ssh host v client regarding keys

Karl Auer kauer at biplane.com.au
Mon Feb 16 06:28:10 UTC 2015


On Mon, 2015-02-16 at 05:13 +0000, thufir wrote:
> on the host, I created a key with  ssh-keygen -t rsa  but that's on the pc 
> which I'm connecting.  do I transfer that key to the client with ssh-copy 
> id ?  Or the other way around?

Host: The system you are connecting TO
Client: The system you are connecting FROM

Assuming cuser on the client wants to log into the host as huser:

On the client, run ssh-keygen as cuser to create a ~cuser/.ssh and a new
key pair. Put the new key pair in ~cuser/.ssh (that's the default)
unless you know exactly what you are doing. If cuser already has a
suitable directory and key pair, skip this step.

On the host, run ssh-keygen as huser to create ~huser/.ssh and a new key
pair. Put the new key pair in ~huser/.ssh (that's the default) unless
you know exactly what you are doing. If huser already has a suitable
directory and key pair, skip this step. Otherwise, delete the generated
keys afterwards. You don't need them for logging in from the client.

Now copy the PUBLIC part of cuser's key (that's the file with the .pub
extension) from ~cuser/.ssh into ~huser/.ssh on the host.

In ~huser/.ssh on the host, append the newly copied public key
to .ssh/authorized_keys.

Finally, delete the public key from ~huser/.ssh 

That's it.

A couple of points though:
- DO NOT copy your private key to anywhere
- DO NOT create keys without passphrases
- make your passphrases very hard to guess
- authorized_keys should be world-readable
- authorized_keys should be writable only by the owner
- once you have publickey-protected access, consider
  turning off password-only access

There are lots of short-cuts and additional ways to do things, but for
the sake of obviousness, I've described it in clunky but simple steps.
Alternatively, while logged in as cuser on the client, do something like
this (untested, just to give you the idea; this requires you to enter
the huser password two or three times):

   cd
   ssh-keygen -t rsa -b 4096               # if cuser doesn't have keys
   ssh huser@host ssh-keygen               # if huser doesn't have .ssh
   scp .ssh/id_rsa.pub huser@host:.ssh/cuser.pub
   ssh huser@host "cat .ssh/cuser.pub >> .ssh/authorized_keys ; rm .ssh/cuser.pub"

Another alternative, if you have a terminal window open on both host and
client, is to display cuser's public key in the client window, edit
~huser/.ssh/authorized_keys in the host window, and just copy and paste
the key into authorized_keys.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 3C41 82BE A9E7 99A1 B931 5AE7 7638 0147 2C3C 2AC4
Old fingerprint: EC67 61E2 C2F6 EB55 884B E129 072B 0AF0 72AA 9882
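As an added example (not part of Karl's post), a small POSIX sh helper, hypothetically named install_pubkey, that performs the "append the public key to authorized_keys" step described above idempotently: it refuses anything that looks like a private key, skips keys already present, and sets the directory and file permissions the post recommends. The key material used for testing is constructed, not real.

```shell
#!/bin/sh
# Hypothetical helper (added example, not from the original post):
# install one public key into <ssh-dir>/authorized_keys the way the
# steps above describe, but idempotently and with sane permissions.
# Usage: install_pubkey <pubkey-file> <ssh-dir>
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    auth=$ssh_dir/authorized_keys

    # Guard against the mistake the post warns about: never move a
    # private key off the client, let alone into authorized_keys.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing: $pubkey_file looks like a private key" >&2
        return 1
    fi

    # Accept only a single line that starts with a known key type.
    key_line=$(head -n 1 "$pubkey_file")
    case $key_line in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: not a recognised public key line" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"          # sshd's StrictModes rejects looser dirs
    touch "$auth"

    # Compare on "type blob" only, so a different trailing comment does
    # not cause the same key to be appended twice.
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$auth" | grep -qxF "$key_blob"; then
        echo "already present"
    else
        printf '%s\n' "$key_line" >> "$auth"
        echo "added"
    fi
    chmod 644 "$auth"             # world-readable, owner-writable only
}
```

Run it on the host as huser with the copied cuser.pub and ~huser/.ssh; the public key file can then be deleted as the post suggests.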