One of the most convenient ways to log in to a server with SSH is with certificates. Although the principle is well documented all over the internet, I still ran into some issues setting it up myself from my Mac, hence this walk-through.
I have tried to make a simple, condensed walk-through. It does require that you know what SSH is and how to use it.
(I also created a Windows/PuTTY walk-through.)
This example sets up certificates to log in to the server strelitzia.net with the user ID jeroen. This is not possible, so do not bother trying to hack your way into this system: I cannot SSH into it at all. It is used as an example for you and for me.
You NEED to change only two things. Every time you read ‘strelitzia.net’ you should replace it with your own server. Every time you read ‘jeroen’ you should use your own user ID. Be careful not to change anything else!
You start by opening a terminal. (If you don’t know how to do this, this tutorial is not for you!)
Type this command to create a key:
ssh-keygen -b 2048 -C jeroen-2048 \
    -f ~/.ssh/jeroen2048.key -t rsa
ssh-keygen is the OSX application to create keys. In this example we create a 2048-bit key (-b 2048) with the comment ‘jeroen-2048’ (-C jeroen-2048). This comment is displayed when you need to provide the key’s password. We write the key to the file ~/.ssh/jeroen2048.key (-f ~/.ssh/jeroen2048.key), in the subdirectory .ssh of your home directory. We actually create two files: your private key, which must remain secret at all cost, and a public key, which can theoretically be shared with anybody (it will be named jeroen2048.key.pub). Finally, we create the keys with the RSA algorithm (-t rsa).
Be sure to use a pretty good password for the private key. Some people skip the password, as they would gain no convenience by merely replacing their login password with a private-key password, but since our password will be kept conveniently in the OSX keychain, we can easily protect the key with a proper password!
Next step is to copy the public key to the server. This can be done in ‘one line’:
ssh jeroen@strelitzia.net \
    "echo `cat ~/.ssh/jeroen2048.key.pub` >> ~/.ssh/authorized_keys"
Please be aware that you need to provide your ‘normal’ password for the server here, not the new certificate password! You are merely logging in with SSH, still without certificates, probably for the last time! So make sure you log out of your server again.
This command opens a Secure SHell and appends your public key to the authorized keys on the server.
In principle you are done. But we do one more step to make it even more convenient.
We are going to create a config file to store all settings of your SSH connections. These four lines are sufficient, but there are plenty of options to fully utilize ssh:
vi ~/.ssh/config

Host strelitzia
    HostName strelitzia.net
    User jeroen
    IdentityFile ~/.ssh/jeroen2048.key
Each entry in this config file starts with Host (so you can create multiple connections). This is not entirely true if you read the manual, but it is enough to remember to make it work! The Host is an alias, so you can write whatever you want. The HostName is the official address you want to connect to. The User is the user ID to open the connection for, and the IdentityFile is your private key.
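The two steps above, copying the public key into authorized_keys on the server and adding a Host block to the client config, are where key login most often silently fails in practice: sshd refuses an authorized_keys file or .ssh directory with loose permissions, ssh refuses a private key that is world-readable, and a second Host block with the same alias is ignored because the first match wins. The script below is an added example, not code from the original article; it assumes a POSIX sh with grep, awk, head, mkdir and chmod (as on macOS and Linux), and uses the article's alias, hostname and user ID. Run the first function on the server against the uploaded .pub file, and the second on the Mac.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes POSIX sh with
# grep, awk, head, mkdir and chmod. Alias "strelitzia", host
# "strelitzia.net" and user "jeroen" follow the article; any key
# material used with these functions in a test is constructed.

# Append one public key to an authorized_keys file, as the article's
# one-liner does, but with the checks sshd will later apply itself:
# directory 0700, file 0600 (StrictModes rejects looser modes), a line of
# the shape "<type> <base64> [comment]", and no duplicate entries.
# Usage: install_authorized_key ~/.ssh/jeroen2048.key.pub ~/.ssh/authorized_keys
install_authorized_key() {
    pubkey_file=$1
    auth_file=$2
    ssh_dir=$(dirname "$auth_file")

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    # A .pub file holds exactly one line; anything else is not a public key file.
    [ "$(grep -c '' "$pubkey_file")" -eq 1 ] \
        || { echo "$pubkey_file must contain exactly one line" >&2; return 1; }
    key_line=$(head -n 1 "$pubkey_file")

    printf '%s\n' "$key_line" \
        | grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$' \
        || { echo "not an OpenSSH public key line: $key_line" >&2; return 1; }
    key_type=${key_line%% *}
    blob=$(printf '%s\n' "$key_line" | awk '{ print $2 }')

    # The base64 blob begins with the key type again (a length-prefixed
    # string), so its first characters are fixed per type; a mismatch means
    # the two fields were pasted together from different keys.
    case "$key_type" in
        ssh-rsa)     prefix=AAAAB3NzaC1yc2E ;;
        ssh-ed25519) prefix=AAAAC3NzaC1lZDI1NTE5 ;;
        *)           prefix= ;;
    esac
    case "$blob" in
        "$prefix"*) ;;
        *) echo "key type $key_type does not match the encoded blob" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    [ -f "$auth_file" ] || : > "$auth_file"
    chmod 600 "$auth_file"

    # Same type and blob already present (the comment may differ): nothing to do.
    if awk -v t="$key_type" -v b="$blob" \
           '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth_file"; then
        echo "key already present in $auth_file"
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_file"
    echo "added $key_type key to $auth_file"
}

# Add a Host block like the article's to an ssh client config. Refuses to
# define the same alias twice (ssh uses the first matching block, so the
# duplicate would be ignored without any error) and sets the private key
# to mode 0600, which ssh requires before it will use the key at all.
# Only single-alias "Host <alias>" lines are recognised by the duplicate check.
# Usage: add_ssh_host strelitzia strelitzia.net jeroen ~/.ssh/jeroen2048.key ~/.ssh/config
add_ssh_host() {
    alias_name=$1 host_name=$2 user_name=$3 identity=$4 config=$5

    [ -f "$identity" ] || { echo "private key $identity not found" >&2; return 1; }
    chmod 600 "$identity"
    mkdir -p "$(dirname "$config")" && chmod 700 "$(dirname "$config")"

    if [ -f "$config" ] && awk -v a="$alias_name" \
           'tolower($1) == "host" && $2 == a { found = 1 } END { exit !found }' "$config"; then
        echo "alias $alias_name is already defined in $config" >&2
        return 1
    fi
    printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n\n' \
        "$alias_name" "$host_name" "$user_name" "$identity" >> "$config"
    chmod 600 "$config"
    echo "added Host $alias_name to $config"
}
```

Both functions are idempotent on success and fail loudly on the mistakes that otherwise only show up as a bare "Permission denied (publickey)": a multi-line or truncated paste, a key type that does not match its blob, and a duplicate alias.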
After all this is done, you can simply log in with
ssh strelitzia
(See, I used the alias?)
You will be prompted once by the OSX KeyChain app to provide the password for your private key, and you will be logged in. The next time, your password will be provided by the KeyChain app, if you let it save your password.
One final note: changing to certificates is not only for convenience, as I might have led you to believe in this article. It also gives you stronger authentication, but for that you need to remove password authentication from the sshd configuration on your server.
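The final note is the security-relevant one: as long as sshd still accepts passwords, the key only adds convenience, and the server is exactly as exposed to password guessing as before. The checker below is an added example, not code from the article; it assumes a POSIX sh with awk and tr, and reads an sshd_config file given as its argument (the default location, /etc/ssh/sshd_config, is an assumption about the server). It follows sshd's rule that the first occurrence of a keyword wins, treats a missing keyword as its default (yes for all three here), accepts the older ChallengeResponseAuthentication spelling of KbdInteractiveAuthentication, and deliberately stops at the first Match block, since settings there are conditional.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes POSIX sh with awk
# and tr. Reads the sshd_config path given as $1; /etc/ssh/sshd_config is
# the usual location but is an assumption about the server.

# Print the effective value of one sshd_config keyword, lower-cased, or
# the default given as $3 when the keyword is absent. sshd uses the first
# occurrence of a keyword; lines after the first "Match" are conditional
# and are deliberately not considered here.
# Usage: sshd_option /etc/ssh/sshd_config PasswordAuthentication yes
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*(#|$)/  { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# Succeed only when password-style logins are off and key logins are on.
# Keyboard-interactive is checked too, because with PAM it is a second
# route to the same password prompt; the newer keyword overrides the older
# one if both are present, otherwise the older one supplies the default.
check_password_auth_disabled() {
    cfg=$1
    pw=$(sshd_option "$cfg" PasswordAuthentication yes)
    kbd=$(sshd_option "$cfg" KbdInteractiveAuthentication \
          "$(sshd_option "$cfg" ChallengeResponseAuthentication yes)")
    pub=$(sshd_option "$cfg" PubkeyAuthentication yes)

    echo "PasswordAuthentication=$pw KbdInteractiveAuthentication=$kbd PubkeyAuthentication=$pub"
    # Turning passwords off while keys are also off would lock everyone out.
    [ "$pub" = yes ] || { echo "PubkeyAuthentication is off: key login would not work" >&2; return 1; }
    [ "$pw" = no ] && [ "$kbd" = no ]
}
```

A convenient way to use it is to run the check before restarting sshd after an edit, and to keep the existing session open until a fresh key login from a second terminal has succeeded.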