Why enter passwords?

Today's lesson is about public key authentication with SSH. I use SSH to connect remotely to all sorts of systems, but beyond the simple terminal I use it to encapsulate file transfers and, more recently, Subversion requests. Entering a password every time I make a connection doesn't seem like such a big deal, but once you start using svn+ssh, it keeps prompting you on every single operation.

The answer is using public key authentication. What's that? Public keys? Like PGP? Yes, like that, but actually useful this time. It turns out SSH servers don't rely on passwords as the only means of user authentication. You can trade public keys, too. If you set up the server with your public RSA and DSA keys, then it can encode everything using them and only you, sitting on your machine logged into your account with the matching private key, can decrypt it. What's the point of a password when you have that kind of guarantee?

So here's what you do. You have a client machine (for me it's camaro here, my desktop). You have a server you're going to be logging into a lot (I'll be using the shermania.net server). The first thing you need to do is generate your keys. On your client machine, the program is ssh-keygen.

The default is to generate the RSA key used for SSH2 (that's good).

Each of these will ask you for a location to store the key. The default of .ssh/id_$$$ is a good idea, so just hit enter to accept it. It will also ask you for a passphrase. This passphrase is used to lock the key, so when you go to set it up somewhere new you need to know the passphrase to activate it. This adds another level of security. You can leave it blank if you really want to.

So you now have your personal key pairs. Let's install them on the server. There happens to be a neat utility called ssh-copy-id that handles it for you. Using that is really straightforward:
It will prompt you for the normal SSH login password for the remote server. This will be the last time you need to enter the password when logging in from this machine. Of course, password authentication will still be needed if you log in from another computer, but if you know you're going to do a lot of work from one particular station, this can save you a lot of typing time.

Reference: https://help.ubuntu.com/community/SSHHowto
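The install step above comes down to appending your public key to ~/.ssh/authorized_keys on the server with tight permissions. The script below is an added example, not code from the original post or from OpenSSH: it reproduces that result in a local scratch directory so it runs without a server. install_pubkey and demo are hypothetical helpers, "user" is a placeholder account name, and the sample key line is constructed.

```shell
#!/bin/sh
# Added example: what ssh-copy-id leaves behind on the server, done locally.
# install_pubkey and demo are hypothetical helpers, not part of OpenSSH.
# The real workflow from the post needs a live server and is not run here:
#   ssh-keygen -t rsa                # writes ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub
#   ssh-copy-id user@shermania.net   # "user" is a placeholder account name

# install_pubkey PUBKEY_FILE HOME_DIR
install_pubkey() {
    pubkey_file=$1
    ssh_dir="$2/.ssh"
    auth_file="$ssh_dir/authorized_keys"

    # Only the public half ever goes to the server; refuse a private key file.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing: $pubkey_file looks like a private key" >&2
        return 1
    fi

    # sshd's StrictModes (on by default) ignores keys kept in files or
    # directories that other users can write to.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth_file" && chmod 600 "$auth_file" || return 1

    # Whole-line, fixed-string match: running this twice adds the key once.
    while IFS= read -r key || [ -n "$key" ]; do
        [ -z "$key" ] && continue
        grep -qxF -- "$key" "$auth_file" || printf '%s\n' "$key" >> "$auth_file"
    done < "$pubkey_file"
}

# Install a constructed key twice into a scratch home; print the entry count.
demo() {
    scratch=$(mktemp -d) || return 1
    # Constructed sample line; the base64 field is a placeholder, not a real key.
    printf '%s\n' 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCconstructed me@camaro' \
        > "$scratch/id_rsa.pub"
    install_pubkey "$scratch/id_rsa.pub" "$scratch/home" || return 1
    install_pubkey "$scratch/id_rsa.pub" "$scratch/home" || return 1
    wc -l < "$scratch/home/.ssh/authorized_keys" | tr -d ' '
    rm -rf "$scratch"
}

echo "authorized_keys entries after two installs: $(demo)"
```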