SSH keys and SSH agent in OS X
If you’re like me and connect to many servers over SSH, you soon realise it’s very tedious to remember and enter the passwords every time. One way to avoid this is to just remove the passwords, but that’s unlikely to be something you would want to do. A safer solution is to use SSH keys. This requires you to remember only one password for all your servers.
Commands only (details below)
ssh-keygen -t dsa # generate keys
# enter pass phrase
ssh peter@neverland # login to server like normal
# enter password
mkdir -p .ssh # generate .ssh dir
exit # log off server
scp ~/.ssh/id_dsa.pub peter@neverland:~/.ssh/authorized_keys2
# load key onto server
# enter password
mate ~/.ssh/config
# Host neverland
# User peter
# #Port 22
mate ~/.bash_login
# alias neverland="ssh neverland"
source ~/.bash_login
nev⇥ # log in on server
# possibly enter pass phrase in dialog once
Setting up SSH keys
To use SSH keys you first have to generate keys on your local machine. This is easily done with:
ssh-keygen -t dsa
# enter passphrase
This will generate two keys in ~/.ssh/, named id_dsa and id_dsa.pub. The id_dsa is your private key and it should never be shared with anyone. id_dsa.pub is your public key and it’s this file you distribute to all the servers.
DO NOT USE AN EMPTY PASSPHRASE, THIS DEFEATS A LOT OF THE PURPOSE
Right, now that your keys are generated it’s time to spread them onto our servers. In the examples I’ll use “peter” as the user name on the server and “neverland” as the host name; substitute these with your own user name and host name.
First we need to log on to our server and make sure the .ssh/ directory exists in our home directory.
ssh peter@neverland
# enter password
mkdir -p .ssh
exit
Now we copy the public key to the server with scp:
scp ~/.ssh/id_dsa.pub peter@neverland:~/.ssh/authorized_keys2
# enter password
That’s it, you’re ready to use keys:
ssh peter@neverland
# NO PASSWORD REQUIRED - we get straight in
Now, that’s a lie: you probably don’t get straight in. First OS X will ask you for a password. It’s important to note that this is the pass phrase you chose when generating the keys, not your normal login password.
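An added example, not code from the original post: the scp line above replaces whatever authorized_keys2 already holds on the server, and sshd (with its default StrictModes) refuses key authentication, logging “bad ownership or modes”, if ~/.ssh or the key file is writable by group or others. The helper below, run on the server after the .pub file has been copied somewhere temporary, appends the key only if it is not already listed and sets the permissions sshd expects. The target home directory is a parameter so the demo can run against a throwaway directory; the file name authorized_keys (the current default, which sshd reads alongside authorized_keys2) is an assumption, and the sample keys are constructed dummies. They use the ed25519 type, which current OpenSSH recommends over the DSA keys the post generates (ssh-dss has been disabled by default since OpenSSH 7.0).

```shell
#!/bin/sh
# Added example, not code from the original post.
# Install an OpenSSH public key into a user's authorized_keys the way sshd
# expects it: append rather than overwrite, skip duplicates, and set the
# permissions StrictModes checks (700 on ~/.ssh, 600 on authorized_keys).
# install_pubkey <pubkey file> <home directory>
install_pubkey() {
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"   # assumed name; sshd also reads authorized_keys2

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    # A .pub file is exactly one non-empty line: "<type> <base64 blob> [comment]"
    [ "$(awk 'NF' "$pubkey_file" | wc -l | tr -d ' ')" -eq 1 ] \
        || { echo "$pubkey_file: expected exactly one key" >&2; return 1; }
    key_type=$(awk 'NF { print $1; exit }' "$pubkey_file")
    case "$key_type" in
        ssh-*|ecdsa-*|sk-*) ;;
        *) echo "$pubkey_file: not an OpenSSH public key" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    [ -e "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    # Compare type + blob only, so the same key with a different comment is
    # still recognised as already installed.
    key_id=$(awk 'NF { print $1 " " $2; exit }' "$pubkey_file")
    if awk 'NF { print $1 " " $2 }' "$auth_file" | grep -qxF -- "$key_id"; then
        echo "already present"
        return 0
    fi
    # awk terminates every record with a newline, so a .pub file that lacks
    # one cannot run into the next key on append.
    awk 'NF' "$pubkey_file" >> "$auth_file"
    echo "installed"
}

# Number of keys sshd would load from the given home directory.
count_keys() {
    grep -cE '^(ssh|ecdsa|sk)-' "$1/.ssh/authorized_keys"
}

# Demo against a throwaway directory standing in for the server-side home.
# The base64 blobs below are constructed placeholders, not real keys.
demo_home=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoBlobNotARealKey0000000000000000 peter@laptop\n' \
    > "$demo_home/laptop.pub"
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoBlobNotARealKey0000000000000000 peter@desktop\n' \
    > "$demo_home/desktop.pub"
install_pubkey "$demo_home/laptop.pub" "$demo_home"    # installed
install_pubkey "$demo_home/desktop.pub" "$demo_home"   # already present (same key, new comment)
count_keys "$demo_home"                                # 1
ls -ld "$demo_home/.ssh" "$demo_home/.ssh/authorized_keys"
rm -rf "$demo_home"
```

On a real server you would call it as install_pubkey /tmp/id_dsa.pub "$HOME" after copying the .pub file over with scp to a temporary path; the duplicate check means running it from every laptop you own never produces a second copy of a key already installed.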
SSH agent
Now at first you might think we haven’t gotten very far. Alright, so you only have to remember one pass phrase, but you still have to type it when you connect. The beauty of Leopard, though, is that it starts ssh-agent automatically, and hence you only have to enter your pass phrase once per session on your computer. That means the next time you connect to any server using the keys you just created, you won’t have to type the pass phrase. There’s a pretty big difference between entering a password every time you connect to a server and entering your pass phrase only once (on the first connection) after you restart your computer. (ssh-agent lives across hibernations.)
Extra tips & tricks
Setup your ssh config
Use your favourite editor to edit ~/.ssh/config. This might be an empty file, but that’s fine. Add this:
Host neverland
User peter
# Port 22
The Port line is redundant, as 22 is the default SSH port, but it is useful to add if the port is something other than 22. After doing this, it should suffice to type this command to get logged in:
ssh neverland
Changing your SSH config is also the only way I know of to get svn+ssh:// to work if your local user name differs from the one used on the server. Every application or protocol that uses SSH will use these settings.
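An added example, not part of the original post, that scripts the Host/User/Port entries from this section so they can be added repeatably (on every machine you set up) and read back before relying on them. The helper checks for an existing block before appending, writes Port only when it is not 22, and keeps the file readable only by its owner, since ssh rejects a config file that other users can write to. The config path is a parameter so the demo runs against a temporary file; the hosts, users and port in the demo are placeholders in the spirit of the post’s “peter” and “neverland”.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Maintain ~/.ssh/config entries from a script and read them back.
# add_host_entry <config file> <host alias> <remote user> [port]
add_host_entry() {
    cfg=$1; host=$2; user=$3; port=${4:-22}
    [ -e "$cfg" ] || : > "$cfg"
    chmod 600 "$cfg"    # ssh refuses a config file that others can write to
    if grep -qE "^[[:space:]]*Host[[:space:]]+$host[[:space:]]*$" "$cfg"; then
        echo "exists"
        return 0
    fi
    {
        printf 'Host %s\n' "$host"
        printf '    User %s\n' "$user"
        # 22 is the default, so only write Port when it differs (as the post says)
        [ "$port" = 22 ] || printf '    Port %s\n' "$port"
        printf '\n'
    } >> "$cfg"
    echo "added"
}

# config_lookup <config file> <host alias> <keyword>
# Print the keyword's value in the block for <host alias>, or nothing.
# Exact alias match only: real ssh also applies wildcard patterns and Match
# blocks and takes the first value found, so confirm the effective settings
# with `ssh -G <alias>` on a current OpenSSH.
config_lookup() {
    awk -v host="$2" -v key="$3" '
        tolower($1) == "host" { inblock = ($2 == host); next }
        inblock && tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Demo against a temporary file standing in for ~/.ssh/config.
demo_cfg=$(mktemp)
add_host_entry "$demo_cfg" neverland peter        # added
add_host_entry "$demo_cfg" neverland peter        # exists
add_host_entry "$demo_cfg" hook captain 2222      # added
config_lookup "$demo_cfg" neverland User          # peter
config_lookup "$demo_cfg" hook Port               # 2222
cat "$demo_cfg"
rm -f "$demo_cfg"
```

Point it at the real file with add_host_entry ~/.ssh/config neverland peter; because svn+ssh:// and every other SSH-based tool read the same file, config_lookup is a quick way to see which user name they will end up using for a host.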
Aliases
Another good thing to set up is aliases for host names; this is particularly useful if the host name is long or difficult. Setting up aliases is really easy. Fire up your favourite editor to edit ~/.bash_login and add this at the end of the file:
alias neverland="ssh neverland"
Save and close the file, then type the following command to load the new settings:
source ~/.bash_login
Now it should suffice to type this command to get logged in and ready on your server:
neverland
It will even be autocompleted like commands and files (nev⇥).
Pretty cool, eh?