Basic understanding of SSH, SSH-KEYGEN, SSH-COPY-ID
Posted by Mir Sayeed Hassan on November 21st, 2023
Before you proceed, make sure OpenSSH is installed on the client and on every server you intend to reach: the server side needs sshd running, the client side needs ssh, ssh-keygen, ssh-copy-id and ssh-agent, which ship in the OpenSSH client package.
The first time you connect to a server, ssh has no record of its host key and asks you to confirm the fingerprint (trust on first use). Compare the fingerprint with one obtained out of band (from the console, from the server's own `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub`, or from your provisioning records) before answering yes; accepting it blindly is exactly what lets a machine in the middle substitute its own key.

[s.hassan@test-ansible ~]$ ssh 192.168.***.131
The authenticity of host '192.168.***.131 (192.168.***.131)' can't be established.
ECDSA key fingerprint is SHA256:FN8ujGxTo1RxvSl3cgNW4Rcvfc2iiWgI3Keg0wePyh4.
ECDSA key fingerprint is MD5:2b:91:44:32:53:2d:32:51:cb:ff:7b:65:a0:e1:33:4a.
Are you sure you want to continue connecting (yes/no)? yes
Last login: Tue Nov 21 14:19:07 2023 from *192.*168***.***

The second time the prompt does not appear: the host key was saved in ~/.ssh/known_hosts and ssh now checks the server against it. If the key ever changes, ssh refuses to connect and prints "WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!"; treat that as a reason to investigate, not as a reason to delete the known_hosts entry.

[root@test-ansible ~]# ssh 192.168.***.131
Last login: Sat Nov 11 15:35:58 2023 from test-ansible
List the contents of ~/.ssh.

[root@test-ansible ~]# ls -la .ssh
total 32
drwx------. 2 root root 4096 Nov 11 15:40 .
dr-xr-x---. 4 root root 4096 Nov 11 15:48 ..
-rw-r--r--. 1 root root  177 Nov 11 15:15 known_hosts

At this point there are no keys, only the known_hosts file written by the first connection.
Generate a key pair with ssh-keygen using its defaults (on this OpenSSH version the default type is RSA 2048):

[root@test-ansible ~]# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:IkbSsC7qjv98GNGncG85FN8a2+QNIQt8j9Y683eMPNk root@test-ansible
The key's randomart image is:
+---[RSA 2048]----+
| . . |
| + + o . |
| o o. = B . |
| . oo o o * * |
|. . o+.=So O o |
|.. .....= * o . |
|. o . . + . = |
|o .. . . * E|
|o+..o. . o |
+----[SHA256]-----+
Generate a key pair with an explicit type and comment.

[root@test-ansible ~]# ssh-keygen -t ed25519 -C "MIR_ANSIBLE"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_ed25519.
Your public key has been saved in /root/.ssh/id_ed25519.pub.
The key fingerprint is:
SHA256:fR1g6yOeqBhbtzN8RCrFqhzS1FuH8FD9SzNMjlWI4dA MIR_ANSIBLE
The key's randomart image is:
+--[ED25519 256]--+
| .oo.ooo. |
| o oE.+o |
| . = ..B. . |
| . . *.+.B. . |
| o =S+o.++. |
| . o + .o.+.. |
| o.o.oo.o |
| o= o+.. |
| o . .+ |
+----[SHA256]-----+

Note: -t : key type. ed25519 is the recommended choice today (small keys, fast, no key-size or curve parameters to get wrong). It was not the default on this OpenSSH version, which produced RSA 2048 above; OpenSSH 9.5 and later default to ed25519.
-C : free-text comment stored in the public key; use it to record who or what the key is for.
/root/.ssh/id_ed25519 : default path for this key type; pass -f to choose another.
passphrase : encrypts the private key on disk, so a copied id_ed25519 file alone is not enough to log in. You type it when the key is used, or once per session when the key is loaded into ssh-agent.
Verify the files that were created.

[root@test-ansible ~]# ls -la .ssh
total 24
drwx------. 2 root root 4096 Nov 11 15:40 .
dr-xr-x---. 4 root root 4096 Nov 11 15:48 ..
-rw-------. 1 root root  444 Nov 11 16:06 id_ed25519
-rw-r--r--. 1 root root   93 Nov 11 16:06 id_ed25519.pub
-rw-r--r--. 1 root root  177 Nov 11 15:15 known_hosts

Note:
id_ed25519: private key, mode 600. ssh refuses to use a private key that is readable by other users.
id_ed25519.pub: public key, mode 644. This is the part that gets copied to servers.
View the public key. It is a single line: key type, base64 key blob, comment. It is safe to share and is exactly what ends up in a server's authorized_keys.

[root@test-ansible ~]# cat .ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6EVJctvsxnc2NzWOdjON58j9hb8wCmMicyUE+74Tfs MIR_ANSIBLE

View the private key. It is shown here only to illustrate the format; never copy it to a server, paste it into a ticket or commit it. The first bytes of the base64 decode to the "openssh-key-v1" header with cipher aes256-cbc and KDF bcrypt, which confirms this file is encrypted with the passphrase entered above.

[root@test-ansible ~]# cat .ssh/id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABAjQhvVtG
vl+a+EUJXtH0hqAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIL6EVJctvsxnc2Nz
WOdjON58j9hb8wCmMicyUE+74TfsAAAAkAmpz2V28OA2cwyCj5OoUDK+dNX18o3ev69Ytk
iDtavmDJAAr0T7mzI9/T7NqZAZDHOt37TqXiNWBUKJxRjBq7/qy7OsaN0Z5O3+X2QHvE3t
h0ijJ6K3SSR4wk5WXtSXJNcKuGqNh4/pwzH/MvWUUu1BEX5tM0bTYlT+B6Yg7KONkCTP9g
rVFHxrh3w4QP3seg==
-----END OPENSSH PRIVATE KEY-----
Install the public key with ssh-copy-id, first on the same server, then on another server.

[root@test-ansible ~]# ssh-copy-id -i .ssh/id_ed25519.pub 192.168.***.131
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.***.131's password:

Number of key(s) added: 1

Now try logging into the machine, with: "ssh '192.168.***.131'"
and check to make sure that only the key(s) you wanted were added.

Note: -i : identity file to install, followed by the key file name (ssh-copy-id appends .pub itself if you give it the private key path). It authenticates once with the remote user's password, appends the public key line to that user's ~/.ssh/authorized_keys (root here) and skips keys that are already installed. Take the closing advice literally: log in and read authorized_keys, so you notice any key you did not expect.
Verify that authorized_keys was created on the server.

[root@test-ansible ~]# ls -la .ssh/
total 32
drwx------. 2 root root 4096 Nov 11 16:14 .
dr-xr-x---. 4 root root 4096 Nov 11 15:48 ..
-rw-------. 1 root root   93 Nov 11 16:14 authorized_keys
-rw-------. 1 root root  444 Nov 11 16:06 id_ed25519
-rw-r--r--. 1 root root   93 Nov 11 16:06 id_ed25519.pub
-rw-r--r--. 1 root root  177 Nov 11 15:15 known_hosts

authorized_keys is mode 600 because ssh-copy-id creates it under umask 077. sshd's StrictModes (on by default) ignores the file if it, ~/.ssh or the home directory is writable by group or others, which is the usual reason a freshly copied key "does not work".

View the contents of authorized_keys: it is the public key line, byte for byte.

[root@test-ansible ~]# cat .ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6EVJctvsxnc2NzWOdjON58j9hb8wCmMicyUE+74Tfs MIR_ANSIBLE
Copy the public key to the other servers.

[root@test-ansible ~]# ssh-copy-id -i .ssh/id_ed25519.pub 192.168.***.132
[root@test-ansible ~]# ssh-copy-id -i .ssh/id_ed25519.pub 192.168.***.133

Note: likewise we can copy the key to any number of servers. Each new host will first show the host key prompt described at the top; verify the fingerprint before answering yes.
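What ssh-copy-id just did on the remote side, written out as plain shell so the details are visible (an added example for this page, not ssh-copy-id's own source): create ~/.ssh with mode 700 and authorized_keys with mode 600 under umask 077, compare the key blob (type plus base64, ignoring comment and any options) against what is already installed so that a re-copied key is not duplicated, and append only when it is new. ssh-copy-id itself detects already-installed keys by attempting a login with each one; the blob comparison here is a local stand-in for that. The function names, the throwaway home directory and the demo are this example's own; the key lines are the two public keys shown on this page.

```shell
#!/bin/sh
# Added example: the remote-side work of ssh-copy-id, done by hand.
# Function names, the throwaway home directory and the demo are this
# example's own; they are not taken from ssh-copy-id or the original post.

# key_blob LINE -> print "<type> <base64>" from a .pub / authorized_keys line,
# skipping leading options (from="...", command="...") and the trailing comment.
# Returns 1 when the line carries no recognisable key.
key_blob() {
    printf '%s\n' "$1" | awk '
        { for (i = 1; i < NF; i++)
              if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/) { print $i " " $(i+1); exit 0 }
          exit 1 }'
}

# has_key FILE BLOB -> 0 if some line in FILE carries the same type+base64,
# whatever its comment or options. Comparing the blob rather than the whole
# line is what keeps a re-copied key with a new comment from being duplicated.
has_key() {
    [ -f "$1" ] || return 1
    awk -v want="$2" '
        { for (i = 1; i < NF; i++)
              if ($i ~ /^(ssh-|ecdsa-sha2-|sk-)/ && $i " " $(i+1) == want) { found = 1; exit } }
        END { exit !found }' "$1"
}

# install_authorized_key HOME PUBKEY_LINE -> prints "added" or "present".
# Returns 2 (and installs nothing) if PUBKEY_LINE is not a public key line.
install_authorized_key() {
    home=$1 line=$2
    blob=$(key_blob "$line") || { echo "not a public key line: $line" >&2; return 2; }
    dir=$home/.ssh auth=$home/.ssh/authorized_keys
    # Set the umask before creating anything, so the file is never briefly world-readable.
    (umask 077
     mkdir -p "$dir" && chmod 700 "$dir"
     [ -f "$auth" ] || : > "$auth"
     chmod 600 "$auth")
    if has_key "$auth" "$blob"; then echo present; return 0; fi
    printf '%s\n' "$line" >> "$auth"
    echo added
}

# check_key_perms HOME -> 0 when ~/.ssh is 700 and authorized_keys is 600,
# the tight settings ssh-copy-id produces. sshd's StrictModes rejects anything
# writable by group or others, so this is the first thing to check when a
# copied key is silently ignored.
check_key_perms() {
    [ "$(ls -ld "$1/.ssh" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$1/.ssh/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# Demo against a throwaway home directory (constructed; the real ~ is untouched).
demo() {
    tmp=$(mktemp -d)
    k1='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6EVJctvsxnc2NzWOdjON58j9hb8wCmMicyUE+74Tfs MIR_ANSIBLE'
    install_authorized_key "$tmp" "$k1"                                  # added
    install_authorized_key "$tmp" "$k1"                                  # present
    install_authorized_key "$tmp" "from=\"192.168.0.0/24\" ${k1% *} renamed"   # present: same blob
    check_key_perms "$tmp" && echo "permissions ok"
    cat "$tmp/.ssh/authorized_keys"                                      # exactly one line
    rm -rf "$tmp"
}

demo
```

Run it as the target user against that user's real home directory to reproduce what ssh-copy-id does without a password round trip (for instance when keys arrive through configuration management rather than over SSH).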
Connect to the server with the key. Because id_ed25519 is passphrase-protected, ssh asks for the key's passphrase (not the server's password) before it can use the key.

[root@test-ansible ~]# ssh 192.168.***.131
Enter passphrase for key '/root/.ssh/id_ed25519': [provide the passphrase]
Last login: Sat Nov 11 16:18:19 2023 from test-ansible
Create another key pair without a passphrase, stored under a different file name. An unencrypted private key is convenient for automation (Ansible here) but anyone who can read the file can use it, so keep it mode 600 on a host you control, and limit what it can do on the servers (for example with from= or command= options in authorized_keys).

[root@test-ansible ~]# ssh-keygen -t ed25519 -C "NEWANSIBLE"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519): /root/.ssh/newansible
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/newansible.
Your public key has been saved in /root/.ssh/newansible.pub.
The key fingerprint is:
SHA256:zjCYaXGo8tmStKPwho2dHFxu1HY5XTbP9AUQJOsWqN0 NEWANSIBLE
The key's randomart image is:
+--[ED25519 256]--+
| ..+o.. |
| . . o+ . .|
| o.. .ooo = ..|
| .o*oo+o.. o .|
|..o+=.+.S.E |
| +o*o = . |
|.*B+. o |
|+o*o |
|... |
+----[SHA256]-----+
Similarly, copy this key to the servers. Giving -i the private key path works: ssh-copy-id appends .pub and installs the public half.

[root@test-ansible ~]# ssh-copy-id -i .ssh/newansible 192.168.***.131
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/newansible.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Enter passphrase for key '/root/.ssh/id_ed25519':

Number of key(s) added: 1

Now try logging into the machine, with: "ssh '192.168.***.131'"
and check to make sure that only the key(s) you wanted were added.

NOTE: the passphrase prompt here is for the existing id_ed25519 key, which is already installed on the server and which ssh-copy-id uses to log in; enter that key's passphrase. The new newansible key has no passphrase of its own.

Similarly, copy it to the other servers.

[root@test-ansible ~]# ssh-copy-id -i .ssh/newansible 192.168.***.132
[root@test-ansible ~]# ssh-copy-id -i .ssh/newansible 192.168.***.133
Verify that both keys are now present in authorized_keys, one per line.

[root@test-ansible ~]# cat .ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6EVJctvsxnc2NzWOdjON58j9hb8wCmMicyUE+74Tfs MIR_ANSIBLE
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIeUIkDlUKzL/ZxDbhZBx/x2HO4STftNllCdNQadnpn NEWANSIBLE
Log in from the workstation to each server, selecting the key explicitly with -i.

[root@test-ansible ~]# ssh -i .ssh/newansible 192.168.***.131
Last login: Sat Nov 11 16:18:24 2023 from test-ansible
[root@test-ansible ~]# ssh -i .ssh/newansible 192.168.***.132
Last login: Sat Nov 11 16:18:24 2023 from test-ansible
[root@test-ansible ~]# ssh -i .ssh/newansible 192.168.***.133
Last login: Sat Nov 11 16:18:24 2023 from test-ansible

NOTE: no passphrase prompt this time, because newansible was created without one. Without -i, ssh only tries the default file names (id_rsa, id_ed25519, ...), so a key with a custom name must be named with -i, with an IdentityFile entry in ~/.ssh/config, or be loaded into ssh-agent.
Start ssh-agent and note its process id. ssh-agent prints shell commands that export SSH_AUTH_SOCK and SSH_AGENT_PID; eval applies them to the current shell so that ssh can find the agent.

[root@test-ansible ~]# eval $(ssh-agent)
Agent pid 28749

Verify that the agent is running in the background.

[root@test-ansible ~]# ps aux | grep 28749
root     28749  0.0  0.0  72484   776 ?        Ss   16:31   0:00 ssh-agent
root     28751  0.0  0.0 114292  2268 pts/8    S+   16:31   0:00 grep --color=auto 28749
Load the keys into the agent with ssh-add. With no arguments it adds the identities at the default paths and asks for each passphrase once; afterwards ssh signs with the agent and no longer prompts. A key under a non-default name such as newansible is not picked up automatically and has to be given to ssh-add by path.

[root@test-ansible ~]# ssh-add
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
Identity added: /root/.ssh/id_ed25519 (ansible)
Create an alias that starts the agent and loads the keys in one step.

[root@test-ansible ~]# alias ssha='eval $(ssh-agent) && ssh-add'
[root@test-ansible ~]# ssha
Agent pid 28769
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
Identity added: /root/.ssh/id_ed25519 (ansible)

Store the alias permanently in .bashrc.

[root@test-ansible ~]# vi .bashrc
## ssh agent
alias ssha='eval $(ssh-agent) && ssh-add'

[root@test-ansible ~]# ssha
Agent pid 28769
Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
Identity added: /root/.ssh/id_ed25519 (ansible)

Caveat: every run of this alias starts a brand-new ssh-agent and asks for the passphrases again, and each new shell that runs it leaves the previous agent orphaned. Check with ps for stray ssh-agent processes, and prefer reusing one agent per login.
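A sturdier pattern than the alias above, added here as an example and not part of the original post: remember the agent's socket and pid in a file and reuse that agent while it is alive, so passphrases are typed once per agent lifetime instead of once per shell and no orphaned agents accumulate. The file name ~/.ssh/agent.env and the function names are this example's choices.

```shell
#!/bin/sh
# Added example: reuse one ssh-agent per login instead of spawning a new one
# from every shell. The env file path and function names are this example's
# own choices, not part of the original post.

AGENT_ENV=${AGENT_ENV:-$HOME/.ssh/agent.env}   # where the agent's socket and pid are remembered

# agent_alive -> 0 when SSH_AGENT_PID names a live process we may signal and
# SSH_AUTH_SOCK is an existing socket. Works without the ssh tools installed,
# but cannot tell a reused pid from a real agent; see agent_reachable for that.
agent_alive() {
    [ -n "${SSH_AGENT_PID:-}" ] && [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    kill -0 "$SSH_AGENT_PID" 2>/dev/null && [ -S "$SSH_AUTH_SOCK" ]
}

# agent_reachable -> 0 when ssh-add can actually talk to the agent.
# ssh-add -l exits 0 (keys loaded), 1 (reachable, no keys) or 2 (cannot connect).
agent_reachable() {
    command -v ssh-add >/dev/null || return 1
    ssh-add -l >/dev/null 2>&1
    [ $? -ne 2 ]
}

# ensure_agent -> source the saved env; if that agent is gone, start a fresh one,
# save its env with mode 600, and load the default identities with a lifetime.
ensure_agent() {
    if [ -r "$AGENT_ENV" ]; then . "$AGENT_ENV" >/dev/null; fi
    if agent_alive && agent_reachable; then return 0; fi
    command -v ssh-agent >/dev/null || { echo "ssh-agent not installed" >&2; return 1; }
    (umask 077; ssh-agent -s > "$AGENT_ENV")   # -s: Bourne-style export lines
    . "$AGENT_ENV" >/dev/null
    # Passphrases are asked for once per agent lifetime; -t makes the loaded
    # keys expire so a forgotten agent does not stay usable for days.
    ssh-add -t 8h
}

# Usage (for example from .bashrc, replacing the alias):  ensure_agent
```

Call ensure_agent from .bashrc in place of the alias. `ssh-add -l` shows what is loaded and `ssh-add -D` removes everything. Keep ForwardAgent off unless you trust the remote host completely: a forwarded agent lets that host sign with every loaded key for as long as the session lasts.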
====Hence tested & verified in our test env====