If you’re like me, you find yourself connecting to the same servers 15-20 times a day. Why not set up Shared Key Authentication? It makes establishing an SSH connection much easier but also makes setting up scripting much easier as well.
However, before skipping on down to the instructions, please make note of the following. If you run 20 servers and allow all 20 servers to use Shared Authentication to communicate with all other 20 servers, and just ONE of those servers gets compromised, all your servers are now compromised.
One way to help avoid this is to disable Password authentication all together, brute force hacking attempts on your password are now rendered useless.
Its a fairly good idea not to overuse Shared Key’s.
For example, given the situation above, is it really necessary for all 20 machines to communicate with all the other machines? Only allow machines to trust other machines if they really need to.
Also its a very good idea NOT to allow the root user the ability to use Shared key Authentication. Its better to connect using a normal account and set up the root from there.
With the preliminaries out of the way, lets get down to business. This is actually VERY easy to set up.
Lets say you have two servers you want to trust each other. To keep things simple, let’s name them Bart and Lisa. We’ll say I have an account on both machines called Brandon.
Here’s how you start:
brandon@bart:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/brandon/.ssh/id_rsa): [enter]
Enter passphrase (empty for no passphrase): [enter]
Enter same passphrase again: [enter]
Your identification has been saved in /home/brandon/.ssh/id_rsa.
Your public key has been saved in /home/brandon/.ssh/id_rsa.pub.
The key fingerprint is:
Ok, when it asks you where to save the file just accept the default and hit enter. Do the same when prompted for a passphrase. If you don’t do this, you’ll have to enter a password every time you use the key pair and void the entire reason were setting this up. =)
Fortunately,that was the hardest part.
Your next step will be to get the public key over to the server, named Lisa, that we are connecting to. You can do this pretty much anyway but I just scp’d it over.
brandon@bart:~$ scp .ssh/id_rsa.pub lisa:.ssh/authorized_keys
Now the above will only work if Lisa is on the local network, otherwise you’ll want to replace Lisa with the server’s IP address, like so:
brandon@bart:~$ scp .ssh/id_rsa.pub 126.96.36.199:.ssh/authorized_keys
That’s it. Now lets try to SSH over.
If you did everything right, you shouldn’t be prompted for a password when you SSH over to Lisa from Bart
brandon@bart:~$ ssh lisa
brandon@bart:~$ ssh 188.8.131.52
and you should be presented with!
Now that’s cool.
Also note that this is a one way trust. Meaning Lisa trusts Bart to connect to her, but Bart still doesn’t trust Lisa. If you want to establish a two way trust, simply repeat the same instructions the other way around.
If you have any questions regarding this process please feel free to leave a comment and I’ll do my best to answer your question.