====== ssh authentication ======

Generate ssh keys to access remote hosts via ssh. Use //one// key pair //for each// host/remote host pair (and user) **or** one key pair for each host.

===== ssh-keygen =====

Generate a key pair (public and private key), using ''ssh-keygen(1)''. To identify each (public) key (e.g. to revoke access), the (public) key must contain the following information:

  * The algorithm used to generate the key
  * The host the key is used for (your workstation, must be the fqdn!)
  * The remote host the key is used for connecting to (must be the fqdn!)
  * The user of the key (full name and email address)

The following command generates such a key, using a secure algorithm:

<code bash>
ssh-keygen -t ed25519 -o -a 100 \
    -f "$HOME/.ssh/id_ed25519_$(hostname --fqdn)_{remote-fqdn}" \
    -C "Max Maintainer $USER@$(hostname --fqdn)"
</code>

Alternatively, if preferred, you may use one key for each host. For such keys include your email address instead of the local host fqdn in the key's file name.

<code bash>
ssh-keygen -t ed25519 -o -a 100 \
    -f "$HOME/.ssh/id_ed25519_maintainer@rkcsd.com_{remote-fqdn}" \
    -C "Max Maintainer <maintainer@rkcsd.com>"
</code>

Don't forget to provide a strong passphrase! Do //NOT// use a blank passphrase!

===== ssh-copy-id =====

If you temporarily have another way to access the remote host, you can upload your id safely, using ''ssh-copy-id(1)''. If you do not have access, give the //public// key to an admin of the remote host.

Authenticate with a passphrase:

<code bash>
ssh-copy-id -f -i {id-file.pub} {destination}
</code>

Authenticate with another identity file:

<code bash>
ssh-copy-id -f -i {id-file.pub} -o "IdentityFile {id-already-authorized}" {destination}
</code>

===== ssh_config =====

It is recommended to create an entry per remote host in your ''ssh_config(5)''.
Open ''~/.ssh/config'' in your favorite editor and create the following block:

<code>
Host {remote-alias}
    Hostname {remote-host}
    User {remote-ssh-user}
    Port {remote-ssh-port}
    PreferredAuthentications publickey
    #IdentityFile ~/.ssh/id_ed25519_maintainer@rkcsd.com_{remote-fqdn}.pub
    IdentityFile ~/.ssh/id_ed25519_%l_{remote-fqdn}.pub
</code>

The ''%l'' is substituted with your host's fqdn. This enables you to use this configuration on multiple hosts, when using a separate key on each. You can then connect with the alias (and let ''ssh-agent(1)'' and your desktop environment's keyring helpers manage unlocking the keys; to unlock a key manually use ''ssh-add(1)'').

<code bash>
ssh {remote-alias}
</code>

The defined host alias works for any ssh command (e.g. ''scp(1)'')!

To still be able to log in to other hosts with a password, add this rule **after** all other rules in your ''ssh_config''.

<code>
Host *
    IdentitiesOnly yes
    PreferredAuthentications password
</code>

===== Good stuff =====

  * [[https://stribika.github.io/2015/01/04/secure-secure-shell.html]]
  * [[https://www.youtube.com/watch?v=qvdlLTyUJ5I]]
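The following script is an added example and is not part of the original wiki page. It ties together the two conventions above: the per-host key file name and comment from the ssh-keygen section, and the ''%l''-based ''IdentityFile'' entry from the ssh_config section. It also shows what the naming scheme is for: when a workstation is retired or compromised, every key issued from it can be found in ''authorized_keys'' by the ''user@fqdn'' comment and removed in one pass. The ''authorized_keys'' sample is constructed data (the base64 strings are not real keys), ''gen_key'' assumes OpenSSH's ''ssh-keygen(1)'' is installed, ''effective_identity'' assumes an OpenSSH client that supports ''ssh -G'' (6.8 and later), and the filter assumes ''authorized_keys'' lines carry no leading option fields (the comment is everything after the key material).

```shell
#!/bin/sh
# Added example, not from the original page. Key naming, revocation lookup and an
# ssh_config check for the per-host key scheme described on the page.

# key_path LOCAL_ID REMOTE_FQDN: private key file name following the page's scheme
key_path() {
    printf '%s/.ssh/id_ed25519_%s_%s\n' "${HOME:-/tmp}" "$1" "$2"
}

# key_comment "Full Name" CONTACT: the comment stored in the public key
# (CONTACT is user@workstation-fqdn for per-host-pair keys, or an email address)
key_comment() {
    printf '%s %s\n' "$1" "$2"
}

# gen_key LOCAL_ID REMOTE_FQDN "Full Name" CONTACT: generate the pair with the
# identifying comment. The passphrase is prompted for interactively; never pass -N "".
gen_key() {
    ssh-keygen -t ed25519 -o -a 100 \
        -f "$(key_path "$1" "$2")" \
        -C "$(key_comment "$3" "$4")"
}

# Constructed authorized_keys content for the demonstration (not real key material).
sample_authorized_keys() {
    cat <<'EOF'
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE0000000000000000000000000000001 Max Maintainer max@ws1.example.org
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE0000000000000000000000000000002 Max Maintainer max@ws2.example.org
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEXAMPLE0000000000000000000000000000003 Jane Admin jane@ws1.example.org
EOF
}

# _filter_by_host FILE(or - for stdin) FQDN KEEP: KEEP=1 prints entries whose
# comment ends in @FQDN, KEEP=0 prints all other entries. Matching is done on the
# last whitespace-separated field, so it does not depend on regex metacharacters
# in the fqdn. Assumes no leading option fields on the lines.
_filter_by_host() {
    awk -v suffix="@$2" -v keep="$3" '
        NF >= 3 {
            n = length(suffix)
            hit = (length($NF) >= n && substr($NF, length($NF) - n + 1) == suffix)
            if (hit == keep) print
        }' "$1"
}

# keys_for_host FILE FQDN: the entries to revoke when workstation FQDN is retired
keys_for_host() { _filter_by_host "$1" "$2" 1; }

# keys_except_host FILE FQDN: the content of the new authorized_keys after revocation
keys_except_host() { _filter_by_host "$1" "$2" 0; }

# host_block ALIAS HOST USER PORT REMOTE_FQDN: render the ssh_config entry from the page
host_block() {
    printf 'Host %s\n    Hostname %s\n    User %s\n    Port %s\n' "$1" "$2" "$3" "$4"
    printf '    PreferredAuthentications publickey\n'
    printf '    IdentityFile ~/.ssh/id_ed25519_%%l_%s.pub\n' "$5"
}

# effective_identity CONFIG_FILE ALIAS: the IdentityFile values ssh resolves for the
# alias after %l expansion, which is how to verify the per-host entry on each workstation
effective_identity() {
    ssh -G -F "$1" "$2" | awk '$1 == "identityfile" { print $2 }'
}
```

Typical use: ''gen_key "$(hostname --fqdn)" srv.example.org "Max Maintainer" "$USER@$(hostname --fqdn)"'' creates the pair; ''host_block srv srv.example.org deploy 22 srv.example.org >> ~/.ssh/config'' adds the entry and ''effective_identity ~/.ssh/config srv'' prints the expanded path so you can confirm it matches the file ''gen_key'' wrote. On the server side, ''keys_except_host ~/.ssh/authorized_keys ws1.example.org > authorized_keys.new'' produces the revoked file; note that with the sample data this removes Jane's key from ''ws1'' as well as Max's, which is exactly the property the per-host naming scheme is meant to provide.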