Operations on SSH Keys

This post is sort of an amalgamation of solutions I’ve found on several blogs, tutorials, and SO posts I’ve used regarding SSH keys. I cover key generation and authentication, removing passwords from keys, and identifying the key fingerprint.

Steps for Key Generation

From the Hortonworks SSH Key tutorial, you will create a private and public key pair on the host you will connect from,

ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa

Then you will copy the public key id_rsa.pub to every remote host you will connect to,

scp ~/.ssh/id_rsa.pub user@host:~/.ssh/id_rsa.pub

In the above line, host may be an IP address, or a host name. If you need to specify a port other than 22, remember that scp and ssh use different flags for the port; ssh uses a lowercase -p, while scp uses an uppercase -P. (Port 22 will be fine for most applications.)

Next, sign in to the remote host and use the cat utility there to append your public key to the list of authorized keys on the remote host,

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

Finally, sign out of the remote host using the exit command, and test what you did,

ssh -i ~/.ssh/id_rsa host

Again, host is either a hostname or an IP address. This should sign you into the remote host without you providing your password. If you are asked for your password, you may need to change the permissions on the local and remote ~/.ssh/ directories to 755, 700, 600, or 400 depending on your environment; most likely it will be 755 or 700. You can check the permissions of your ~/.ssh/ directories by calling,

ls -alh ~/.ssh/

And you can change permissions using the chmod utility,

chmod 755 ~/.ssh/

It’s a good practice to keep your keys in the ~/.ssh/ directory; if you put them somewhere creative you’ll probably lose them.
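
The permission check described above, as an added example that is not part of the original post: a POSIX shell function that reads the same mode strings ls -alh ~/.ssh/ shows and flags the cases OpenSSH rejects. The function names and the FAIL output format are assumptions made for this example, and it checks modes only, not file ownership.

```shell
#!/bin/sh
# Added example, not from the original post. OpenSSH rules checked: sshd
# (StrictModes) rejects authorized_keys when the file or its directory is group-
# or world-writable; ssh refuses a private key readable by group or other.

# mode_of PATH: the 10-character mode string ls -l prints, e.g. drwx------
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# writable_by_others MODE: succeeds if the group- or other-write bit is set
writable_by_others() {
    case $1 in ?????w????|????????w?) return 0 ;; esac
    return 1
}

# audit_ssh_dir [DIR]: print one FAIL line per finding; return 1 if any
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}
    bad=0
    m=$(mode_of "$dir")
    case $m in
        d*) ;;
        *) echo "FAIL $dir: not a directory"; return 1 ;;
    esac
    case $m in
        ?r?[xs]??????) ;;
        *) echo "FAIL $dir ($m): owner cannot list or enter it"; bad=1 ;;
    esac
    if writable_by_others "$m"; then
        echo "FAIL $dir ($m): group/world-writable"; bad=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        if [ "${f##*/}" = authorized_keys ] && writable_by_others "$m"; then
            echo "FAIL $f ($m): group/world-writable"; bad=1
        fi
        # Private keys are recognised by their "BEGIN ... PRIVATE KEY" header.
        if head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY'; then
            case $m in
                ????------) ;;
                *) echo "FAIL $f ($m): private key open to group/other"; bad=1 ;;
            esac
        fi
    done
    return $bad
}

if [ $# -gt 0 ]; then audit_ssh_dir "$1"; fi  # stand-alone: sh audit.sh ~/.ssh
```

Run it on both the local and the remote host; a directory at 755 or 700 passes, while a directory at 600 or 400 is reported because its owner cannot enter it.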

Removing Passwords from Keys

You may find yourself in the situation where some SSH keys are locked with a password, so writing

ssh -i ~/.ssh/id_rsa

in a script now prompts you for the key password instead of the remote host password, which doesn’t save you any time at all. According to the discussion on this SO post, you can remove the password as follows,

  1. Call ssh-keygen -p from the terminal
  2. This will prompt you for the old password; provide it
  3. Next, instead of entering a new password, just hit enter

This will remove the password protecting your key file.

Inspect Key Fingerprint

So, a sort of new feature is the possibility of looking at a visual randomart representation of the fingerprint/thumbprint of your keys. This allows you to do a quick check to see if the id_rsa.pub key on a particular server is your public key.

ssh-keygen -vlf ~/.ssh/id_rsa.pub
The key fingerprint is:
4a:dd:0a:c6:35:4e:3f:ed:27:38:8c:74:44:4d:93:67 demo@a
The key's randomart image is:
+--[ RSA 2048]----+
|       o=.       |
|    o  o++E      |
|   + . Ooo.      |
|    + O B..      |
|     = *S.       |
|      o          |
|                 |
|                 |
|                 |