@toulouse
Created October 25, 2012 17:17
SSH Tutorial

I noticed some people were typing a lot just to ssh. This can be a pain, so for those who don't already know, here's how you use SSH fast and effectively. These instructions primarily apply to *nix systems. Specifically, I saw Angie was typing more than she needed and I offered to email helpful instructions.

Part 1: Getting Started

In your home directory, there will be a .ssh directory. This directory is where most of our magic will happen.

If you don't have one, go to your home directory and make the directory. Go ahead and cd into it.

[toulouse@myhomecomputer:~]% cd ~
[toulouse@myhomecomputer:~]% mkdir .ssh
[toulouse@myhomecomputer:~]% cd ~/.ssh

Prevent RSI, Type Less

When you run ssh, it looks in your ~/.ssh directory for a config file. If you don't have one already (you probably don't), make the file:

[toulouse@myhomecomputer:~/.ssh]% touch config

Remember, you're in your ~/.ssh directory; make the file there. Use your favorite text editor and add the following:

Host soda
User PUTYOURUSERNAMEHERE
HostName soda.example.edu
ForwardAgent yes

Save. Exit. Let's try it out!

[toulouse@myhomecomputer:~]% ssh soda
PUTYOURUSERNAMEHERE@soda.example.edu's password:

Huzzah, now you don't have to waste all that effort typing ssh PUTYOURUSERNAMEHERE@soda.example.edu any more!

But wait, you say, can't I just make an alias for my shell? Well, you certainly can! But then you wouldn't be able to do this:

 [toulouse@myhomecomputer:~]% scp horse_porn_bestiality.avi soda:public_html/

Yes, it works! You can scp all the horse po- all the files you want so much more concisely!

Stay Secure, Save Your Password

Public Key Authentication (PKA) is awesome. Here's how it works, with much handwaving applied. You make a public key and a private key. Your computer has the private key, and the server has the public key. The server reads the public key and comes up with a question for your computer. Your private key creates an answer, and if the answer is correct, that counts as your password. Your private key is never actually sent over the wire, so would-be hackers can't intercept it. That line up there (ForwardAgent yes) basically lets the server you logged in to re-ask (proxy) that question back to your computer after you've logged in, if you want to connect to yet another server. The flip side is that, while you're connected, anyone with root on that server can get questions answered by your key too, so only forward your agent to servers you trust.

Anyways, if you just glossed over that, the deal is that PKA is much more convenient than entering your password. But it's also more secure: if you log in to a server without it, you have to type your password. If the server's been hacked, you just gave the hackers your password. If you used PKA then all they have is some useless public key. Especially if you put a passphrase on your private key (and please always do this) - you're pretty darn safe. By the way - please, don't keep your private key on computers that you don't trust. Private keys are basically password files (albeit password files protected by a password).

tl;dr: You should use Public Key Authentication. You will be safer. You can also save the passphrase locally, meaning you can have a passwordless login that's as secure as your own machine, or if you opt not to save the passphrase, you only have to enter it once until you log out of your computer.

To generate your key pair, just type in the shown command:

[toulouse@myhomecomputer:~]% ssh-keygen -t rsa -C "Andrew Toulouse's Key"
Generating public/private rsa key pair.
Enter file in which to save the key (/home/toulouse/.ssh/id_rsa):
Enter passphrase (empty for no passphrase): *******
Enter same passphrase again: *******
Your identification has been saved in /home/toulouse/.ssh/id_rsa.
Your public key has been saved in /home/toulouse/.ssh/id_rsa.pub.

Change the part after the -C in the quotes; this will be the "title" of your key, so you can recognize it when it's used. The default file ssh-keygen picks is one that ssh automatically looks for, so leave it as-is unless you know what you're doing (or want multiple keys - man ssh_config to learn more!).

Great, now that you have a key, you can use it to log in. On the server, make a ~/.ssh folder if there isn't one already, then just copy and paste the contents of your public key (by default, ~/.ssh/id_rsa.pub on your computer) into a file (make it if you have to) called authorized_keys in your ~/.ssh directory. If it already exists, just put it on a line by itself somewhere in the file.

If you're lazy like me, you can do this if you don't have any other keys on the server (you won't unless you've already done something like this), since it replaces authorized_keys:

[toulouse@myhomecomputer:~]% ssh soda "mkdir -p .ssh"
[toulouse@myhomecomputer:~]% scp .ssh/id_rsa.pub soda:.ssh/authorized_keys

The first command will make the .ssh directory if it doesn't already exist, and the second will copy your id_rsa.pub on to the server and rename it to authorized_keys.
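
The scp shortcut overwrites authorized_keys, which is why it is only safe when the server holds no other keys. The function below is an added example (not part of the original gist) of an append that keeps existing keys and sets the modes from the Problems? section; install_pubkey and its arguments are hypothetical names, and it is meant to run on the server side.

```shell
#!/bin/sh
# Added example, not from the original gist. install_pubkey is a hypothetical
# helper: append a public key to authorized_keys instead of overwriting it.
#
# Usage: install_pubkey PUBKEY_FILE [HOME_DIR]   (HOME_DIR defaults to $HOME)
install_pubkey() {
    pubkey_file=$1
    ssh_dir=${2:-$HOME}/.ssh
    auth=$ssh_dir/authorized_keys

    # Use the first non-blank line of the file as the key.
    key=$(grep -v '^[[:space:]]*$' "$pubkey_file" 2>/dev/null | head -n 1)
    case $key in
        *"PRIVATE KEY"*)
            echo "refusing: $pubkey_file is a private key" >&2; return 1 ;;
        ssh-*|ecdsa-*|sk-*) ;;   # OpenSSH public key types
        *)
            echo "refusing: $pubkey_file is not a public key" >&2; return 1 ;;
    esac

    # Create the directory and file with the modes sshd expects (700 / 600).
    ( umask 077 && mkdir -p "$ssh_dir" && touch "$auth" ) || return 1
    chmod 700 "$ssh_dir" || return 1
    chmod 600 "$auth" || return 1

    # Already authorized? (-x whole line, -F fixed string) Then do nothing.
    if grep -qxF -- "$key" "$auth"; then
        return 0
    fi
    # If the last line lacks a newline, add one so keys don't get glued together.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}

# From your own machine, the bare append (no checks) over the "soda" alias:
#   cat ~/.ssh/id_rsa.pub | ssh soda 'umask 077; mkdir -p .ssh; cat >> .ssh/authorized_keys'
```

Where it is installed, OpenSSH's ssh-copy-id soda does the same append for you.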

Now you should be home free. Try it out:

[toulouse@myhomecomputer:~]% ssh soda
[toulouse@soda:~]%

Or, if you put your key in some weird place and it can't find it, hand the private key (not the .pub file) to ssh-add:

[toulouse@myhomecomputer:~]% ssh-add path/to/location/of/key
[toulouse@myhomecomputer:~]% ssh soda
[toulouse@soda:~]%

Done! It's really quite convenient. These few minutes of setup will save you a great deal of time later!

Problems?

This is pretty foolproof, but sometimes people have weird systems (typically a strange umask). The source of problems, if there are any, is going to be file permissions. So if you're having problems, double-check with the following:

  • .ssh directory should be 700 (rwx --- ---)
  • Public key, i.e. id_rsa.pub or somekeyname.pub, should be 644 (rw- r-- r--)
  • Private key, i.e. id_rsa or somekeyname should be 600 (rw- --- ---)

If that's still a problem, try logging in with ssh, but add -v, -vv, or -vvv - depending on how much debugging you want to see. That way, you can find out if it's not finding your key, or if it is finding it, but for some reason is rejecting it, or never even asking you for it anyway.
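
The permission checklist above as a script, added here as an example and not part of the original gist. mode_of, complain and check_ssh_perms are hypothetical names, and the authorized_keys check is an extra beyond the three items listed.

```shell
#!/bin/sh
# Added example, not from the original gist. mode_of, complain and
# check_ssh_perms are hypothetical helper names.

# Octal permission bits of a file, e.g. 600 (GNU stat first, then BSD stat).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

complain() {  # complain FILE ACTUAL_MODE WANTED_MODE
    echo "$1 is $2, want $3 (fix: chmod $3 $1)"
    problems=$((problems + 1))
}

# check_ssh_perms [DIR]: print one line per problem, return the problem count.
check_ssh_perms() {
    dir=${1:-$HOME/.ssh}
    problems=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }

    m=$(mode_of "$dir")
    [ "$m" = 700 ] || complain "$dir" "$m" 700

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        case $f in
            *.pub|*/authorized_keys)
                # Public material: readable is fine, group/other-writable is not.
                # (authorized_keys is an addition to the list above.)
                case $m in *[2367]?|*[2367]) complain "$f" "$m" 644 ;; esac ;;
            *)
                # Private keys are recognised by their header line, not their name.
                if head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY'; then
                    # ssh refuses a key that group or other can access at all.
                    case $m in *00) ;; *) complain "$f" "$m" 600 ;; esac
                fi ;;
        esac
    done
    return "$problems"
}
```

Run check_ssh_perms with no argument on both your computer and the server; an exit status of 0 means nothing to fix.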

Summary

Now, you can shorten the longusername@longhostname to something simpler, like aliasname, whenever you want to log in remotely or transfer files with SCP. You can also do away with password login, and keep your password secure to boot! If you want to know more, man ssh_config will tell you more about your options, or stay tuned and we'll explore a few below.

FAQ

Ask your questions here and I'll add them in!

Part 2: Tweaking

WIP
