SSH Keys

1.  Key pairs

What this page calls certificates are SSH public/private key pairs (OpenSSH also has real certificates, CA-signed keys, but that is a different mechanism and not what is described here). Public-key authentication lets you log in from one machine to another without having to type a password.

If you would like to connect from machine A (local) to machine B (remote) you must:

1.1  Generate a public/private key pair on machine A - on Linux or OS X:

[user@machine_A ~] ssh-keygen -t ed25519
  • This page originally said -t dsa. Do not use DSA: its keys are limited to 1024 bits, OpenSSH has refused them by default since 7.0 and has since dropped DSA support entirely, so a fresh DSA key will not log you in anywhere current. Use ed25519, or rsa -b 4096 for an old server that lacks it.
  • Accept the default location and name (/home/dalton/.ssh/id_ed25519).
  • Give it a passphrase. Without one, anyone who obtains the file (a backup, a stolen laptop, a compromise of your account on machine A) can log in as you on every server you have distributed the key to, with nothing left to guess.
    • You still won't have to type the passphrase on every login: see the item below about ssh-agent, which asks for it once per session.
  • There will be 2 files, id_ed25519 (keep contents secret; ssh-keygen creates it with mode 600, leave it so) and id_ed25519.pub (this is the part you hand out).

1.2  On Windows, for PuTTY

1.3  Add the public key to the authorized_keys file on machine B (and/or C).

[user@machine_A ~] scp .ssh/id_ed25519.pub machine_B:~/.ssh/new_key.pub
[user@machine_B ~] cat .ssh/new_key.pub >> .ssh/authorized_keys

(The original read cat new_key.pub >> authorized_keys, which, run from the home directory, looks for both files in the wrong place.) The scp step needs ~/.ssh to exist on machine B already; if it does not, create it first with mode 700. sshd checks the permissions (StrictModes) and refuses the file if ~/.ssh or authorized_keys is group- or world-writable, so make sure ~/.ssh is mode 700 and authorized_keys mode 600. On systems that have it, ssh-copy-id machine_B does all of this in one step.

1.4  Helper script

A script that copies the key, creates the directory and fixes the permissions for you: Attach:ssh_installkey
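The script below is an added example of what such a helper does, written for this page; it is not the attached ssh_installkey script. It assumes OpenSSH's ssh on both ends, a POSIX sh on the remote host, and a default key of ~/.ssh/id_ed25519.pub (all assumptions, not from the original). It validates the key line before sending it, appends it only if it is not already present, sets the permissions sshd's StrictModes check requires, and then proves the new key works on its own.

```shell
#!/bin/sh
# ssh_installkey: copy one public key into a remote authorized_keys exactly
# once, creating ~/.ssh and setting the permissions sshd's StrictModes wants.
# Usage: ssh_installkey [user@]host [pubkey-file]   (default ~/.ssh/id_ed25519.pub)
# Added example, not the page's own Attach:ssh_installkey; assumes OpenSSH.
set -eu

# An OpenSSH public key line is "<type> <base64> [comment]". Refusing anything
# else keeps a private key or a random file from being appended by mistake.
valid_pubkey_line() {
    printf '%s\n' "$1" | grep -Eq \
        '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp(256|384|521)|sk-ssh-ed25519@openssh\.com|sk-ecdsa-sha2-nistp256@openssh\.com) [A-Za-z0-9+/]+=*( .*)?$'
}

# Append a key line to an authorized_keys file idempotently, with the
# permissions sshd requires (directory 700, file 600). This is the local
# form of the steps; install_remote runs the same steps on the other host.
install_pubkey() {  # $1 = key line, $2 = path of authorized_keys
    valid_pubkey_line "$1" || { echo "not an OpenSSH public key: $1" >&2; return 1; }
    dir=$(dirname "$2")
    mkdir -p "$dir"
    chmod 700 "$dir"
    [ -f "$2" ] || : > "$2"
    chmod 600 "$2"
    # -x whole line, -F literal: a key that is already there is not added twice
    grep -qxF "$1" "$2" || printf '%s\n' "$1" >> "$2"
}

# Same steps on the remote host in one ssh session. The key arrives on stdin,
# so it never shows up in the remote process list or in a temporary file.
install_remote() {  # $1 = [user@]host, $2 = key line
    printf '%s\n' "$2" | ssh "$1" 'umask 077; mkdir -p ~/.ssh; chmod 700 ~/.ssh;
        f=~/.ssh/authorized_keys; key=$(cat); touch "$f"; chmod 600 "$f";
        grep -qxF "$key" "$f" || printf "%s\n" "$key" >> "$f"'
}

main() {
    host=$1
    pub=${2:-$HOME/.ssh/id_ed25519.pub}
    key=$(head -n 1 "$pub")
    valid_pubkey_line "$key" || { echo "$pub does not hold an OpenSSH public key" >&2; exit 1; }
    install_remote "$host" "$key"
    # Prove the key works by itself: no agent, no password fallback, this identity only.
    ssh -o BatchMode=yes -o PreferredAuthentications=publickey -o IdentitiesOnly=yes \
        -i "${pub%.pub}" "$host" true && echo "key installed on $host"
}

# Only act when given a host, so the file can also be sourced for its functions.
if [ $# -gt 0 ]; then main "$@"; fi
```

The final ssh with BatchMode=yes is the useful check: if it fails, the key was not accepted (wrong permissions, wrong file, or sshd not allowing public-key login) and you find out now rather than on the next login when password authentication quietly covers for it.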

2.  Keys with passphrases

You get the convenience of key login and keep the protection of a secret only you know if you generate the key with a passphrase and then use ssh-agent: the agent holds the decrypted key in memory, you type the passphrase once (ssh-add), and from then on ssh asks the agent to sign each login challenge. The private key itself never leaves the agent process, so the remote hosts never see it. Two caveats: anyone who can reach the agent's socket (root on your machine, or a remote host you forward the agent to with ssh -A) can use the loaded key for as long as it is loaded, so do not forward the agent to hosts you do not trust; and the setup has several moving parts, so really do read man ssh-agent and man ssh-add.
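As an added example (not from the page), the few lines that turn the above into a routine: check whether an agent is already reachable, start one only if not, and load the key with a lifetime so it expires from memory. It assumes OpenSSH's ssh-agent and ssh-add, a key at ~/.ssh/id_ed25519 and an 8 hour lifetime, all of which are assumptions you can change. It is meant to be sourced (`. ./agent.sh && load_key`), because the exported SSH_AUTH_SOCK has to land in your interactive shell, not in a child process.

```shell
#!/bin/sh
# Added example: reuse or start an ssh-agent and load a passphrase-protected
# key for a limited time. Source this file; do not execute it.

# ssh-add -l exit codes: 0 = agent reachable and holds keys, 1 = agent
# reachable but empty, 2 = no agent at SSH_AUTH_SOCK.
# Prints one of: keys, empty, no-agent, no-ssh-add.
agent_state() {
    command -v ssh-add >/dev/null 2>&1 || { echo no-ssh-add; return 0; }
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo keys ;;
        1) echo empty ;;
        *) echo no-agent ;;
    esac
}

# Start an agent only when none is reachable, so repeated logins do not leave
# a trail of orphaned agents each holding a decrypted key.
ensure_agent() {
    [ "$(agent_state)" != no-agent ] && return 0
    eval "$(ssh-agent -s)" >/dev/null
}

# Load the key with a lifetime (-t): the decrypted key is dropped from memory
# after 8 hours even if you forget to log out. Adding -c would additionally
# ask for confirmation on every use, which is the right setting if you ever
# forward the agent (ssh -A) to another host.
load_key() {  # $1 = private key file (assumed default ~/.ssh/id_ed25519)
    ensure_agent
    [ "$(agent_state)" = keys ] || ssh-add -t 8h "${1:-$HOME/.ssh/id_ed25519}"
}
```

ssh-add prompts for the passphrase once; afterwards ssh-add -l lists the loaded key and ssh logs in without asking. When the lifetime expires, the state goes back to empty and the next load_key prompts again.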

3.  ssh, X11 and su

If you connect to another PC using ssh -X, you can run remote graphical programs and have them display on your machine. This keeps working through sudo, because on this system sudo leaves HOME (and with it the default ~/.Xauthority lookup) and DISPLAY pointing at your own session, but if you su to another account it stops: su sets HOME to that account's home directory, so the X client looks for the cookie in /root/.Xauthority, which does not have it:

[sergio@psi ~]$ sudo xlogo
[sergio@psi ~]$ sudo su
[root@psi sergio]# xlogo
X11 connection rejected because of wrong authentication.
X connection to localhost:10.0 broken (explicit kill or server shutdown).

but you can solve this by merging your cookie into root's own authority file:

[root@psi sergio]# xauth merge ~sergio/.Xauthority
[root@psi sergio]# xlogo

(of course it must be ~your_user/.Xauthority, the account you logged in as; if that session had XAUTHORITY set to some other file, merge that file instead). Keep in mind that this cookie is the credential for your X display: any process running as the account you merge it into can open windows on, read keystrokes from and capture your display, so only do this for accounts you already trust, such as root on your own machine.

Each merge adds entries (one per display number, e.g. psi/unix:10) to root's ~/.Xauthority and they accumulate. Once in a while, check your xauth list and, if there is too much old stuff, use xauth remove on the stale entries, or just rm .Xauthority and log in again.
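The following is an added example (not from the page) of a tighter version of the su recipe, to be run as root after sudo su: instead of merging the whole ~/.Xauthority of the original user, it copies only the cookie for the current DISPLAY, then removes the stale entries the page warns about. It assumes Linux's getent, xauth's nextract/nmerge text format, and that the invoking user is recorded in SUDO_USER (or by logname for plain su); the user and display names are illustrative.

```shell
#!/bin/sh
# Added example: run as root after "sudo su" to import just the X cookie for
# the current DISPLAY from the invoking user's authority file, then prune
# entries for displays that no longer exist. Run with --run to act.
set -eu

# Home directory of a user via getent, so LDAP/NIS accounts whose home is
# not under /home also work.
home_of() {
    getent passwd "$1" | cut -d: -f6
}

# The X authority file is $XAUTHORITY if the session set it (display
# managers often do), otherwise ~/.Xauthority of that user.
xauth_file_of() {  # $1 = original user
    h=$(home_of "$1")
    [ -n "$h" ] || return 1
    echo "${XAUTHORITY:-$h/.Xauthority}"
}

# Display number of a DISPLAY value or xauth list entry:
# "localhost:10.0" -> 10, "psi/unix:10" -> 10, ":0" -> 0
display_number() {
    n=${1#*:}
    echo "${n%%.*}"
}

# Merge only the entry for DISPLAY into root's own file. nextract/nmerge use
# a text format, so the cookie can be moved between users and hosts.
merge_display_cookie() {  # $1 = original user
    f=$(xauth_file_of "$1")
    xauth -f "$f" nextract - "${DISPLAY:?DISPLAY is not set}" | xauth nmerge -
}

# Every ssh -X session adds a localhost:N entry and they pile up; keep only
# the entry whose display number matches the current DISPLAY.
prune_stale() {
    want=$(display_number "$DISPLAY")
    xauth list | awk '{print $1}' | while read -r entry; do
        [ "$(display_number "$entry")" = "$want" ] || xauth remove "$entry"
    done
}

main() {
    orig=${SUDO_USER:-$(logname)}
    merge_display_cookie "$orig"
    prune_stale
    xauth list
}

if [ "${1:-}" = --run ]; then main; fi
```

After this, xlogo (or any X client) works in the root shell as in the page's recipe, but root's file holds one cookie rather than a copy of everything the original user has ever collected.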