Inhaltsverzeichnis

ssh authentification

Generate ssh keys to access remote hosts via ssh. Use one key pair for each host/remote host pair (and user) or one key pair for each host.

ssh-keygen

Generate a key pair (public and private key), using ssh-keygen(1).

To identify each (public) key (e.g. to revoke access), the (public) key must contain the following information:

The following command generates such a key, using a secure algorithm:

ssh-keygen -t ed25519 -o -a 100 \
    -f "$HOME/.ssh/id_ed25519_$(hostname --fqdn)_{remote-fqdn}" \
    -C "Max Maintainer <maintainer@rkcsd.com> $USER@$(hostname --fqdn)"

Alternativly, if preferred, you may use one key for each host. For such keys include your email address instead of the local host fqdn in the keys' file name.

ssh-keygen -t ed25519 -o -a 100 \
    -f "$HOME/.ssh/id_ed25519_maintainer@rkcsd.com_{remote-fqdn}" \
    -C "Max Maintainer <maintainer@rkcsd.com>"

Don't forget to provide a strong passphrase! Do NOT use a blank passphrase!

ssh-copy-id

If you have intermediate access to the remote host, you can upload your id safely, using ssh-copy-id(1).

If you do not have access give the public key to a admin of the remote host.

Authenticate with a passphrase:

ssh-copy-id -f -i {id-file.pub} {destination}

Authenticate with another identify file:

ssh-copy-id -f -i {id-file.pub} -o "IdentityFile {id-already-authorized}" {destination}

ssh_config

It is recommended to create an entry per remote host in your ssh_config(5). Open ~/.ssh/config in your favorite editor and create the following block:

Host {remote-alias}
    Hostname {remote-host}
    User {remote-ssh-user}
    Port {remote-ssh-port}
    PreferredAuthentications publickey
    #IdentityFile ~/.ssh/id_ed25519_maintainer@rkcsd.com_{remote-fqdn}.pub
    IdentityFile ~/.ssh/id_ed25519_%l_{remote-fqdn}.pub

The %l is substituted with your host's fqdn. This enables you to use this configuration at multiple hosts, when using a seperate key on each.

You then can connect with the alias (and let ssh-agent(1) and DE friends manage unlocking the keys; to unlock a key manually use ssh-add(1)).

ssh {remote-alias}

The defined host alias works for any ssh command (e.g. scp(1))!

To still be able to login to other hosts with a password, add this rule after all other rules in your ssh_config.

Host *
    IdentitiesOnly yes
    PreferredAuthentications password

Good stuff