Secure SHell - remote command line login to systems with network encryption, using passwords and / or SSH public + private asymmetric key cryptography.
- Generate an SSH Key
- Compare SSH Key Fingerprint
- SSH Public Key and Authorized Keys
- SSH Login using only SSH Key
- Use SSH Agent
- SSH Config
- X Forwarding
- Legacy SSH Servers
## Generate an SSH Key

The comment makes your public key distinguishable when it's copied to ~/.ssh/authorized_keys on servers or Cloud systems:

```shell
ssh-keygen -f ~/.ssh/"$filename" -t rsa -b 4096 -C "$comment"
```

It'll prompt you for a passphrase to protect the private key with. If you add a passphrase, use SSH Agent as documented further down to avoid having to type it every time you use the SSH key.
## Compare SSH Key Fingerprint

Use this to compare against the keys stored on some public service like Bitbucket:

```shell
ssh-keygen -l -f ~/.ssh/"$filename"
```

To print it in MD5 format to compare to an online platform like GitLab:

```shell
ssh-keygen -lf ~/.ssh/id_rsa.pub -E md5
```

## SSH Public Key and Authorized Keys

Copy the contents of the .pub public key file generated by the command above, ~/.ssh/"$filename.pub", into ~/.ssh/authorized_keys on any server you want to SSH to without a password.
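To check a fingerprint in a script rather than by eye, here is an added Python example (not from this page) that reimplements what the two ssh-keygen fingerprint commands above compute: the SHA256 form is the unpadded base64 of the SHA-256 digest of the decoded key blob, and the MD5 form is the colon-separated hex of its MD5 digest. It also checks that the key type at the start of the .pub line matches the type embedded in the blob; the sample key is constructed (its 32 key bytes are 0x00..0x1f, not a real key), and plain .pub lines are assumed, not authorized_keys lines with an options prefix.

```python
import base64
import hashlib
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


# Constructed sample key for the demo: an ssh-ed25519 blob whose 32 key bytes are 0x00..0x1f.
# This is a placeholder, not a real key; the line format matches a .pub / authorized_keys entry.
SAMPLE_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
SAMPLE_PUB_LINE = "ssh-ed25519 " + base64.b64encode(SAMPLE_BLOB).decode() + " hari@laptop"


def parse_pub_line(line: str) -> tuple:
    """Split a .pub line into (key type, decoded blob, comment) and check that the key type
    at the start of the line matches the one embedded in the blob (a tampered line fails)."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    key_type, comment = parts[0], (parts[2] if len(parts) == 3 else "")
    blob = base64.b64decode(parts[1], validate=True)
    (type_len,) = struct.unpack(">I", blob[:4])
    embedded_type = blob[4:4 + type_len].decode()
    if embedded_type != key_type:
        raise ValueError(f"key type mismatch: line says {key_type}, blob says {embedded_type}")
    return key_type, blob, comment


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint as printed by `ssh-keygen -l`: base64 of the digest, padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprint_md5(blob: bytes) -> str:
    """Legacy MD5 fingerprint as printed by `ssh-keygen -l -E md5`: colon-separated hex bytes."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return "MD5:" + ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def check_fingerprint(line: str, expected: str) -> bool:
    """Compare a .pub line against a fingerprint copied from GitHub/GitLab/Bitbucket; accepts the
    SHA256 form or the MD5 form (some sites omit the MD5: prefix)."""
    _, blob, _ = parse_pub_line(line)
    md5 = fingerprint_md5(blob)
    return expected.strip() in {fingerprint_sha256(blob), md5, md5[len("MD5:"):]}
```

Feed check_fingerprint() the line from your own .pub file and the fingerprint string shown in the platform's SSH keys page; a False result means the key uploaded there is not the one on disk.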
## SSH Login using only SSH Key

To enforce logging in using only the public key, and error out otherwise rather than fall back to a password prompt:

```shell
ssh -o PreferredAuthentications=publickey ...
```

Useful to stop automated scripts or CI/CD from getting stuck on a password prompt. It's better to error out immediately, both for faster debugging and to avoid wasting chargeable CI/CD build minutes.
## Use SSH Agent

Password protect your SSH key on disk and then load it into SSH Agent once at startup.

Start ssh-agent and save the output to a file to import into other shells:

```shell
ssh-agent | tee ~/.ssh-agent.env
```

In each shell:

```shell
. ~/.ssh-agent.env
```

Add your SSH key to the agent (it will prompt you this one time for the passphrase if the private key is protected):

```shell
ssh-add ~/.ssh/id_rsa
```

List loaded keys:

```shell
ssh-add -l
```

## SSH Config

Make it fast and easy to connect to SSH servers which have long names or only IP addresses, without having to remember them, by adding a block to your ~/.ssh/config:
```
Host myhost
  TCPKeepAlive yes
  ServerAliveInterval 300
  HostName x.x.x.x
  IdentityFile ~/.ssh/id_rsa
  User hari
  # suppress the motd, similar to the -q switch
  LogLevel QUIET
```

You can now ssh myhost without DNS: ssh replaces the hostname with the HostName field's value, in this case the IP x.x.x.x.

For AWS EC2 VMs, specify User ec2-user and the key pair generated at creation time.

To use different user accounts and keys for different servers:
```
Host myhost
  TCPKeepAlive yes
  ServerAliveInterval 300
  HostName x.x.x.x
  IdentityFile ~/.ssh/ec2-user.pem
  User ec2-user
```

## X Forwarding

```shell
ssh -X hari@"$HOST"
# on the remote host, become root and copy the X authority cookie over so root can open X apps too
sudo su
cp .Xauthority /root
virt-manager
```

## Legacy SSH Servers

If you see an error like this when trying to SSH to an older system running an older version of SSH:
```
Unable to negotiate with 192.168.1.46 port 22: no matching host key type found. Their offer: ssh-rsa,ssh-dss
```

add the -o HostKeyAlgorithms=+ssh-rsa,ssh-dss option to the SSH command line to accept the older host key algorithms:

```shell
ssh -o HostKeyAlgorithms=+ssh-rsa,ssh-dss ...
```

If you're authenticating with an SSH key, you'll still get prompted for a password because the key authentication itself fails until you also add this switch, -o PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss:

```shell
ssh -o HostKeyAlgorithms=+ssh-rsa,ssh-dss -o PubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss ...
```

If using rsync over ssh, use the -e switch to pass these options through to ssh:

```shell
rsync -av -e 'ssh -oHostKeyAlgorithms=+ssh-rsa,ssh-dss -oPubkeyAcceptedAlgorithms=+ssh-rsa,ssh-dss' ...
```

These options re-enable SHA-1 based algorithms that newer OpenSSH releases disable by default, so scope them to the legacy host (for example in a Host block in ~/.ssh/config) rather than enabling them for every connection.