How Interesting...
August 6, 2018

Using SSH Key-pairs to better secure connections to remote servers - Mac


This article shows how to set up an SSH key pair so that you can log into servers from your Mac quickly, simply and securely. It is certainly worth doing if you log on to remote servers regularly.

What is an SSH key-pair?

I get asked this question a lot at work, and the concept is a little strange if you are new to it. A key-pair is a pair of keys generated together by a cryptographic algorithm. They only work with each other, and each key-pair is unique. The Public Key is useless without the Private Key; it is the Public Key that goes on your remote host, and it is perfectly safe to put it there.

Keys and Locks

You could think of the Public Key as a physical padlock on a door, where everyone is able to see the lock, but nobody can unlock it. Your unique private key - that you keep safe in your pocket - is the only key able to unlock the padlock. The lock is useless to anyone without the correct key.

Once your key is used with the lock, the lock becomes open and you’re able to gain access.

The process

When your client sends a connection request to the server that identifies the Public Key, the server responds with a challenge encrypted using that Public Key. Your client decrypts the challenge with the Private Key and sends its response back to the server. The secure connection is then established if the response checks out against the Public Key.

Key-pairs are more secure than passwords because they are far harder to attack by brute force. The Private Key is never transmitted to the remote host, so neither the server nor the connection can expose it. They are also more convenient: Public Keys can be stored on your remote hosts for reuse, removing the need to authenticate manually.
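The exchange described above can be watched from the client with ssh -v, which prints one debug line per stage (the key being offered, the server accepting it, and which method finally succeeded). The following is an added example, not code from the original post: a few shell functions that read such a transcript from standard input and report whether the login really used the key rather than falling back to a password. The transcript in SAMPLE_TRANSCRIPT is constructed to mirror OpenSSH's debug1 messages; the path and fingerprint in it are placeholders, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): read an `ssh -v` transcript and
# report which authentication method succeeded and which key the server accepted.

# Constructed sample of what `ssh -v linuxhost` prints while authenticating.
# Fingerprint and path are placeholders, not values from a real host.
SAMPLE_TRANSCRIPT='debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /Users/chris/.ssh/id_rsa RSA SHA256:PLACEHOLDERFINGERPRINT agent
debug1: Server accepts key: /Users/chris/.ssh/id_rsa RSA SHA256:PLACEHOLDERFINGERPRINT agent
debug1: Authentication succeeded (publickey).'

# Print the method named in the "Authentication succeeded (...)" line read from
# stdin (publickey, password, keyboard-interactive), or "none" if the transcript
# never reached that line.
auth_method_used() {
    method=$(sed -n 's/.*Authentication succeeded (\([a-z-]*\)).*/\1/p' | head -n 1)
    if [ -n "$method" ]; then
        echo "$method"
    else
        echo none
    fi
}

# Print the path of the key the server accepted (the moment the post describes
# as the response matching the Public Key); prints nothing if no key was accepted.
accepted_key_path() {
    sed -n 's/.*Server accepts key: \([^ ]*\).*/\1/p' | head -n 1
}

# Succeed only if the session authenticated with a key. A login that silently
# fell back to a password means the key setup is not actually in effect.
authenticated_with_key() {
    [ "$(auth_method_used)" = "publickey" ]
}

# Stand-alone run: analyse the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_TRANSCRIPT" | auth_method_used
    printf '%s\n' "$SAMPLE_TRANSCRIPT" | accepted_key_path
fi
```

In practice you would pipe a real session through it, for example `ssh -v linuxhost true 2>&1 | authenticated_with_key`, since ssh writes its debug output to stderr. A result of password rather than publickey is the usual sign that the key file or its permissions were not picked up.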

Generating and using a Public/Private Key Pair on your Mac

  1. Start your Terminal and run the following:
    ssh-keygen

  2. Leave the location defaults as they are, and when you are prompted for a Passphrase, create one if you wish (recommended). A Passphrase is a password for your key: it is used to encrypt the Private Key, adding an extra layer of security. Think of it as a lock-box for your key. This process creates two files.
    These are your Private and Public Keys respectively:
    a. id_rsa
    b. id_rsa.pub

  3. Copy your Public Key to your remote host. There is a utility for exactly this purpose, ssh-copy-id:
    ssh-copy-id -i ~/.ssh/id_rsa.pub chris@linuxhost
    Remember to use your own Unix username@ as shown above.

  4. Now store the Private Key in your Mac Keychain. You only need to do this once:
    ssh-add -K ~/.ssh/id_rsa
    Enter your key passphrase, and you won't be asked for it again.

Tip 🚀

If you are on a version of OS X earlier than Sierra, you are done; the rest is not required.

  5. Configure SSH to always use the Mac Keychain.

Check whether ~/.ssh/config exists. If it does not yet, create it and add the following text, replacing my Unix username with your own. These settings now become the default. To log in to a server with a different username, simply use the standard username@hostname form.

    Host *
    User chris
    UseKeychain yes
    AddKeysToAgent yes
    IdentityFile ~/.ssh/id_rsa

Using the new Key-pair and Config

You should now be able to log into your remote host by simply typing the following in the terminal. No password or username is required, as both are now supplied automatically.
    ssh linuxhost

Your Mac should now read your identity file and key-chain to complete the missing information, such as the location to your Private Key and your username.
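The five steps above, plus the checks worth running afterwards, fit in one short script. This is an added example and not code from the original post: it assumes the macOS ssh-keygen, ssh-copy-id, ssh-add and ssh, keeps the post's placeholder user chris and host linuxhost, and chooses an ed25519 key (KEY_FILE, my name) instead of the RSA default that plain ssh-keygen produces. The function names are mine. Two details go beyond the post: ssh -G prints the configuration ssh would use for a host without connecting, which confirms that the User and IdentityFile lines are being read; and on macOS 12 and later ssh-add spells the keychain flag --apple-use-keychain, so the script tries that before the post's -K.

```shell
#!/bin/sh
# Added example (not from the original post): the post's key setup as a script,
# plus the permission and config checks a practitioner runs afterwards.
# Assumptions: macOS ssh tools; "chris"/"linuxhost" are the post's placeholders;
# ed25519 instead of the post's RSA default.

KEY_FILE="${KEY_FILE:-$HOME/.ssh/id_ed25519}"

# Symbolic permission string of a path, e.g. "-rw-------". ls is used rather
# than stat because stat's flags differ between macOS (-f) and Linux (-c).
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Succeed only if the file is readable by its owner alone. ssh refuses to load
# a private key whose mode is more open than this.
private_key_is_locked_down() {
    case "$(perm_string "$1")" in
        -r--------|-rw-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Write the post's config to path $1 for user $2 and key $3. Refuses to clobber
# an existing file and creates the new one with mode 600 (umask in a subshell
# so the caller's umask is untouched).
write_ssh_config() {
    cfg="$1"; user="$2"; key="$3"
    if [ -e "$cfg" ]; then
        echo "refusing to overwrite existing $cfg" >&2
        return 1
    fi
    (
        umask 077
        cat >"$cfg" <<EOF
Host *
    User $user
    UseKeychain yes
    AddKeysToAgent yes
    IdentityFile $key
EOF
    )
}

# Store the passphrase in the macOS keychain. macOS 12+ uses --apple-use-keychain;
# older releases only know the post's -K, so fall back to it.
add_key_to_keychain() {
    ssh-add --apple-use-keychain "$1" 2>/dev/null || ssh-add -K "$1"
}

# Ask ssh how it would connect (ssh -G resolves the config without connecting)
# and show the two values ~/.ssh/config is supposed to supply.
show_resolved_config() {
    ssh -G "$1" | grep -E '^(user|identityfile) '
}

# Steps 1 to 5 of the post, in order, with the checks in between.
setup_ssh_keys() {
    host="$1"; user="$2"
    mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"
    [ -f "$KEY_FILE" ] || ssh-keygen -t ed25519 -f "$KEY_FILE"   # prompts for a passphrase
    private_key_is_locked_down "$KEY_FILE" || chmod 600 "$KEY_FILE"
    ssh-copy-id -i "$KEY_FILE.pub" "$user@$host"
    add_key_to_keychain "$KEY_FILE"
    [ -e "$HOME/.ssh/config" ] || write_ssh_config "$HOME/.ssh/config" "$user" "$KEY_FILE"
    show_resolved_config "$host"
}

# The setup is interactive (passphrase, first ssh-copy-id login), so only run it
# when asked explicitly:  sh setup.sh --run
if [ "${1:-}" = "--run" ]; then
    setup_ssh_keys linuxhost chris
fi
```

If the final ssh -G output shows a user other than chris or an identityfile other than the key you generated, the config file is not where ssh expects it or is not readable, and ssh will fall back to prompting for a password.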
