Simplifying everyday use of SSH
In a previous blog post about organization of ssh connections I introduced SSHMenu. SSHMenu started out as a way to organize SSH connections in a panel applet in GNOME, and that origin is still clear when you use it – even if you use the non-GNOME version.
Edit on 8th of December: It should be noted that the ssh configuration described in this post doesn’t interfere with SSHMenu in any way. So it is possible to have both options available, command line execution for the standard ssh sessions and SSHMenu for those occasions where the extra features supplied are required.
Lately I have been trying to make my work sessions in front of the computer as mouse-less as possible. Creation of SSH sessions is an action I do frequently, so I had to find something else than SSHMenu assist me with those actions. SSHMenu worked fine, but it did require using the mouse for interaction.
I decided to go back to standard command line based SSH usage. Some research into the SSH programs supplied by the default Ubuntu installation showed that all the features I required was available with a little bit of configuration.
Passwordless login
Edit on 8th of December: As pointed out by Grant McLean in the comments the following setup for password less login works perfectly fine with SSHMenu as well, so everyone should take a look at it to make their everyday computer use easier.
The first step was to enable password less login, since retyping (and remembering) passwords on a dozen different servers is very tedious. The programs needed for this is installed by default on almost every *nix system, they are ssh-keygen and ssh-add.
To create the login key which will replace our password we need to use ssh-keygen. This is a very simple program that creates a set of keys, one public and one private, required to login on remote servers. This key combination is password protected so even if someone else gets hold of your keys they won’t be able to use them without cracking your password. The first step in creating your keys is to issue the following command:
ssh-keygen -t rsa
It is possible to specify dsa instead of rsa as key type, but rsa showed to be the stronger one from my research. Following that a series of questions about storage location and passphrase will be asked. A stanard key generation session will look as follows:
1 2 3 4 5 6 7 8 9 | $ ssh-keygen -t rsa Generating public/private rsa key pair. Enter file in which to save the key (/home/michael/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/michael/.ssh/id_rsa. Your public key has been saved in /home/michael/.ssh/id_rsa.pub. The key fingerprint is: f6:61:a8:27:35:cf:4c:6d:13:22:70:cf:4c:c8:a0:23 michael@hyrule |
In this session I decided to use the default storage location, so I just pressed enter when asked about that. For the passphrase I did enter a password, but as usual no characters were printed as I typed it. As we see from line 6 and 7 two files were created, .ssh/id_rsa and .ssh/id_rsa.pub.
The .ssh/id_rsa is your private key file. This file should be kept secret, since it is used to authenticate you when you log in on the remote server.
The .ssh/id_rsa.pub contains your public key which will be registered on the servers you want to login on. As such this key file can be made public without a negative effect on your security. Having this file, or at least the contents of it, public will also make it easier for server administrators to give you ssh access. There are two standards way to register your authentication key on a remote machine.
The first way is to use the ssh-copy-id command.
ssh-copy-id -i ~/.ssh/id_rsa.pub user@remote.com
This command will register the ~/.ssh/id_rsa.pub on your account on the remote machine (user@remote.com).
The manual way of doing the job of the ssh-copy-id is a bit more work, but still very easy. First you have to log in on the remote machine. Then you need to open the ~/.ssh/authorized_keys. At the end of this file (or on the first line if you just created the file) you should append the contents of your local ~/.ssh/id_rsa.pub file. This should be a single line filled with lots of random characters, though the first word should be ssh-rsa and the last word should be your local username and computer name.
Once that is done you should now be able to log in on that remote server without using your password on that server, instead you’ll be asked for the passphrase used when you created you ssh-rsa key. This doesn’t really help much though, you only have to remember one password for all your ssh servers but you still have to type it when you log in. As with every tedious work process there is a way to automate this on Linux. The magic command for this is ssh-add.
The ssh-add command without any paramters will add your private keys to the current ssh-agent session. On Ubuntu the ssh-agent session is started by default, but on other system you’ll have to execute that command yourself when you log in. When you run the ssh-add command you’ll be asked for the password for each personal key registered. If you didn’t have any keys when you started reading this post you’ll only be asked for the password for a single key. From now on you should be able to log in on your remote server without needing to enter any passwords.
For each remote server you need access to you should register your ssh key using the ssh-copy-id command. This will enable you to log into them without enter a password once you have run the ssh-add command. I’ve setup my system to run the ssh-add command when I start Ubuntu, so once I have typed the password once I can create SSH sessions without typing another password.
Shorthand for adresses, ports and other stuff
We are now able to log in on any remote server without typing our password, but still we need to remember the various host names, different usernames and possibly strange port numbers. To alleviate this problem you can register the hosts in your local ~/.ssh/config/ file. This file can contain a list of ssh hosts, and specialized options for each one. An entry for a single host looks as follows:
Host *test01 HostName test01.web.com User testman Port 4022
The first line defines the local name given to the host settings that are following, in this case the name is test01. Here I have registered the host name of the server (test01.web.com), my username on that server (testman) as well as a custom port (4022) to use. The only line required is the Host *... to give the settings a local name, and the HostName ... line to tell what server to log into.
ssh test01The above command is now all that is needed to log in on the remote server, with the username, host adress and port number defined in the ~/.ssh/config file. Assuming we have run the ssh-copy-id command with that server as target we won’t even be asked for a password when we log in. Adding more servers to the ~/.ssh/config file is as easy as adding more blocks similar to the first one, one after another. There are also other options available to set for each server, but the ones gives above are the only ones I’ve found usefull so far.
Another nice thing bonus with setting up SSH this is that scp inherits the same configuration, so copying files between remote computers becomes (almost) as easy as copying files locally.
With all of this done we can now write our password once per session (thanks to ssh-agent), and then log on to costum ssh servers using a costum name which is easy to remember. No more remembering special information about each and every server used!
Grant McLean Said,
December 8, 2008 @ 03:48
I’m a little confused. You seem to be suggesting that setting up public/private keys is a great alternative to SSHMenu. SSHMenu has always integrated with the ssh agent so that you only have to type your pass-phrase once (the first time you try to connect).
Like you, I’m a keyboard junky rather than a pointy-clicky type but the reason I wrote SSHMenu was to integrate with gnome-terminal profiles for background colours and to set up window sizes/positions etc. Also I rely heavily on the bcvi integration but if you’re not a ‘vi’ user then that won’t be much of a draw :-)
Michael Plikk Said,
December 8, 2008 @ 22:52
Thanks a lot for the comment Grant, hope you find something interesting during your visit here! It is always great fun to get a response from those actually creating the software that I use(d).
You’re right that ssh agent works with SSHMenu. I ended up writing about that in this post since I managed to get it configured correctly as a result of looking for alternatives to SSHMenu. It therefore felt natural for me to mention that in the same post. I’ll add a note about it so future readers aren’t led astray.
The reason I liked SSHMenu a lot to begin was the gnome-terminal integration it had, as you mentioned. Recently I switched to Xmonad as a window manager, which has automated window positioning/sizing so I no longer need to have those supplied by another application. I haven’t found a good substitute for the colour-scheme settings available from SSHMenu though, still trying to get that ability back in my current system. If I was still using Gnome I would definitely keep SSHMenu around for when I needed special terminal profiles, since “my” solution doesn’t interfere with SSHMenu.
On the part of using the mouse instead of the keyboard I prefer the current option of opening a terminal window (alt+shif+enter) and then starting the required ssh session there. For me that is less strenuous than moving my hand to the mouse and selecting the SSHMenu.
Thanks a lot for mentioning bcvi. I had not heard of it before, but as a fellow Vim user I’m definitely going to check it out!