Mir Sayeed Hassan – Oracle Blog

Oracle DBA – Tips & Techniques | Learn with real-time examples

Basic understanding of SSH, SSH-KEYGEN, SSH-COPY-ID

Posted by Mir Sayeed Hassan on November 21st, 2023


Before you proceed, make sure OpenSSH is installed on your server.

The first time you connect to the server over SSH, answer "yes" at the prompt.

[s.hassan@test-ansible ~]$ ssh 192.168.***.131

The authenticity of host '192.168.***.131 (192.168.***.131)' can't be established.
ECDSA key fingerprint is SHA256:FN8ujGxTo1RxvSl3cgNW4Rcvfc2iiWgI3Keg0wePyh4.
ECDSA key fingerprint is MD5:2b:91:44:32:53:2d:32:51:cb:ff:7b:65:a0:e1:33:4a.
Are you sure you want to continue connecting (yes/no)? yes
Last login: Tue Nov 21 14:19:07 2023 from *192.*168***.***

The second time, the prompt is not shown.

[root@test-ansible ~]# ssh 192.168.***.131
Last login: Sat Nov 11 15:35:58 2023 from test-ansible
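
The SHA256 and MD5 fingerprints shown at the first-connection prompt can be recomputed from a public key line (`type base64 comment`) and compared with a value obtained out of band before answering yes. The following is an added example, not part of the original post; the function names and the sample key (32 filler bytes, not a real key) are constructed for illustration.

```python
import base64
import hashlib


def parse_public_key(line):
    """Return (key_type, raw_blob, comment) from an OpenSSH public key line."""
    fields = line.strip().split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob = fields[0], base64.b64decode(fields[1], validate=True)
    # The blob starts with a length-prefixed copy of the key type; a mismatch
    # means the line was edited or truncated.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n].decode("ascii", "replace") != key_type:
        raise ValueError("key type does not match the key blob")
    return key_type, blob, fields[2] if len(fields) > 2 else ""


def sha256_fingerprint(blob):
    """Fingerprint as ssh prints it: 'SHA256:' + unpadded base64 digest."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def md5_fingerprint(blob):
    """Legacy form: 'MD5:' + colon-separated hex bytes."""
    hexd = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexd[i:i + 2] for i in range(0, 32, 2))


def matches_expected(line, expected):
    """True only if the key on `line` has the fingerprint obtained out of band."""
    _, blob, _ = parse_public_key(line)
    if expected.startswith("MD5:"):
        return md5_fingerprint(blob) == expected
    return sha256_fingerprint(blob) == expected


def make_sample_line(seed, comment="constructed-sample"):
    """Constructed sample: ed25519-shaped blob with 32 filler bytes (not a real key)."""
    name = b"ssh-ed25519"
    blob = (len(name).to_bytes(4, "big") + name
            + (32).to_bytes(4, "big") + bytes([seed]) * 32)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    trusted = make_sample_line(0x11)
    expected = sha256_fingerprint(parse_public_key(trusted)[1])
    print(expected, matches_expected(trusted, expected))
    print(matches_expected(make_sample_line(0x22), expected))  # a different key
```
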

Check the contents of the default .ssh directory.

[root@test-ansible ~]# ls -la .ssh
total 32
drwx------. 2 root root 4096 Nov 11 15:40 .
dr-xr-x---. 4 root root 4096 Nov 11 15:48 ..
-rw-r--r--. 1 root root 177 Nov 11 15:15 known_hosts

Here we don't have any SSH key, only the default known_hosts file.

Let us create a key pair with ssh-keygen using the command below.

[root@test-ansible ~]# ssh-keygen

Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:IkbSsC7qjv98GNGncG85FN8a2+QNIQt8j9Y683eMPNk root@test-ansible
The key's randomart image is:
+---[RSA 2048]----+
| . . |
| + + o . |
| o o. = B . |
| . oo o o * * |
|. . o+.=So O o |
|.. .....= * o . |
|. o . . + . = |
|o .. . . * E|
|o+..o. . o |
+----[SHA256]-----+

Generate a key pair with ssh-keygen, specifying a type and a comment.

[root@test-ansible ~]# ssh-keygen -t ed25519 -C "MIR_ANSIBLE"

Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519):
Enter passphrase (empty for no passphrase):
Enter same passphrase again: mir
Your identification has been saved in /root/.ssh/id_ed25519.
Your public key has been saved in /root/.ssh/id_ed25519.pub.
The key fingerprint is: mir
SHA256:fR1g6yOeqBhbtzN8RCrFqhzS1FuH8FD9SzNMjlWI4dA MIR_ANSIBLE
The key's randomart image is:
+--[ED25519 256]--+
| .oo.ooo. |
| o oE.+o |
| . = ..B. . |
| . . *.+.B. . |
| o =S+o.++. |
| . o + .o.+.. |
| o.o.oo.o |
| o= o+.. |
| o . .+ |
+----[SHA256]-----+

Note:

-t : type (here we have used the default secure type: ed25519)
-C : you can place any comment you want
/root/.ssh/id_ed25519 : default location
passphrase : the password you require

Verify the contents of the .ssh directory.

[root@test-ansible ~]# ls -la .ssh
total 24
drwx------. 2 root root 4096 Nov 11 15:40 .
dr-xr-x---. 4 root root 4096 Nov 11 15:48 ..
-rw-------. 1 root root 444 Nov 11 16:06 id_ed25519
-rw-r--r--. 1 root root 93 Nov 11 16:06 id_ed25519.pub
-rw-r--r--. 1 root root 177 Nov 11 15:15 known_hosts

Note:

id_ed25519: Private Key
id_ed25519.pub: Public Key

Verify the contents of the public key

[root@test-ansible ~]# cat .ssh/id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6EVJctvsxnc2NzWOdjON58j9hb8wCmMicyUE+74Tfs MIR_ANSIBLE

Verify the private key

[root@test-ansible ~]# cat .ssh/id_ed25519


Copy the public key with ssh-copy-id to the same server and to another server

[root@test-ansible ~]# ssh-copy-id -i .ssh/id_ed25519.pub 192.168.***.131

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/id_ed25519.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
root@192.168.***.131's password:
Number of key(s) added: 1

Now try logging into the machine, with: "ssh '192.168.***.131'" 
and check to make sure that only the key(s) you wanted were added.

Note: -i : stands for input file, followed by the name of the key file

Verify that the authorized_keys file has been generated on the server

[root@test-ansible ~]# ls -la .ssh/
total 32
drwx------. 2 root root 4096 Nov 11 16:14 .
dr-xr-x---. 4 root root 4096 Nov 11 15:48 ..
-rw-------. 1 root root 93 Nov 11 16:14 authorized_keys
-rw-------. 1 root root 444 Nov 11 16:06 id_ed25519
-rw-r--r--. 1 root root 93 Nov 11 16:06 id_ed25519.pub
-rw-r--r--. 1 root root 177 Nov 11 15:15 known_hosts

View the contents of the authorized_keys file

[root@test-ansible ~]# cat .ssh/authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6EVJctvsxnc2NzWOdjON58j9hb8wCmMicyUE+74Tfs MIR_ANSIBLE

Copy the public key to another server

[root@test-ansible ~]# ssh-copy-id -i .ssh/id_ed25519.pub 192.168.***.132
[root@test-ansible ~]# ssh-copy-id -i .ssh/id_ed25519.pub 192.168.***.133

Note: Likewise, we can copy the key to multiple servers.

Connect to the server with the passphrase

[root@test-ansible ~]# ssh 192.168.***.131
Enter passphrase for key '/root/.ssh/id_ed25519': [Provide the Password]
Last login: Sat Nov 11 16:18:19 2023 from test-ansible

Create another key pair with ssh-keygen, without a passphrase

[root@test-ansible ~]# ssh-keygen -t ed25519 -C "NEWANSIBLE"
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519): /root/.ssh/newansible
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/newansible.
Your public key has been saved in /root/.ssh/newansible.pub.
The key fingerprint is:
SHA256:zjCYaXGo8tmStKPwho2dHFxu1HY5XTbP9AUQJOsWqN0 NEWANSIBLE
The key's randomart image is:
+--[ED25519 256]--+
| ..+o.. |
| . . o+ . .|
| o.. .ooo = ..|
| .o*oo+o.. o .|
|..o+=.+.S.E |
| +o*o = . |
|.*B+. o |
|+o*o |
|... |
+----[SHA256]-----+

Similarly, you can copy this key to another server

[root@test-ansible ~]# ssh-copy-id -i .ssh/newansible 192.168.***.131

/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: ".ssh/newansible.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
Enter passphrase for key '/root/.ssh/id_ed25519':

Number of key(s) added: 1

Now try logging into the machine, with: "ssh '192.168.***.131'"
and check to make sure that only the key(s) you wanted were added.

NOTE: Here, don't give a passphrase (as we have not added one).

Similarly, you can copy the key to the other servers without the passphrase

[root@test-ansible ~]# ssh-copy-id -i .ssh/newansible 192.168.***.132
[root@test-ansible ~]# ssh-copy-id -i .ssh/newansible 192.168.***.133

Here you can verify the keys

[root@test-ansible ~]# cat .ssh/authorized_keys

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIL6EVJctvsxnc2NzWOdjON58j9hb8wCmMicyUE+74Tfs MIR_ANSIBLE
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPIeUIkDlUKzL/ZxDbhZBx/x2HO4STftNllCdNQadnpn NEWANSIBLE

Log in from the workstation to the other servers.

[root@test-ansible ~]# ssh -i .ssh/newansible 192.168.***.131
Last login: Sat Nov 11 16:18:24 2023 from test-ansible

[root@test-ansible ~]# ssh -i .ssh/newansible 192.168.***.132
Last login: Sat Nov 11 16:18:24 2023 from test-ansible

[root@test-ansible ~]# ssh -i .ssh/newansible 192.168.***.133
Last login: Sat Nov 11 16:18:24 2023 from test-ansible

NOTE: Here we are connected without the passphrase.

Start ssh-agent and check its process ID
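
A key created with an empty passphrase, like `newansible` above, can be told apart from a protected one by reading the cipher and KDF names at the start of the OpenSSH private key format. The following is an added example, not part of the original post; the function names are illustrative and the sample inputs are constructed headers that contain no key material.

```python
import base64

MAGIC = b"openssh-key-v1\x00"
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"


def _read_string(buf, off):
    """Read one SSH 'string': 4-byte big-endian length, then that many bytes."""
    n = int.from_bytes(buf[off:off + 4], "big")
    end = off + 4 + n
    if off + 4 > len(buf) or end > len(buf):
        raise ValueError("truncated key header")
    return buf[off + 4:end], end


def key_protection(pem_text):
    """Return (cipher, kdf, is_encrypted) for an OpenSSH-format private key."""
    body = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(body) < 3 or body[0] != BEGIN or body[-1] != END:
        raise ValueError("not an OpenSSH-format private key")
    raw = base64.b64decode("".join(body[1:-1]))
    if not raw.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    cipher, off = _read_string(raw, len(MAGIC))
    kdf, _ = _read_string(raw, off)
    cipher, kdf = cipher.decode("ascii"), kdf.decode("ascii")
    # ssh-keygen writes cipher "none" and kdf "none" when the passphrase is empty.
    return cipher, kdf, cipher != "none"


def make_sample_header(cipher, kdf):
    """Constructed sample: header fields plus filler bytes, no key material."""
    def s(b):
        return len(b).to_bytes(4, "big") + b
    raw = MAGIC + s(cipher) + s(kdf) + s(b"") + (1).to_bytes(4, "big") + b"\x00" * 16
    b64 = base64.b64encode(raw).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "\n".join([BEGIN, *lines, END])


def audit(named_keys):
    """Return the names of keys that are stored without passphrase protection."""
    return [name for name, pem in named_keys.items() if not key_protection(pem)[2]]


if __name__ == "__main__":
    keys = {"id_ed25519": make_sample_header(b"aes256-ctr", b"bcrypt"),
            "newansible": make_sample_header(b"none", b"none")}
    print(audit(keys))
```
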

[root@test-ansible ~]# eval $(ssh-agent)
Agent pid 28749

Verify the process is running in the background

[root@test-ansible ~]# ps -aux | grep 28749

root 28749 0.0 0.0 72484 776 ? Ss 16:31 0:00 ssh-agent
root 28751 0.0 0.0 114292 2268 pts/8 S+ 16:31 0:00 grep --color=auto 28749

Add the keys by using ssh-add

[root@test-ansible ~]# ssh-add

Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
Identity added: /root/.ssh/id_ed25519 (ansible)

Create an alias

[root@test-ansible ~]# alias ssha='eval $(ssh-agent) && ssh-add'
[root@test-ansible ~]# ssha
Agent pid 28769

Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
Identity added: /root/.ssh/id_ed25519 (ansible)

Permanently store the alias in the .bashrc file.

[root@test-ansible ~]# vi .bashrc

## ssh agent 
alias ssha='eval $(ssh-agent) && ssh-add'
[root@test-ansible ~]# ssha
Agent pid 28769

Enter passphrase for /root/.ssh/id_rsa:
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)
Identity added: /root/.ssh/id_ed25519 (ansible)

====Hence tested & verified in our test env====