SSH Access Using Public / Private DSA Or RSA Keys

These should already be installed, but just in case:

yum install openssh-server openssh-client openssh

Using ssh-keygen to generate your keys:

(you will have a public key that you copy to the computers you'll be accessing, and a private key that does not leave your system ever)

Do not give out, store remotely or otherwise expose your private key to the outside world or you defeat the purpose entirely of using encrypted keys. Doing so is the equivalent to locking the door to your house and leaving the keys in the handle for anyone to use/take.

We'll be using RSA in this example however, you're perfectly welcome and able to use DSA if you so choose. The difference is RSA, by default, uses a 2048 bit key and can be up to 4096 bits, while DSA keys must be exactly 1024 bits as specified by FIPS 186-2. It is unlikely you'll need a 4096 bit key as some things do not support them (Some Cisco VPN concentrators, PDA or cellphone technology, etc) and are viewed by many as "unbreakable" even with the most expensive government computer systems. With that said we'll give the following command to create our public/private keypair:

cd ~/.ssh
[user@localhost .ssh]$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa): (If you only plan on using one system, press enter. If you plan on using several give this file a unique name, see below)
Enter passphrase (empty for no passphrase): (always use a passphrase)
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
e5:06:05:64:ec:e9:9c:9b:f6:bd:d2:48:8a:de:bf:ba user@localhost

IMPORTANT: The .ssh directory must have a permission of 700 and the authorized_keys file within that directory must have a permission of 600 to work for passwordless entry (there will be a password for the key itself). To accomplish this give the following commands as the user you will be using to ssh with:

chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys

Note: If you're using a laptop which has the possibility of being lost or stolen or you're using several systems, you may consider using separate public/private keypairs and simply update/add to the authorized_keys file on the target systems. Remember that the private key should never leave the machine it was created on. If the laptop is then lost or stolen you can simply remove the reference to the key on the target machines authorized_keys file. You'll need to use a naming system that allows you to quickly identify which key belongs to which host(s) as well.

Here are some simple examples:

Enter file in which to save the key (/home/user/.ssh/id_rsa): id_rsa.dev
Enter file in which to save the key (/home/user/.ssh/id_rsa): id_rsa.laptop1
Enter file in which to save the key (/home/user/.ssh/id_rsa): id_rsa.desktop

[user@localhost .ssh]$ ssh-copy-id -i id_rsa.pub 192.168.0.2
user@192.168.0.2's password:

Now try logging into the machine, with "ssh '192.168.0.2'", and check in:
~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.

[user@localhost .ssh]$ ssh 192.168.0.2
Enter passphrase for key '/home/user/.ssh/id_rsa':
Last login: Tue Mar 23 16:04:23 2010 from foo.comcast.net
[user@remotehost]$

[root@localhost]$ su - user
[user@localhost ~]$ vi ~/.bash_profile

add these lines at the bottom and logout/login or give the command:
source ~/.bash_profile

SSHAGENT=/usr/bin/ssh-agent
	  SSHAGENTARGS="-s"
	  if [ -z "$SSH_AUTH_SOCK" -a -x "$SSHAGENT" ]; then
            eval `$SSHAGENT $SSHAGENTARGS`
	    trap "kill $SSH_AGENT_PID" 0
	  fi


[root@localhost]$ su - user
(skip this step if you used the source command above)
Password:
Agent pid 24646

[user@localhost ~]$ ssh-add
Enter passphrase for /home/user/.ssh/id_rsa:
Identity added: /home/user/.ssh/id_rsa (/home/user/.ssh/id_rsa)

[user@localhost ~]$ ssh 192.168.0.2
Last login: Tue Mar 23 15:57:10 2010 from foo.comcast.net
[user@remotehost ~]$

You should now be able to use the above sequence to login passwordless to any system you've copied your id_rsa.pub / authorized_keys file to. Login, use the ssh-add command, give your passphrase once and you should be able to login passwordless. You will be added to the ssh-agent for the remainder of your session until you logout, you'll need to re-verify your passphrase with each new login session. This verification is needed to prove you are the owner of the key.