It's actually pretty straightforward; keep in mind that SSH is user oriented, not server oriented (well, mostly) for our purposes.
What you do is log in and execute ssh-keygen
. That creates a directory in your home directory named .ssh
and generates two files in that directory: id_rsa
, the private and public keys. You would repeat this for every user account that needs to have SSH access between machines (you do not
copy these keys from one account to another, you generate unique keys for each account).
When you execute ssh-keygen
you will be prompted for a pass phrase, just hit the return key for the pass phrase and the "enter it again" prompts (this is not a security hole, it just makes your life a little easier). Try not to confuse the pass phrase with the account password as we go alone here -- they're not the same.
That will allow an external user to connect with SSH and log in as the user you generated the keys for (using the password for the account); generally, SSH is used by a user to connect to his or her own account remotely.
There are some tricks you can do, one of them being remote log in without a password (this is the real benefit of secure log in with the public and private keys).
Those two files? One of them, id_rsa.pub
, can be copied to another server and allow password-less connection (you never
copy the private key anywhere, only the public key).
Let's say you've got two servers, fubar
that you wish to allow password-less connections for one or more users on. Let's say that the user is you and your log in on both machines is john
and you have already generated the publich and private keys on each machine using ssh-keygen
. So, you log in on fubar
and do this:
fubar: cd .ssh
fubar: cp id_rsa.pub fubar
fubar: ssh snafu
<enter snafu's password>
snafu: cd .ssh
snafu: cp id_rsa.pub snafu
snafu: ^D (or exit)
What you've done is create a file on each machine, named the machine name, containing the public key; you're going to copy those files to the other machine:
fubar: pwd < make sure you're still in the .ssh directory)
fubar: sftp snafu
fubar: cp snafu authorized_keys
What you've done is, from fubar
, connected to snafu
and copied the file you created above containing the public key and copied that public key into the file authorized_keys
in the .ssh
directory. Now you might see the reason for naming the public key files something other than id_rsa.pub
so you can conveniently copy them to another server and not overwrite the existing id_rsa.pub
file there -- think about doing this on five or six machines and you may get the idea.
OK, so now snafu
can connect to fubar
and you need to do the same thing in the other directory; assuming you're still on fubar
cp fubar authorized_keys
You've copied the public key file from fuabr
and copied that into authorized_keys
Now they can talk to each other without a password.
The next thing you want to do is create a file named config
in the .ssh
directories on each machine. On fubar
, it will look like this:
Do the same thing on snafu
, changing the Host
Once you've done all this, you can connect to either machine without a password. For example, if you're working on snafu
, you can simply
and you're connected (and vice versa).
If you have a bunch of servers that you need to work on, simply repeat the above stuff for each one. The line in config
for the user account name permits you to have different accounts on other servers that may connect without a password -- pretty slick, that.
Now there is an excellent article that will explain much of the above (plus some other interesting things), see http://www.linuxjournal.com/article/6602
. It's an oldie but a goodie.
Hope this helps some.