In Linux and most other Linux distributions you can use ssh key pairs to easily remote into other systems and run scripts remotely. This is extremely useful when managing multiple Linux hosts and if you wish to gather reports from one central source.
What are SSH Key Pairs?
SSH key pairs are two cryptographically secure keys that can be used to authenticate a client to an SSH server. Each key pair consists of a public key and a private key.
The private key is retained by the client and should be kept absolutely secret. Any compromise of the private key will allow the attacker to log into servers that are configured with the associated public key without additional authentication. As an additional precaution, the key can be encrypted on disk with a passphrase.
The associated public key can be shared freely without any negative consequences. The public key can be used to encrypt messages that only the private key can decrypt. This property is employed as a way of authenticating using the key pair.
The public key is uploaded to a remote server that you want to be able to log into with SSH. The key is added to a special file within the user account you will be logging into called ~/.ssh/authorized_keys.
When a client attempts to authenticate using SSH keys, the server can test the client on whether they are in possession of the private key. If the client can prove that it owns the private key, a shell session is spawned or the requested command is executed.
These 3-steps are how to create ssh key pairs in Linux:
- Create your ssh key pairs on the client server you wish to connect from.
- Copy your public key onto the host you wish to connect to.
- Load your ssh key on the client server your connecting from.
An overview of the flow is shown in this diagram:
The diagram shows a laptop connecting to a server, but it could just as easily be one server connecting to another server.
- private key (id_rsa) – this is the master key that sits on your client your connecting from.
- public key (id_rsa.pub) – like a door lock sits on the servers you want to connect to
Detailed Steps on how to create ssh keys in Lunix
This contains details steps on how to create your ssh key pairs and load them onto your servers.
Setting up SSH Keys (public and private key)
Just a quick summary on how to use the ssh-agent so we can use ssh keys which are password protected.
[CLIENT “Main client your connecting from, holds the private key (id_rsa)”]
Under your local account, create your SSH key pair , by default it will create under your home directory a .ssh directory (hidden folder)
First run ssh-keygen
Within this directory after running the command ssh-keygen , you will find your SSH key pair
[SERVER “Server you want to connect to, holds the public key (id_rsa.pub)”]
We use a useful copy feature to push the keys onto the server we want to connect to, but we need to create the hidden .ssh folder in our home directory.
Create a .ssh directory under your home directory , make sure the permission are set to 700:
Repeat for each server you want to connect to.
[CLIENT “Main client your connecting from”]
Logon as yourself.
Copy the id_rsa.pub (the public key to the host you want to connect to)
You will be prompted for your password on the remote host, and then it will push the key to your ~/.ssh directory and set up everything – saves a LOT of hassles instead of manually copying the file to the client!
Making it all work
[CLIENT “Main client your connecting from”]
Passphrase Log onto server
So now it is all configured and pushed onto each client you wish to connect to, you logon as yourself on the client.
ssh to the server you want to connect to:
Passphrase auto Log onto server
Now we have this key loaded on many hosts and we don’t want to put in the password all the time.
To get around this , preload the the ssh-agent on the primary host and load the private key.
It will ask for the key password but as long as you run commands from this ssh session it will automatically provide the passwords to the remote hosts.
Let me show you
Load ssh-agent shell
Now you should not need the password again when connecting to the remote host:
You see it used the password kept by the ssh-agent.
Running remote commands
Now you can use key pair to run commands on the other side.
I have written a script that loops a bunch of servers IPs defined in hostlist.txt to run a simple hostname command in this script:
Script to gather hostname list and ensure that all the remote systems are connecting from the defined list:
Run the script and you should see all 5 servers defined in hostlist.txt match the connect output in ssh-testrun:
You can see that creating ssh keys can be a powerful tool to easily connect to remote systems and also run remote health checks and gather data.