wiki:faq/public-private-key-generation

Version 12 (modified by Jackrabbit, 6 years ago)


How can I log in to my primary host server without having to enter my account's password?

Normally, when you log in to our servers using either secure shell (a.k.a. ssh) or Secure FTP (a.k.a. sftp), you need to provide a username and the password for that username. Although this information is passed to our server in encrypted form, it is still cumbersome to remember yet another password.

An alternative way to log in to your server is to generate a public key and a private key (keys, in this sense, are simply small text files containing a long string of characters that appear random). When generating the key pair, you will be asked to come up with a password (ssh-keygen calls it a passphrase) to protect your private key. Then copy your public key to the server. Once your public key is in place, you can secure shell or Secure FTP into the server without entering your account's server password. Instead, you will be prompted locally for your private key password, and if you provide the proper private key password, you will be allowed into your account.

Using this method, you could copy your public key to each remote account you use. Every time you log in after that, you would only need to enter your private key password locally, and not need to remember all the other server passwords.

Generating your key

On Linux or Mac OS X

If you are using a Linux or Mac OS X computer, you can easily generate a private and public key by opening your terminal (on a Mac it is in Applications -> Utilities; on a Linux computer look in your Accessories or Utilities menu). Here's an example of me generating my keys. You can do the same by simply typing the first line below:

ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/guest/.ssh/id_rsa): 
Created directory '/home/guest/.ssh'.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/guest/.ssh/id_rsa.
Your public key has been saved in /home/guest/.ssh/id_rsa.pub.
The key fingerprint is:
a2:83:b2:5d:f3:8c:e4:58:09:a1:96:77:0a:5b:b8:34 guest@liberace
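The fingerprint on the last line above is the MD5 digest of the key blob stored in id_rsa.pub, so it can be recomputed from the public key file at any time. The POSIX shell function below is an added example, not part of this wiki page or of OpenSSH; it takes one public key line (from id_rsa.pub, or the line pasted out of PuTTYgen on Windows) and prints the fingerprint in the colon-separated form shown above, so you can confirm that the file you are about to copy to the server is the key you just generated. The key line used at the bottom is constructed for the demonstration and is not a real key.

```shell
#!/bin/sh
# Added example, not part of the May First wiki page: recompute the MD5
# fingerprint that ssh-keygen printed at generation time from the public
# key line itself.

# pubkey_fingerprint LINE
#   LINE is one OpenSSH public key line: "<type> <base64 blob> [comment]".
#   Prints the MD5 of the decoded blob as 16 colon-separated hex pairs, the
#   format shown on this page; "ssh-keygen -l -E md5 -f id_rsa.pub" prints
#   the same digits with an "MD5:" prefix.
pubkey_fingerprint() {
    key_line=$1
    key_type=${key_line%% *}
    rest=${key_line#* }
    blob=${rest%% *}

    # Only accept the key types OpenSSH writes into authorized_keys.
    case "$key_type" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        *) echo "unsupported or malformed key line" >&2; return 1 ;;
    esac

    tmp=$(mktemp) || return 1
    # base64 exits non-zero when the blob is not valid base64, so a pasted
    # line that was truncated or mangled is rejected here.
    if ! printf '%s' "$blob" | base64 -d > "$tmp" 2>/dev/null || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "key blob is not valid base64" >&2
        return 1
    fi
    # md5sum is the coreutils name; md5 -q is the BSD/macOS one.
    if command -v md5sum >/dev/null 2>&1; then
        digest=$(md5sum "$tmp" | cut -c1-32)
    else
        digest=$(md5 -q "$tmp")
    fi
    rm -f "$tmp"
    # a283b25d... -> a2:83:b2:5d:...
    printf '%s\n' "$digest" | sed 's/\(..\)/\1:/g; s/:$//'
}

# Constructed demonstration line (not a real key: the blob holds only the
# "ssh-rsa" type string and the exponent 65537, with no modulus).
pubkey_fingerprint "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB guest@liberace"
```

To check a real file, pass its only line: pubkey_fingerprint "$(cat ~/.ssh/id_rsa.pub)". The value should match what ssh-keygen printed; if it does not, the file is not the key you generated, or its contents were damaged when copying.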

On Windows

On Windows, you can generate a key by downloading the PuTTYgen program. When generating a public/private key pair, PuTTYgen will save a public key file in the PuTTY format. That public key file will not work on our servers. However, while your key is being generated (or after it is loaded) in the PuTTYgen program, there is a text field labelled: Public key for pasting into OpenSSH authorized_keys2 file. Copy and paste the contents of that text field into a file called id_rsa.pub.

Setting up your key for access to a server

On Linux or Mac OS X (using the command line)

Now that you have a public key, you will want to copy it to the server (or servers) on which you want to use it. In the following command, replace USER with your username and SERVER with your server name, like malcolm.mayfirst.org:

scp .ssh/id_rsa.pub USER@SERVER:

Don't forget to include the colon after your server name or the command won't work. If you've entered the command correctly, you'll be prompted for your password, and after entering it you will see the progress of the file transfer.

Now create the .ssh directory on the server on which you want to use your key and add your key to the authorized_keys file:

ssh USER@SERVER "mkdir .ssh; cat id_rsa.pub >> .ssh/authorized_keys"

After issuing that command you may see the following error message:

mkdir: cannot create directory `.ssh': File exists

That simply means that the .ssh directory already existed, which is common for May First accounts. It shouldn't affect the functioning of your key.
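The one-liner above appends the key every time it is run and relies on your umask for the permissions of .ssh and authorized_keys; sshd (with its default StrictModes setting) silently ignores an authorized_keys file that is writable by other users, which then looks exactly like a key that is "not functional". The script below is an added example, not the wiki's own command: it does the same job as the scp-plus-ssh steps, but creates the directory without the "File exists" message, sets the permissions sshd expects, skips lines that are not public keys, and adds a key only once. The file and directory names it uses in the test run are constructed; by default it installs into $HOME on the machine where it runs.

```shell
#!/bin/sh
# Added example, not from the May First wiki: install an OpenSSH public key
# into an account's authorized_keys idempotently and with safe permissions.

# install_pubkey PUBKEY_FILE [HOME_DIR]
#   Appends every key line of PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys
#   (HOME_DIR defaults to $HOME) unless an identical line is already there.
#   Prints the number of lines added; returns 1 on error.
install_pubkey() {
    pubkey_file=$1
    home_dir=${2:-$HOME}
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }

    # mkdir -p is a no-op when .ssh already exists (the common case on May
    # First accounts), so no "File exists" error is printed.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    # sshd ignores authorized_keys if the file or .ssh is group/world-writable.
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Skip blank lines and comments.
        case "$line" in ''|'#'*) continue ;; esac
        # Refuse anything that is not "<type> <blob>..." so a PuTTY-format
        # file or a stray paste never ends up in authorized_keys.
        case "$line" in
            ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-nistp[0-9][0-9][0-9]\ *) ;;
            *) echo "skipping line that is not an OpenSSH public key: $line" >&2; continue ;;
        esac
        # -F -x: fixed-string, whole-line match, so a key is added only once.
        if ! grep -Fxq -- "$line" "$auth_file"; then
            printf '%s\n' "$line" >> "$auth_file"
            added=$((added + 1))
        fi
    done < "$pubkey_file"
    echo "$added"
}

# Stand-alone use: sh install_key.sh id_rsa.pub [HOME_DIR]
if [ $# -ge 1 ]; then
    install_pubkey "$1" "${2:-$HOME}" >/dev/null || exit 1
fi
```

After the scp step above has placed id_rsa.pub in your home directory on the server, the script can be run there without copying it first: ssh USER@SERVER 'sh -s id_rsa.pub' < install_key.sh, where install_key.sh is the script saved on your own computer; sh -s reads the script from standard input and hands id_rsa.pub to it as $1. OpenSSH also ships ssh-copy-id, which performs the same installation in one command (ssh-copy-id USER@SERVER).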

On Windows, Mac OS X or Linux (using a graphical program)

Using your favorite graphical Secure FTP program, log in to your account, create a directory called .ssh (if it doesn't already exist), and upload your id_rsa.pub file to that directory. Once it has been uploaded, rename it to authorized_keys.

Accessing a server using your key

Currently on May First, you must wait 24 hours before your SSH key is functional. See this ticket for details. If you continue to have problems connecting and you are using Linux, try passing the -v option to get verbose output, which might indicate the error (e.g. ssh -v user@host).

Congratulations! Now, whenever you want to secure shell or Secure FTP into your site, you will be prompted for your private key password rather than your server password. You can continue connecting as you always have, but you'll be prompted for the key password instead of the remote password.

Further reading