
How-to work with ssh keys, agents and other useful stuff

17 March 2009



Managing more than 80 Linux servers is not an easy job, but with the help of ssh I can distribute a command to all servers without typing and retyping the password every time. Don't misunderstand me: you will still need to type a password to access these servers, but only once. If you manage your keys correctly, there is nothing to fear in making heavy use of ssh keys.

What is SSH? SSH stands for Secure Shell and is a protocol that allows secure data exchange between two networked machines; it is widely used on Unix systems. The grandfather of SSH is telnet, a clear-text protocol that was very simple to intercept and very, very insecure. All passwords between machines were sent in clear text, and a simple sniffer was enough to get the password from a telnet session. Unlike telnet, SSH uses public-key cryptography to authenticate the remote computer, and it is very hard to intercept an SSH session (but not impossible).
SSH can be used for:

1. Log in on remote machines in a shell
2. Execute commands on remote machines
3. Tunneling
4. Port forwarding
5. File transfer with the associated SCP and SFTP protocols

1. Creating ssh keys

First of all we need to create the ssh keys we will use for authentication. For that we use ssh-keygen. ssh-keygen can generate two kinds of keys: RSA keys for SSH protocol version 1, and RSA or DSA keys for SSH protocol version 2. Both types are very strong, but RSA is much better than DSA because it can use more than 1024 bits, while DSA is fixed at 1024 bits. The main difference between these two algorithms is speed, not security (at this time): DSA generates keys faster and RSA verifies faster, but these days the differences are too small to matter. Anyway, if you think of the future and want a key that stays strong for the years to come, just choose a 4096-bit RSA key. You can choose how many bits your key should have (more bits = stronger key). By default ssh-keygen generates RSA keys with 2048 bits.

root@randombugs:~# ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
b1:46:0c:d4:1d:a6:bc:0d:99:15:c6:f0:47:e7:bc:46 root@randombugs


root@randombugs:~# ssh-keygen -t rsa -b 4096
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
60:3c:c3:77:2f:ae:fc:d0:52:3c:8d:4e:6d:6a:c3:47 root@randombugs

(To sleep well until 2030)

id_{rsa|dsa} is the private key; you can change its location when generating the keys.
The passphrase is equivalent to a password, except that you are not limited to certain characters: you can use any punctuation sign or letter. It is recommended to have a passphrase longer than 10 characters containing a mix of numbers, upper- and lower-case letters and non-alphanumeric characters. Don't use easily guessed words or simple sentences.

YOU CANNOT RECOVER A PASSPHRASE. If you lose the passphrase you need to regenerate your key.
id_{rsa|dsa}.pub is where the public key is stored. This key can be shared, or added to authorized_hosts2 on the remote host to allow key-based login.

With ssh-keygen we can also do other tasks:

* Remove all keys belonging to a hostname from known_hosts (-R hostname)
* Search for a hostname's key in known_hosts (-F hostname)
* Hash a known_hosts file, replacing every hostname with a hash (-H)
* Change the passphrase of a private key file (-p)

2. Copying ssh keys to remote hosts

You have two possibilities: by hand or with ssh-copy-id. If you run ssh-copy-id with no parameter other than the hostname, your id_{rsa|dsa}.pub will be appended to ~/.ssh/authorized_hosts2 on the remote host.

root@randombugs:~# ssh-copy-id user@hosts
user@hosts's password:
Now try logging into the machine, with "ssh 'user@hosts'", and check in:


to make sure we haven’t added extra keys that you weren’t expecting.

You can also specify the file containing your public key if it is somewhere other than id_{rsa|dsa}.pub.

By hand, just append id_{rsa|dsa}.pub to ~/.ssh/authorized_hosts2. If you create ~/.ssh/authorized_hosts2 by hand, set the correct permissions on it.
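The manual method above (append the public key, set the right permissions) is easy to get subtly wrong: the same key appended twice, a private key pasted by mistake, or a file that sshd silently ignores because StrictModes finds it group- or world-writable. The shell function below is an added example, not code from the original post. It writes to ~/.ssh/authorized_keys, the default AuthorizedKeysFile in OpenSSH (the post calls the file authorized_hosts2; adjust the name if your sshd is configured differently), validates that the line looks like a public key, deduplicates on key type and key material so a changed comment does not create a second entry, and enforces mode 0700 on the directory and 0600 on the file. The optional second argument lets you run it against a scratch directory instead of your real ~/.ssh.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys exactly once,
# with the permissions sshd's StrictModes expects.

# install_pubkey PUBKEY_FILE [SSH_DIR]
# Returns 1 (and appends nothing) if PUBKEY_FILE does not hold a public key.
install_pubkey() {
    pubkey_file="$1"
    ssh_dir="${2:-$HOME/.ssh}"
    auth_file="$ssh_dir/authorized_keys"

    # A public key line is "<type> <base64> [comment]". Anything else,
    # e.g. the "-----BEGIN ... PRIVATE KEY-----" header, is rejected.
    key=$(head -n 1 "$pubkey_file") || return 1
    printf '%s\n' "$key" |
        grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+=*( |$)' || {
        echo "install_pubkey: $pubkey_file is not a public key" >&2
        return 1
    }

    # 0700 on .ssh and 0600 on authorized_keys; looser modes make sshd
    # ignore the file when StrictModes is on (the default).
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_file"
    chmod 600 "$auth_file"

    # Compare only type and key material (fields 1 and 2) so that the same
    # key with a different comment is still recognised as a duplicate.
    key_material=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if ! awk '{print $1 " " $2}' "$auth_file" | grep -Fxq "$key_material"; then
        printf '%s\n' "$key" >> "$auth_file"
    fi
}

# count_keys SSH_DIR: number of non-empty lines in SSH_DIR/authorized_keys.
count_keys() {
    grep -c . "$1/authorized_keys"
}

# Usage on the remote host, after copying id_rsa.pub there:
#   install_pubkey "$HOME/id_rsa.pub"
```

Run it twice with the same key and authorized_keys still holds one line; run it with a file whose first line is a private-key header and it refuses with a message on stderr.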

Now you are ready to log on to the remote machine, but when you try to log in you will be asked for the key passphrase. So far nothing is different from ssh without keys (or only a small difference: you now have the same password for all hosts).

3. Authentication Agent

ssh-agent is an authentication agent that holds your private keys for public-key authentication.

The most important parameters are:
-a bind_address Bind the agent to the socket bind_address. The default is /tmp/ssh-XXXXXXXXXX/agent.
-k Kill the current agent
-t life Set the maximum lifetime of identities added to the agent (seconds)

To start it just run:

root@randombugs:~# ssh-agent
SSH_AUTH_SOCK=/tmp/ssh-ahMKG32762/agent.32762; export SSH_AUTH_SOCK;
echo Agent pid 32763;

Initially ssh-agent starts without any key. To add a key you need to run ssh-add, which adds your RSA/DSA keys to ssh-agent.

To add all your private keys to ssh-agent just run ssh-add without any parameter:

root@randombugs:~# ssh-add
Enter passphrase for /home/randombugs/.ssh/id_rsa:
Identity added: /home/randombugs/.ssh/id_rsa (/home/randombugs/.ssh/id_rsa)
Identity added: /home/randombugs/.ssh/id_dsa (/home/randombugs/.ssh/id_dsa)

Now your keys are loaded in ssh-agent. Just run ssh user@host ... Magic ... no password required.

OK ... but being able to add private keys to an agent without any authentication is not a good thing. So use

root@randombugs:~# ssh-add -x
Enter lock password:
Agent locked.

to set a password on your agent. Now you cannot add any private keys without providing the password.

The most important switches for ssh-add are:

-D Delete all private keys from ssh-agent
-d Delete an identity from ssh-agent
-L List the public key parameters of all identities currently held by the agent
-t life Set the maximum lifetime of identities added to the agent (seconds)
-x Lock the agent with a password
-X Unlock the agent

More info? Just read the manuals on your Linux machine.

4. Using keychain

keychain was created to help sysadmins manage ssh-agent sessions and use one single ssh-agent session for cron jobs, scripts and the shell. To install it under Ubuntu or Debian just run

root@randombugs:~# apt-get install keychain

Now if you use bash or zsh just add this to your .bashrc

keychain id_rsa id_dsa
[ -z "$HOSTNAME" ] && HOSTNAME=`uname -n`
[ -f "$HOME/.keychain/$HOSTNAME-sh" ] &&
    . "$HOME/.keychain/$HOSTNAME-sh"

Just save and open a new console. You will be asked for your private keys' passphrases. From now on you can log in on every server / workstation where you uploaded your key.

For other options just run
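Sections 3 and 4 together describe what keychain automates: start an agent once, save the environment lines ssh-agent prints, and have every new shell source them instead of starting another agent. The shell functions below, an added example that is not part of the original post or of keychain itself, do the same by hand and add two checks a practitioner wants: a saved environment file is trusted only if its socket still exists and the agent process is alive (a stale file is removed rather than reused), and identities get a lifetime via -t so a forgotten agent does not hold unlocked keys indefinitely. The environment file path under ~/.ssh and the 3600-second lifetime are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: reuse one ssh-agent across shells, keychain-style.
# Assumed location for the saved agent environment; any private path works.
AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent-env-$(uname -n)}"

# agent_alive FILE
# Source the "SSH_AUTH_SOCK=...; export SSH_AUTH_SOCK;" lines that ssh-agent
# printed into FILE and report whether that agent is still usable.
# Returns 0 when the socket exists and the agent process answers kill -0;
# otherwise removes the stale file, clears the variables and returns 1.
agent_alive() {
    env_file="$1"
    [ -r "$env_file" ] || return 1
    . "$env_file" >/dev/null        # the file also echoes "Agent pid N"; discard it
    if [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ] &&
       [ -n "$SSH_AGENT_PID" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null; then
        return 0
    fi
    rm -f "$env_file"
    unset SSH_AUTH_SOCK SSH_AGENT_PID
    return 1
}

# start_agent FILE LIFETIME
# Start a new agent whose identities expire after LIFETIME seconds and save
# its environment to FILE with mode 0600: whoever can read the socket path
# and reach the socket can use the loaded keys.
start_agent() {
    env_file="$1"
    lifetime="$2"
    mkdir -p "$(dirname "$env_file")"
    ( umask 077; ssh-agent -t "$lifetime" > "$env_file" ) || return 1
    . "$env_file" >/dev/null
}

# load_agent FILE LIFETIME
# Reuse the agent recorded in FILE if it is alive, otherwise start one.
# Then add keys only if the agent holds none (ssh-add -l exits 0 when it
# already has identities), so a new shell does not re-prompt for passphrases.
load_agent() {
    agent_alive "$1" || start_agent "$1" "$2" || return 1
    ssh-add -l >/dev/null 2>&1 || ssh-add
}

# Usage from .bashrc, for interactive shells:
#   load_agent "$AGENT_ENV" 3600
```

Because the environment file is only trusted after both checks pass, a reboot (socket gone) or a killed agent (process gone) leads to a fresh agent rather than a confusing "Could not open a connection to your authentication agent" error.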

root@randombugs:~# man keychain

5. Useful stuff
5.1 XForwarding

Sometimes it is very useful to have a VNC server on your server, but it is not always required. You can "forward" X applications from your server to your workstation through ssh. X uses a client-server model, so you can forward your X client application to your desktop.

Note: this does not work under Windows unless you have an X server running.

To do that you need to enable the following option in your ssh server configuration (/etc/ssh/sshd_config):

X11Forwarding yes

Now restart your ssh server and remove the old Xauth files from your home folder

root@randombugs:~# sudo rm -f .Xauth*

Now log in on the remote server

root@randombugs:~# ssh -C -X user@hosts

(-C enables compression) and run

root@randombugs:~# xclock

If all is working OK you should see xclock running on your desktop.

5.2 SSH Tunnels

Tunnels are in fact port forwards, and there are two types of port forwarding: local and remote.
Local port forwarding forwards traffic arriving on a local port to a remote host.

root@randombugs:~# ssh user@host -L 3389:

Now if you connect to localhost on port 3389 you will be forwarded to (where is in the remote host's network)

Remote port forwarding forwards traffic arriving on a remote port to a specified local port.

root@randombugs:~# ssh user@host -R 2222:localhost:22

Now, from the host computer, just run

root@randombugs:~# ssh -p 2222 localhost

I hope you will not force me to draw diagrams to explain local and remote forwarding, because I'm a bad "designer".

Good luck!


  • Damian said:

    I use SSH too. And tunneling. Very useful, thanks.

  • Franklin Trevillian said:

    Thanks for posting the detailed tutorial. I actually need this for the current project I am working on.

    This post saved a lot of time. Hope you could post more in the future.
