I’m incurably lazy, and as we all know, lazy techs like to automate (ltla?).
I ssh a lot into my personal servers, and I get tired of having to type
ssh email@example.com, and then enter my password. So I got smart.
Since I’m on a Mac, the first thing I did was grab iTerm2. This lets me create simple profiles so with a click, I can log in to any of my servers. When I was using Windows, I used PuTTY and the add-on for Connection Manager.(The real PuTTY CM site is gone, and binarysludge just keeps a copy on hand for the same reasons I do. You never know when you need it. Mine’s in my Dropbox storage.)
What I really loved about PuTTY CM was that I could fill the pref file with my accounts and passwords, and then one-click connect to any of my servers. This was as The Bank Job, where I had a couple hundred servers to do this with, and when I had to change my password, I could search/replace that file. I know, it’s not secure. At DreamHost, I had the same, but they scripted it so I can sudo in with a handy call that I’m in love with. As long as I remember my password, I’m fine. But see, I told you, I’m horribly lazy and I hate having to log in with my password, then sudo again with my password.
The first step for this is to make an rsa key pair. This is a fancy way of telling both computers to trust each other, so on your personal computer (we’re assuming linux here), go to your home folder and type this:
[Laptop] $ ssh-keygen -t rsa
You’ll be presented with a series of informative notes and questions. Accept all the defaults, and keep your passphrase empty.
Generating public/private rsa key pair. Enter file in which to save the key (/home/ipstenu/.ssh/id_rsa): Created directory '/home/ipstenu/.ssh'. Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/ipstenu/.ssh/id_rsa. Your public key has been saved in /home/ipstenu/.ssh/id_rsa.pub. The key fingerprint is: 3e:4f:05:79:3a:9f:96:7c:3b:ad:e9:58:37:bc:37:e4 ipstenu@[Laptop]
This saves your public ‘key’ in the
.ssh folder (yes, it’s a folder)
Now we have to setup the server (halfelf.org for example):
[Laptop] $ ssh firstname.lastname@example.org mkdir -p .ssh email@example.com's password:
This will SSH into halfelf as ‘myaccount’ and create a folder called
.ssh. You only need to do this once, so after you set up the key for one computer, you can skip this the next time.
Finally we’re going to append the public key from my laptop over to HalfElf, so it trusts me:
[Laptop] $ cat .ssh/id_rsa.pub | ssh firstname.lastname@example.org 'cat >> .ssh/authorized_keys' email@example.com's password:
The reason we’re appending is so that if I decide I want to add my Work Laptop, I can just make the key, and then repeat that last command and it will add it to the bottom, trusting both.
There’s a caveat here, which caught me last week. I set everything up for my new server, ElfTest, and then moved the server to a VPS. The IP changed, so the trusted key was invalid. You see, every time you connect to a server for the first time, it asks you to trust it. If anything in that fingerprint changes, you have to re-trust. This is annoying:
The authenticity of host 'elftest.net (111.222.333.444)' can't be established. RSA key fingerprint is f3:cf:58:ae:71:0b:c8:04:6f:34:a3:b2:e4:1e:0c:8b. Are you sure you want to continue connecting (yes/no)?
After you respond “yes” the host gets stored in
~/.ssh/known_hosts and you won’t get prompted the next time you connect. When it became invalid, I had to go edit that file and delete the entry for elftest (it’s partly human readable, so it wasn’t too bad).
If you hate this as much as I do, and you feel you’re immune to man-in-the-middle attacks, there’s a nifty command:
ssh -o "StrictHostKeyChecking no" user@host
This turns off the key check. Generally speaking? Don’t do this. I’ve actually only done it once. (This was at the bank, where I was behind so many firewalls, if you’d gotten to my computer, I was in trouble anyway.)