The best way to learn keys is to have 'ssh' allow your account to log in to itself without a password. Here's a new box:

Code:
foo@trixie:~$ ssh foo@localhost
The authenticity of host 'localhost (::1)' can't be established.
ED25519 key fingerprint is SHA256:SIHneSOlue6aYGiLTIGtbl7vI3LLnC7EJen6GM+CPT8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added 'localhost' (ED25519) to the list of known hosts.
foo@localhost's password: 
Linux trixie 6.12.41+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.41-1 (2025-08-12) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Aug 18 06:04:03 2025 from 192.168.1.14
foo@trixie:~$ exit
logout
Connection to localhost closed.

Hmm. Don't want to type a password!

No ".ssh" folder in $HOME:

Code:
foo@trixie:~$ ls -lad .ssh
ls: cannot access '.ssh': No such file or directory

so create some keys. Just hit enter for all prompts.

Code:
foo@trixie:~$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/foo/.ssh/id_rsa): 
Created directory '/home/foo/.ssh'.
Enter passphrase for "/home/foo/.ssh/id_rsa" (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/foo/.ssh/id_rsa
Your public key has been saved in /home/foo/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:1o/ZE79aNzHiqEJOmBXOLWN4z+SkpOMAffcizHdgp7k foo@trixie
The key's randomart image is:
+---[RSA 3072]----+
| |
| . |
| . + o |
| . . o & * |
| . + @ S . .. o |
| . O X * =oo. o|
| o B + o.+.o..|
| . E . o o.|
| .. ... |
+----[SHA256]-----+
foo@trixie:~$ ls -lad .ssh
drwx------ 2 foo foo 4096 Aug 26 17:52 .ssh

Ordinarily you'd not post the above, for security reasons. I'm going to delete the '.ssh' folder and start from scratch after this. These are the rsa keys we generated:

Code:
foo@trixie:~$ ls -l .ssh
total 8
-rw------- 1 foo foo 2590 Aug 26 17:52 id_rsa
-rw-r--r-- 1 foo foo  564 Aug 26 17:52 id_rsa.pub

The first one is our private key. The second one is the public key. Never give the private key away. Keys for password-less logins are stored in this file:

Code:
foo@trixie:~$ cd .ssh
foo@trixie:~/.ssh$ touch authorized_keys && chmod 0600 authorized_keys
foo@trixie:~/.ssh$ ls -l
total 8
-rw------- 1 foo foo    0 Aug 26 18:02 authorized_keys
-rw------- 1 foo foo 2590 Aug 26 17:52 id_rsa
-rw-r--r-- 1 foo foo  564 Aug 26 17:52 id_rsa.pub

Now append our own key:

Code:
foo@trixie:~/.ssh$ cat id_rsa.pub >>authorized_keys 
foo@trixie:~/.ssh$ ls -l
total 12
-rw------- 1 foo foo  564 Aug 26 18:04 authorized_keys
-rw------- 1 foo foo 2590 Aug 26 17:52 id_rsa
-rw-r--r-- 1 foo foo  564 Aug 26 17:52 id_rsa.pub

Attempt a login:

Code:
foo@trixie:~/.ssh$ ssh foo@localhost
The authenticity of host 'localhost (::1)' can't be established.
ED25519 key fingerprint is SHA256:SIHneSOlue6aYGiLTIGtbl7vI3LLnC7EJen6GM+CPT8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ED25519) to the list of known hosts.
Linux trixie 6.12.41+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.41-1 (2025-08-12) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 26 17:48:54 2025 from ::1
foo@trixie:~$ exit
logout
Connection to localhost closed.
foo@trixie:~/.ssh$ ls -l
total 20
-rw------- 1 foo foo  564 Aug 26 18:04 authorized_keys
-rw------- 1 foo foo 2590 Aug 26 17:52 id_rsa
-rw-r--r-- 1 foo foo  564 Aug 26 17:52 id_rsa.pub
-rw------- 1 foo foo  978 Aug 26 18:05 known_hosts
-rw-r--r-- 1 foo foo  142 Aug 26 18:05 known_hosts.old

Well, that didn't work like we wanted. We got a prompt, albeit not for the password. Note "known_hosts". Now that we've been added to that, we can indeed log in automatically:

Code:
foo@trixie:~/.ssh$ ssh foo@localhost
Linux trixie 6.12.41+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.41-1 (2025-08-12) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 26 18:05:57 2025 from ::1
foo@trixie:~$ exit
logout
Connection to localhost closed.

