{"id":254,"date":"2014-09-18T15:25:26","date_gmt":"2014-09-18T15:25:26","guid":{"rendered":"http:\/\/localhost:8000\/?p=254"},"modified":"2025-09-07T13:48:18","modified_gmt":"2025-09-07T13:48:18","slug":"novice-example-public-key-access","status":"publish","type":"post","link":"https:\/\/blog.gwadej.org\/programmer-musings\/2014\/09\/novice-example-public-key-access\/","title":{"rendered":"Novice Example: Public Key Access"},"content":{"rendered":"<p>In the last <a target=\"_blank\" rel=\"noopener\" href=\"\/programmer_musings\/2014\/01\/novice-example-remote-file-copy-better-problem-breakdown\/\">post<\/a>, we had begun streamlining novice Ned&#8217;s problem. Our current solution has some problems. The most annoying is the need to type a password for each server that we are going to write to.<\/p>\n<h2 class=\"subhead\">High-level Description<\/h2>\n<p>We are using <code>scp<\/code> to do the copy, so the login is controlled by the <acronym title=\"Secure SHell\">SSH<\/acronym> system. SSH supports using public keys to log in to a system. Ned will need to check with the appropriate people to be sure there is no policy preventing using public keys for access. This process requires several steps.<\/p>\n<ul>\n<li>Create a public\/private key pair on your local system.<\/li>\n<li>Copy the public key to the remote system&#8217;s <code>authorized_keys<\/code> file.<\/li>\n<li>Verify and correct file permissions.<\/li>\n<\/ul>\n<p>Before accessing the remote machines, you will need to execute <code>ssh-agent<\/code> and add your key to the agent. Now, every attempt to access a remote host will attempt to use your key to log you in.<\/p>\n<h2 class=\"subhead\">Creating a Key<\/h2>\n<p>You generate keys for SSH using the program <code>ssh-keygen<\/code>. You may want to check with your sysadmins or security group to learn if there is any company standard for keys, otherwise just running the command will pick reasonable defaults. 
Make certain to provide a good passphrase when asked. Anyone who obtains your private key file and knows this passphrase can use your key to impersonate you on any system that you can log into.<\/p>\n<p>The <code>ssh-keygen<\/code> program should generate a pair of files in the <code>.ssh<\/code> directory under your home directory. One of those files will have a <code>.pub<\/code> extension. That is the public key. The same filename without the extension is your private key. You should make certain that the private key stays on your machine and that you don&#8217;t give it to anyone.<\/p>\n<p>You should make certain that the directory and any files in it are only readable and writable by you.<\/p>\n<h2 class=\"subhead\">Using ssh-agent<\/h2>\n<p>Depending on how your current machine is set up, <code>ssh-agent<\/code> may or may not already be running.<br \/>\nIf it&#8217;s already running, you can skip to the next step. If you need to run ssh-agent, you still need to do a bit more. The ssh-agent program sets some environment variables needed to do its job. The easiest way to get it set up is to execute:<\/p>\n<pre><code>\neval `ssh-agent`\n<\/code><\/pre>\n<p>This adds the correct variables to the current shell instance.<\/p>\n<h2 class=\"subhead\">Adding Keys<\/h2>\n<p>You tell ssh-agent about the keys you want to manage with the <code>ssh-add<\/code> command. If you kept the default file name in <em>Creating a Key<\/em> above, you can just execute <code>ssh-add<\/code>. If you changed the name, you will need to execute:<\/p>\n<pre><code>\nssh-add ~\/.ssh\/{private_key_name}\n<\/code><\/pre>\n<p>The ssh-add program will request your passphrase at this point to add the key to the agent. Afterwards (until the next time ssh-agent is restarted), ssh will get the keys from ssh-agent without asking for your passphrase.<\/p>\n<h2 class=\"subhead\">Authorized Keys<\/h2>\n<p>In order to use the public key login, you need to add your public key to the <code>.ssh\/authorized_keys<\/code> file on the remote machine. 
The simplest approach for this is<\/p>\n<pre><code>\nssh-copy-id -i ~\/.ssh\/{private_key_name} user@remote_machine\n<\/code><\/pre>\n<p>If your system does not have the <code>ssh-copy-id<\/code> script, you will need to modify the authorized_keys file on the remote server by hand. Instructions for that are available in <a href=\"https:\/\/www.digitalocean.com\/community\/tutorials\/how-to-set-up-ssh-keys--2\">many<\/a> <a href=\"https:\/\/www.cs.utah.edu\/~bigler\/code\/sshkeys.html\">places<\/a> online.<\/p>\n<p>It&#8217;s probably a good idea to make certain that the <code>.ssh<\/code> directory and the authorized_keys file on the remote server are only readable and writable by the remote account.<\/p>\n<p>Attempt to SSH into the remote server and you&#8217;ll find that no password or passphrase is needed.<\/p>\n<h2 class=\"subhead\">Lather, Rinse, Repeat<\/h2>\n<p>Modify the authorized_keys file as described above for each of the remote machines you need to access. Although it seems like a lot of work, this will be the last time you need to make this change for each of the remote servers.<\/p>\n<p>If a new server is added to your responsibility, add your key to the authorized_keys file for the new server and you are ready to go.<\/p>\n<h2 class=\"subhead\">Conclusion<\/h2>\n<p>When you are finished, you can run the script from the last <a target=\"_blank\" rel=\"noopener\" href=\"\/programmer_musings\/2014\/01\/novice-example-remote-file-copy-better-problem-breakdown\/\">post<\/a> and all of the scp commands automatically log in to the remote servers.<\/p>\n<p>There is more that could be done to improve the script from before, but that is left as an exercise for the reader (for now).<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the last post, we had begun streamlining novice Ned&#8217;s problem. Our current solution has some problems. The most annoying is the need to type a password for each server that we are going to write to. 
High-level Description We are using scp to do the copy, so the login is controlled by the SSH\u2026 <span class=\"read-more\"><a href=\"https:\/\/blog.gwadej.org\/programmer-musings\/2014\/09\/novice-example-public-key-access\/\">Read More &raquo;<\/a><\/span><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22],"tags":[106,226,257],"_links":{"self":[{"href":"https:\/\/blog.gwadej.org\/programmer-musings\/wp-json\/wp\/v2\/posts\/254"}],"collection":[{"href":"https:\/\/blog.gwadej.org\/programmer-musings\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.gwadej.org\/programmer-musings\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.gwadej.org\/programmer-musings\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.gwadej.org\/programmer-musings\/wp-json\/wp\/v2\/comments?post=254"}],"version-history":[{"count":1,"href":"https:\/\/blog.gwadej.org\/programmer-musings\/wp-json\/wp\/v2\/posts\/254\/revisions"}],"predecessor-version":[{"id":1367,"href":"https:\/\/blog.gwadej.org\/programmer-musings\/wp-json\/wp\/v2\/posts\/254\/revisions\/1367"}],"wp:attachment":[{"href":"https:\/\/blog.gwadej.org\/programmer-musings\/wp-json\/wp\/v2\/media?parent=254"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.gwadej.org\/programmer-musings\/wp-json\/wp\/v2\/categories?post=254"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.gwadej.org\/programmer-musings\/wp-json\/wp\/v2\/tags?post=254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}