SSH host-keys can be a convenience, or can (potentially) increase security. Assuming it never becomes easy to directly defeat the encryption used by SSH, someone would need to know your username/password. With host-keys, they would also (likely) need to have a specific file. In the more convenient case, you can also choose to have no password and instead rely on access to the file for security. This article is targeted towards the latter.
There are a handful of steps needed to set up the host-keys. The info can be found elsewhere on the net, I’m mainly posting it here so I can find it quicker.
Step 1: Set Up Remote
By “Remote” I mean the computer that you are connecting to. “Local” will refer to the computer you are connecting from. The first step is to create the host-keys:
user > ssh-keygen -t rsa -b 2048 user > cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
The first command generates a public and a private key. This is from asymmetric cryptography, which uses a different key for encryption and decryption.
Step 2: Set Up the Local
Now, on the local computer (the one that you are connecting from), you will need to get the private key, and save it in a specific location. There are two options here — you can have a single public/private key pair, or a different key per host. If you don’t use a password, it doesn’t really matter — anyone who can ssh into one computer would be able to get to the other private keys without issue.
user > mkdir -p ~/.ssh/pk/ user > scp my_user@my_host:~/.ssh/id_rsa ~/.ssh/pk/my_host user > chmod 600 ~/.ssh/pk/*
The first step is to get the file. Make a directory called ~/.ssh/pk on your local computer. Next, scp the private key to the local computer. In the above, “my_user” is the remote user name, and “my_host” is the remote’s hostname. The file should be named the same as the remote’s hostname. It is best to prevent everyone with access to the computer to have access to the private key, so set the permissions to 600 (user access only).
# ~/.ssh/config IdentityFile ~/.ssh/pk/%h # %r = remote user name # %h = hostname
Now you can edit the ~/.ssh/config. This allows ssh to know which private key to use. This example will look for a key that matches ~/.ssh/pk/my_host.
Step 3, Test
Now, all you need to do is:
user > ssh my_user@my_host
And if this fails, google for the answer. Not all ssh configurations are the same. If something doesn’t work, you probably have such a config. Otherwise, you made a mistake with the above, eg using “authorized_hosts” instead of “authorized_keys”. Likewise, if you do decide against a password, realize that anyone with access to the keys will have access to your computers (especially if they are accessible from the internet). This ideally means you won’t send them via un-encrypted email, ftp, etc… Finally, keep in mind that you don’t have to allow root to login via ssh at all. You can allow a user to login with a private key, but still require a password to become root.