More Linux Remote Networking Tips and Tricks (part 2)
Setting It Up
Last week we looked at some good ways to use OpenSSH and SSHFS for easy file sharing on the LAN. Today we're going to review how to use encryption keys instead of password logins. Using key pairs is less flexible but more secure because it's like using a key lock instead of a combination lock. There is no way to brute-force a password, you don't have to give away system passwords, and only users who possess the key can get in.
Other Stories on LinuxPlanet
With OpenSSH the machine you are logging into is always the server, because the OpenSSH daemon needs to be running and listening for connection attempts. The PC you are logging in from is the client. Again, like in Part 1, this is for LANs only because remote access over the Internet is more complicated to set up. We'll do that next in Part 3.
Creating a Named Key Pair
You can use an existing key or create a new pair. Don't give the new key pair a passphrase, and never ever share your private key-- guard it just like you would a physical key. Replace "remotepc" with your own hostnames or IP addresses. I like to give them helpful names, like this:
$ ssh-keygen -t rsa -f id_remotepc
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in id_remotepc.
Your public key has been saved in id_remotepc.pub.
The key fingerprint is:
The key's randomart image is:
+--[ RSA 2048]----+
| .o |
| . .. .|
| o oo.|
| . . = ++..|
| S . *+Eoo|
| . Ooo.|
| o |
The private key is id_remotepc, and the public key is id_remotepc.pub. Now copy the public key to authorized remote PCs with the ssh-copy-id command. You don't have to specify the public key because ssh-copy-id automatically makes sure that the correct key is copied in the correct format:
$ ssh-copy-id -i /home/carla/.ssh/id_remotepc alrac@remotepc
Now try logging into the machine, with "ssh 'alrac@remotepc'", and check in:
to make sure we haven't added extra keys that you weren't expecting.
Sponsored by BlackBerry
BlackBerry® Enterprise Server Express enables businesses of any size to quickly and easily get started with the BlackBerry solution. It provides advanced BlackBerry smartphone features with no additional software or user license fees, and works with any Internet-enabled BlackBerry data plan or a BlackBerry enterprise data plan. Download now!