SSH tunnels with keys

SSH (Secure Shell) makes it simple to establish an encrypted and authenticated connection between computers. In this article I focus on establishing SSH connections and tunnels without typing a password, by authenticating with an asymmetric key pair. This approach is especially useful for machine-to-machine communication.

The idea is very simple: asymmetric cryptography gives you a private key and a public key. You keep the private key to yourself and share[1] the public key with the hosts that should be able to identify you.
So let's start by generating the needed key pair.

Generating Keys

Key authentication has many advantages over password authentication, but it has one drawback: if the private key is protected by a passphrase, we have to type that passphrase every time the key is used.

There are several approaches to dealing with that, and this problem is a typical example of the trade-off between security and convenience.

I will not preach security dogmas here, because I trust you as an engineer: you are better placed to judge your use case and to weigh risk against effort yourself. So I am not going to insist on passphrase-protected keys plus ssh-agent when all you need is a test environment in a trusted domain, where everyone has access to the machines and works as root anyway and many other security rules are relaxed, as long as you are aware of that and of the risk it carries.

Empty passphrase (convenient)

This method is very convenient because it allows the key to be used "as is" in headless scenarios. The flip side is that whoever can read the file id_rsa owns the identity: protect it with file permissions (ssh-keygen creates it with mode 0600) and with the same care you would give a password.

Just execute the following and do not enter any passphrase (simply hit Enter at the prompt):

$ ssh-keygen -t rsa

This creates an RSA[2] key pair as the following files in the ~/.ssh directory (on current OpenSSH you can also use ssh-keygen -t ed25519, which yields id_ed25519 and id_ed25519.pub; the remaining steps are the same):

  • id_rsa
  • id_rsa.pub

Now the public key needs to be copied to the remote host and appended to its ~/.ssh/authorized_keys file (see "Transfer Public keys" below). The private key stays where it was generated and is never copied. Note that sshd ignores an authorized_keys file that is writable by anyone but the owner, or that lives in a ~/.ssh or home directory writable by others (this is the StrictModes option, on by default), so keep ~/.ssh at mode 0700 and authorized_keys at 0600.

Passphrase used + ssh-agent

Providing a passphrase increases security, but you will be prompted for the passphrase every time.
This is where ssh-agent comes into play: it is a small daemon running in the background that holds the decrypted private keys in memory after you have entered the passphrase once, and then uses them automatically whenever you connect to an SSH server. (It caches the unlocked keys, not the passphrases.)

There are many ways to start the agent. For example,

eval `ssh-agent`  

in ~/.bash_profile starts an agent on every login of that user; the eval is needed because ssh-agent prints the shell commands that export SSH_AUTH_SOCK and SSH_AGENT_PID. Then run ssh-add once to unlock the key (this is when you type the passphrase) and it stays available until the agent exits. This is still not usable for headless scenarios, because somebody has to type the passphrase at least once after each start of the agent.

It might seem straightforward to pass the passphrase to ssh-add from a script, e.g.

echo "passphrase\n" | ssh-add  

but it is not, because ssh-add does not read the passphrase from stdin: it opens the controlling terminal (/dev/tty) directly.
This can be worked around with expect, a tool for automating interactive applications, or with OpenSSH's own hook for this situation, the SSH_ASKPASS environment variable, which names a program that ssh-add runs to obtain the passphrase when it has no terminal to prompt on. Either way the passphrase then sits in a script or file on the same machine as the key, which buys you little over an empty passphrase; the benefit of the agent in a headless setup is that a human can unlock the key once, not that the passphrase itself is automated.
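Here is the ssh-add step done without expect, via the SSH_ASKPASS mechanism, as an added example that is not code from the original article. The helper path, the passphrase file and the key file name are assumptions; the two functions are plain POSIX sh.

```shell
#!/bin/sh
# Added example, not from the original article. It loads a passphrase-protected
# key into ssh-agent without a terminal, using OpenSSH's own hook instead of
# expect: when ssh-add cannot prompt on a tty it runs the program named by
# SSH_ASKPASS and reads the passphrase from that program's stdout. DISPLAY has
# to be non-empty for the hook to be considered on older releases;
# SSH_ASKPASS_REQUIRE=force (OpenSSH 8.4 and later) makes it unconditional.
# Caveat: the passphrase lives in a 0600 file next to the key, so this protects
# the key exactly as much as file permissions protect that file, i.e. no more
# than an empty passphrase would. All paths and file names are assumptions.

# write_askpass_helper HELPER_PATH PASSFILE
#   Creates the executable ssh-add will call. ssh-add passes the prompt text as
#   the first argument; the helper ignores it and prints the passphrase.
write_askpass_helper() {
    umask 077                     # helper is readable/executable by owner only
    printf '#!/bin/sh\ncat "%s"\n' "$2" > "$1"
    chmod 700 "$1"
}

# add_key_headless KEYFILE PASSFILE
#   Makes sure an agent is reachable, then adds KEYFILE using the helper.
#   Not exercised by the test: it needs ssh-agent, ssh-add and a real key.
add_key_headless() {
    keyfile=$1
    passfile=$2
    helper=$(mktemp)
    write_askpass_helper "$helper" "$passfile"

    ssh-add -l >/dev/null 2>&1
    if [ $? -eq 2 ]; then         # 2 = could not connect to an agent
        eval "$(ssh-agent -s)" >/dev/null
    fi

    # </dev/null guarantees stdin is not a tty, which is what makes ssh-add
    # consult SSH_ASKPASS on releases before 8.4; DISPLAY merely has to be set.
    DISPLAY="${DISPLAY:-:0}" SSH_ASKPASS="$helper" SSH_ASKPASS_REQUIRE=force \
        ssh-add "$keyfile" </dev/null
    status=$?
    rm -f "$helper"               # the helper is only needed while adding
    return "$status"
}
```

Calling add_key_headless ~/.ssh/id_rsa /etc/keys/id_rsa.pass (hypothetical paths) from a boot script leaves the key in the agent for every process that inherits SSH_AUTH_SOCK from that shell. Whether that is acceptable is exactly the trade-off discussed above: the passphrase file has to be guarded as carefully as an unencrypted private key.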

Transfer Public keys

The best way to do this is the ssh-copy-id program, which ships with many Linux distributions.

ssh-copy-id -i ~/.ssh/id_rsa.pub remote-user@remote-server.org  

In that case everything is done automatically and you are ready afterwards. If ssh-copy-id is not available, you can copy the key manually, e.g. like this (the umask keeps a newly created file owner-readable only, and mkdir -p creates ~/.ssh on the remote side if it does not exist yet; note that *.pub sends all your public keys, so name a single file if that is not what you want):

cat ~/.ssh/*.pub | ssh remote-user@remote-server.org 'umask 077; mkdir -p .ssh; cat >> .ssh/authorized_keys'  
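The same manual copy as a script, as an added example that is not part of the original article (remote-user@remote-server.org is the article's placeholder; every other name is an assumption). install_key_local performs the steps against a local home directory so you can see exactly what ends up on disk and with which permissions; install_remote_key runs the same commands on the remote side for hosts without ssh-copy-id. It also refuses input that is not a single public-key line and does not add a key that is already present.

```shell
#!/bin/sh
# Added example, not code from the original article. It does what the one-liner
# above does, plus the details ssh-copy-id takes care of for you: it creates
# ~/.ssh if it is missing, sets the permissions sshd's StrictModes requires
# (directory 0700, authorized_keys 0600), and does not install a key twice.

# install_key_local HOME_DIR PUBKEY_FILE
#   Appends the single public-key line in PUBKEY_FILE to
#   HOME_DIR/.ssh/authorized_keys. Prints "added" or "present".
#   The body runs in a subshell so the umask change does not leak to the caller.
install_key_local() (
    home_dir=$1
    pubkey_file=$2
    ssh_dir="$home_dir/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Accept only one line that looks like an OpenSSH public key
    # ("<type> <base64> [comment]"); this catches a private key or a whole
    # bundle of keys pasted by mistake. The type list covers the common types.
    lines=$(wc -l < "$pubkey_file" | tr -d ' ')
    if [ "$lines" -gt 1 ] || ! grep -Eq \
        '^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-nistp(256|384|521)|sk-[a-z0-9-]+@openssh\.com) [A-Za-z0-9+/]+=*( |$)' \
        "$pubkey_file"; then
        echo "not a single OpenSSH public key line: $pubkey_file" >&2
        exit 1
    fi

    umask 077                     # anything created below is owner-only
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"          # also repairs a pre-existing, too-open dir
    touch "$auth_file"
    chmod 600 "$auth_file"

    key=$(cat "$pubkey_file")     # $(...) strips the trailing newline
    if grep -qxF -- "$key" "$auth_file"; then
        echo present
        exit 0
    fi
    # If the existing file lacks a final newline, appending would glue the
    # new key onto the last line and sshd would accept neither of them.
    if [ -s "$auth_file" ] && [ -n "$(tail -c 1 "$auth_file")" ]; then
        printf '\n' >> "$auth_file"
    fi
    printf '%s\n' "$key" >> "$auth_file"
    echo added
)

# install_remote_key USER@HOST PUBKEY_FILE
#   Same steps on the remote side, for hosts without ssh-copy-id. The key is
#   passed on stdin, so it never appears on the remote command line.
#   Not run by the test below: it needs a reachable host and a way to log in.
install_remote_key() {
    ssh "$1" 'umask 077; mkdir -p ~/.ssh; chmod 700 ~/.ssh;
        touch ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys;
        key=$(cat);
        grep -qxF -- "$key" ~/.ssh/authorized_keys ||
            printf "%s\n" "$key" >> ~/.ssh/authorized_keys' < "$2"
}
```

Typical use: install_remote_key remote-user@remote-server.org ~/.ssh/id_rsa.pub, which prompts for the remote password once and leaves the key installed; running it a second time is harmless because the grep check skips a key that is already there.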

Test

Now remote login, scp and sftp work without a password.
Test it:

# establish a connection
$ ssh remote-user@remote-server.org
# or copy files securely and without a password
$ scp /home/user/some-file remote-user@remote-server.org:/some-path/dir/

To be sure that it is really the key that authenticates you, and not a silent fallback to password authentication, disable the fallback for the test: ssh -o BatchMode=yes -o PasswordAuthentication=no remote-user@remote-server.org true must succeed without any prompt. If it fails, ssh -v shows which key was offered and why the server rejected it (wrong permissions on the remote side are the usual cause).

Have fun. Ask questions.
P.S. On some Linux distributions sshd also looks for keys in ~/.ssh/authorized_keys2. This is not the case on current Debian (Lenny), but it seems to be so on SuSE Linux; the AuthorizedKeysFile directive in /etc/ssh/sshd_config tells you which files are consulted on a given host.

  1. Key distribution is a different topic.

  2. RSA is one of the first practical public-key cryptosystems and is widely used for secure data transmission.