH. In that case you need to copy the information yourself. This can be done following the below procedure.
 +
 +It is possible to copy the public key directly to the remote host. The command below pipes the content of the public key through the ssh login to the remote host. On the remote host we first create the .ssh directory (if not there) and then append the public key content to the authorized_keys file, all in one command:
 +
 +  cat ~/.ssh/id_ecdsa.pub | ssh username@remote-host "mkdir -p ~/.ssh && chmod 700 ~/.ssh && cat >>  ~/.ssh/authorized_keys"
 +
 +where username@remote-host can also me replaced by the logical name you have defined while configuring the ssh.
 +
 +After successful execution of above command you can login to remote-host without specifying a password. 
services/2fa/ssh/linux.1616411887.txt.gz · Last modified: by deul

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki