Notes on ssh key pairs

Generate key pair

As a general rule, you should have ONE personal cryptographic key pair that you use for all work-related purposes. It normally resides in the directory ~/.ssh under the names

~/.ssh/id_rsa     # private key
~/.ssh/id_rsa.pub # public key

If this is not the case, then do the following (using your own mail address as the key comment):

$ mkdir ~/.ssh
$ ssh-keygen -C "e.mustermann@fz-juelich.de"

When prompted for a passphrase, please choose a strong one.

On success, the directory .ssh will be populated with the two files named above.

Never give the private key to anybody else. You may, however, share it between different accounts that you own personally. In that case, keep the contents of the .ssh directories identical, and copy id_rsa.pub to a file named authorized_keys to allow mutual login.

Use ssh-add to authenticate once per session

Before using ssh, execute the command

$ ssh-add

It will prompt for the passphrase and keep you authenticated until you log out.

With the daemon ssh-agent, the authentication can be kept across sessions. On self-administered systems, install the package keychain. On CentOS-6, this is integrated into the window manager (pop-up window “Unlock private key”). On CentOS-5, you could install a script.

Password-free access to group accounts

Password-less login to a group account must be asymmetric: from your personal account you get simplified access to the group account, not the other way round.

Under the group account, create a directory .ssh. Do not generate a key pair. Remote-copy the file .ssh/id_rsa.pub from your private account to the file .ssh/authorized_keys on the group account.

If your colleagues were faster, that file already exists. In this case, you have to append your id_rsa.pub to it:

$ cd .ssh
$ scp your_account@your_computer:.ssh/id_rsa.pub .
$ mv authorized_keys tmp
$ cat tmp id_rsa.pub > authorized_keys
$ rm tmp id_rsa.pub

That's it. Now you can access the group account from your private account without entering a password for each login (ssh), remote command (ssh with a command argument), copy (scp), or synchronization (rsync, unison).
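The append step above, done in a way that refuses anything that is not a public key, does not add the same key twice, and leaves the permissions sshd insists on. This is an added example, not part of the original notes; the helper name is hypothetical and it assumes POSIX sh, with the .ssh directory and the public-key file passed as arguments.

```shell
#!/bin/sh
# Added example (not from the original notes): append one OpenSSH public key
# to authorized_keys in the given .ssh directory. Hypothetical helper; the
# directory and key file are arguments, so it can be tried on a scratch path.
#
# Usage: add_authorized_key SSH_DIR PUBKEY_FILE
# Returns 0 if appended, 2 if the key was already present, 1 on bad input.
add_authorized_key() {
    ssh_dir=$1
    pubkey_file=$2
    auth_file="$ssh_dir/authorized_keys"

    # Only the first line is used; it must look like "<type> <base64> [comment]".
    # This also rejects a private key pasted by mistake ("-----BEGIN ...").
    key_line=$(head -n 1 "$pubkey_file")
    if ! printf '%s\n' "$key_line" |
        grep -Eq '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/=]+'; then
        printf '%s\n' "$pubkey_file does not look like an OpenSSH public key" >&2
        return 1
    fi

    # sshd ignores authorized_keys when .ssh or the file is group/world writable.
    mkdir -p "$ssh_dir" || return 1
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Duplicate check on key type and key blob only: the trailing comment
    # (e.g. the mail address) may differ between copies of the same key.
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$auth_file" | grep -Fxq -- "$key_blob"; then
        return 2
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
}
```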