howto:sshkey
howto:sshkey [2025/05/12 21:51] – [Ubuntu] justip6howto:sshkey [2025/07/22 17:42] (current) – [Ask for help from SSCS] jnilsson
Line 1: Line 1:
-===== Setting up Passwordless SSH-key===== +====== Setting up Passwordless SSH-key====== 
-==== Ubuntu ====+===== Generating keys =====
 === ssh-keygen === === ssh-keygen ===
-You use the tool "ssh-keygen" to create your public-private key pair.  Depending on what you need to do, there are many options available.  +You use the tool "**ssh-keygen**" to create your public-private key pair. Here is an example session showing how you can run ssh-keygen:
 <code bash> <code bash>
 [user@host ~]$ ssh-keygen -t ed25519 -C "Add a Description to easily tell which machine this belongs to" [user@host ~]$ ssh-keygen -t ed25519 -C "Add a Description to easily tell which machine this belongs to"
Line 10: Line 10:
 Enter same passphrase: [Enter to leave empty] Enter same passphrase: [Enter to leave empty]
 </code> </code>
-You should leave the default values above by simply hitting Enter three times.  The private key is created in id_ed25519 and the matching public key is id_ed25519.pub. The id_ed25519 file name is what ssh will look for when attempting public-key authentication (unless specified differently in the /etc/ssh/ssh_config in the IdentityFile variable.+You should leave the default values above by simply hitting **Enter** three times.  The private key is created in id_ed25519 and the matching public key is id_ed25519.pub. The id_ed25519 file name is what ssh will look for when attempting public-key authentication (unless specified differently using the IdentityFile variable in the global config file /etc/ssh/ssh_config or your local config file ~/.ssh/config).
  
-=== Distributing your public key === +===== Distributing your public key ===== 
-The *.pub file needs to be appended to the ~/.ssh/authorized_keys file to be recognized by ssh.  This should be done on any remote hosts you wish to connect to using public-key authorization.  Be sure each key starts on its own new line, since many users may need to connect to the machine and all be able to add their public keys to the authorized_keys file. The code below should do it+The *.pub file needs to be appended to the ~/.ssh/authorized_keys file to be recognized by ssh.  This should be done on any remote hosts you wish to connect to using public-key authorization. Each key in this file needs to be added on its own line and the file needs to have specific permissions and ownership in order to be recognized: 
-<code bash>+  * owner: the user whose home directory it resides in 
 +  * permissions: 0600, writable by the owner and no one else 
 + 
 +There are different ways to distribute and set up the authorized_keys file depending on your situation: 
 + 
 +==== Ask for help from SSCS ==== 
 + 
 +You can always ask for help from [[socit@uci.edu]] and we'll work with you to get your public key set up. 
 + 
 +If you want to DIY, you can try one of the methods below: 
 + 
 +==== Local Console Access ==== 
 +If you have access to the console of the remote host (i.e. you can physically access the console in-person), then you can set up the authorized_keys file like this (note that this does not require admin/sudo privileges): 
 +  - Generate your SSH key on your computer that you will use to access the remote host using ssh-keygen as described above 
 +  - Save the .pub key file either in email to yourself or on a USB drive 
 +  - On the local console of the remote host, login as your user account: 
 +    - Copy the contents of the new public key (either from email or a USB drive) to a temp file:<code bash> 
 +TMP_NEWKEY_FILE=/tmp/newkey.pub 
 +echo "ssh-ed25519 AAAAasdfghjklQWERTYPOIUzxcvbnm/00/PLokIJuhYG12345 this is a comment" > $TMP_NEWKEY_FILE 
 +</code> 
 +    - Set up your ~/.ssh directory and authorized_keys file with correct permissions. This is safe to do even if they already exist and will not erase or overwrite existing keys:<code bash> 
 +mkdir -p ~/.ssh 
 +touch ~/.ssh/authorized_keys 
 +chmod 700 ~/.ssh 
 +chmod 600 ~/.ssh/authorized_keys 
 +</code> 
 +    - Append your new public key:<code bash
 +cat $TMP_NEWKEY_FILE >> ~/.ssh/authorized)_keys 
 +</code> 
 +    - Delete the temp file:<code bash> 
 +rm $TMP_NEWKEY_FILE 
 +</code> 
 + 
 +==== Password authentication is enabled on the remote host ==== 
 +If you can log in to the remote host using a password, then you can use the command **ssh-copy-id** to set up your public key. Here is an example session showing how ssh-copy-id works: 
 +<file> 
 +[user@localhost ~]$ ssh-copy-id user@remotehost 
 +/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/username/.ssh/id_ed25519.pub" 
 +/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed 
 +/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys 
 +user@remotehosts's password:  
 + 
 +Number of key(s) added:        1 
 + 
 +Now try logging into the machine, with: "ssh 'user@remotehost'" 
 +and check to make sure that only the key(s) you wanted were added. 
 + 
 +</file> 
 + 
 +If ssh-copy-id does not work or is not available, then you can manually accomplish the same steps like this: 
 +<file>
 # Your pub key's filename may differ depending on whether it was ed25519 (id_ed25519.pub), rsa (id_rsa.pub) or dsa (id_dsa.pub) # Your pub key's filename may differ depending on whether it was ed25519 (id_ed25519.pub), rsa (id_rsa.pub) or dsa (id_dsa.pub)
 [user@localhost ~]$ scp ~/.ssh/id_ed25519.pub user@remotehost:/home/user/.ssh/my_id.pub [user@localhost ~]$ scp ~/.ssh/id_ed25519.pub user@remotehost:/home/user/.ssh/my_id.pub
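Review bot: the "Append your new public key" step in this hunk writes to `~/.ssh/authorized)_keys` (stray `)`), so the key lands in a file sshd never reads and the login still fails; the opening tag on that same step is `<code bash` with no closing `>`, which breaks rendering of the remaining steps. Suggest `<code bash>` and `cat $TMP_NEWKEY_FILE >> ~/.ssh/authorized_keys`. The manual scp fallback at the end of the hunk copies straight into `/home/user/.ssh/my_id.pub`, which fails when `~/.ssh` does not yet exist on the remote host; copying into the home directory instead, or creating the directory first (`mkdir -p ~/.ssh && chmod 700 ~/.ssh`), avoids that. Since the ssh-keygen session says "[Enter to leave empty]" and the text tells the reader to hit Enter three times, it is worth one sentence saying that this leaves the private key unencrypted on disk, and that a passphrase plus ssh-agent gives the same passwordless logins without that trade-off.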
Line 20: Line 70:
 [user@localhost ~]$ ssh user@remotehost [user@localhost ~]$ ssh user@remotehost
 Enter Password Enter Password
-# That's the last time you'll be entering your password! 
 [user@remotehost ~]$ cd .ssh [user@remotehost ~]$ cd .ssh
 [user@remotehost .ssh]$ cat my_id.pub >> authorized_keys [user@remotehost .ssh]$ cat my_id.pub >> authorized_keys
 +[user@remotehost .ssh]$ chmod 600 authorized_keys
 [user@remotehost .ssh]$ rm my_id.pub [user@remotehost .ssh]$ rm my_id.pub
 +</file>
 +==== Password authentication is disabled on the remote host ====
 +
 +If password authentication is already disabled, then you will have to give your public key file to someone with admin access who already has public key authentication set up, or follow the above instructions for local console access to set it up yourself.
 +
 +If you have admin access and have been asked to add someone else's public key to their user account, the following example code should guide you on the steps to take. This assumes that they have somehow given you their public key and it is stored in a file called /tmp/newkey.pub and their username is "example". Modify these variables appropriately to meet your needs:
 +<code bash>
 +USERNAME=example
 +TMP_PUBKEY_FILE="/tmp/newkey.pub"
 +USER_HOME=$(eval echo "~$USERNAME")
 +AUTHKEY_FILE="$USER_HOME/.ssh/authorized_keys"
 +
 +# Ensure .ssh exists
 +sudo mkdir -p "$USER_HOME/.ssh"
 +sudo touch "$AUTHKEY_FILE"
 +
 +# Append key if not already present
 +if ! sudo grep -Fxq -f "$TMP_PUBKEY_FILE" "$AUTHKEY_FILE"; then
 +  cat "$TMP_PUBKEY_FILE" | sudo tee -a "$AUTHKEY_FILE" > /dev/null
 +fi
 +
 +# Set permissions
 +sudo chmod 700 "$USER_HOME/.ssh"
 +sudo chmod 600 "$AUTHKEY_FILE"
 +sudo chown -R "$USERNAME" "$USER_HOME/.ssh"
 +
 +# Clean up temp file
 +rm -f "$TMP_PUBKEY_FILE"
 </code> </code>
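Review bot: `USER_HOME=$(eval echo "~$USERNAME")` evaluates whatever is in `USERNAME` as shell code, and an unset or mistyped value expands `~` to the admin's own home directory, so the key would be appended to the wrong account; `USER_HOME=$(getent passwd "$USERNAME" | cut -d: -f6)` followed by a check that the result is non-empty is safer. `sudo chown -R "$USERNAME" "$USER_HOME/.ssh"` sets the owner but not the group, so the directory created by `sudo mkdir` stays group-owned by root; `chown -R "$USERNAME:" ...` (trailing colon selects the user's login group) fixes both. The `grep -Fxq -f` duplicate check compares whole lines, so a trailing space or a different comment in the submitted file still appends a second copy; harmless, but worth a sentence. The script also never checks that `$TMP_PUBKEY_FILE` actually holds a key line; `ssh-keygen -l -f "$TMP_PUBKEY_FILE"` fails on an empty or wrong file and would stop it from being appended.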
howto/sshkey.1747086677.txt.gz · Last modified: 2025/05/12 21:51 by justip6