We can even run commands:

Code:
foo@trixie:~/.ssh$ ssh foo@localhost ls -l
total 32
drwxr-xr-x 2 foo foo 4096 Aug 18 05:34 Desktop
drwxr-xr-x 2 foo foo 4096 Aug 18 05:34 Documents
drwxr-xr-x 2 foo foo 4096 Aug 18 05:34 Downloads
drwxr-xr-x 2 foo foo 4096 Aug 18 05:34 Music
drwxr-xr-x 2 foo foo 4096 Aug 18 05:34 Pictures
drwxr-xr-x 2 foo foo 4096 Aug 18 05:34 Public
drwxr-xr-x 2 foo foo 4096 Aug 18 05:34 Templates
drwxr-xr-x 2 foo foo 4096 Aug 18 05:34 Videos
foo@trixie:~/.ssh$

It automatically logged in (to $HOME), ran "ls -l" and automatically logged back out.

We've proved it works and, by doing it locally, we got all the hard work out of the way. All we need do in future is append the public key of another box onto "authorized_keys", do the "known_hosts" prompt the once, and we're in business.

Code:
foo@sdu:~$ scp ~/.ssh/id_rsa.pub foo@trixie:~/.ssh/z
The authenticity of host 'trixie (192.168.1.51)' can't be established.
ED25519 key fingerprint is SHA256:SIHneSOlue6aYGiLTIGtbl7vI3LLnC7EJen6GM+CPT8.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'trixie' (ED25519) to the list of known hosts.
foo@trixie's password: 
id_rsa.pub                                    100%  561     1.4MB/s   00:00

A common mistake above is to not specify the name of the target file. Note I called it "z", otherwise we'd have overwritten the trixie "id_rsa.pub" with the sdu "id_rsa.pub". Now log in from sdu to complete the configuration:

Code:
foo@sdu:~$ ssh foo@trixie
foo@trixie's password: 
Linux trixie 6.12.41+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.41-1 (2025-08-12) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 26 18:08:23 2025 from ::1
foo@trixie:~$

Now append "z" to "authorized_keys" and log out:

Code:
foo@trixie:~$ cd .ssh
foo@trixie:~/.ssh$ cat z >>authorized_keys 
foo@trixie:~/.ssh$ ls -l
total 24
-rw------- 1 foo foo 1125 Aug 26 18:20 authorized_keys
-rw------- 1 foo foo 2590 Aug 26 17:52 id_rsa
-rw-r--r-- 1 foo foo  564 Aug 26 17:52 id_rsa.pub
-rw------- 1 foo foo  978 Aug 26 18:05 known_hosts
-rw-r--r-- 1 foo foo  142 Aug 26 18:05 known_hosts.old
-rw-r--r-- 1 foo foo  561 Aug 26 18:15 z
foo@trixie:~/.ssh$ exit
logout
Connection to trixie closed.
foo@sdu:~$

Job done:

Code:
foo@sdu:~$ ssh foo@trixie
Linux trixie 6.12.41+deb13-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.12.41-1 (2025-08-12) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug 26 18:18:59 2025 from 192.168.1.14
foo@trixie:~$ exit
logout
Connection to trixie closed.
foo@sdu:~$

Might as well delete "z":

Code:
foo@sdu:~$ ssh foo@trixie rm -v .ssh/z
removed '.ssh/z'
foo@sdu:~$ ssh foo@trixie ls -l .ssh
total 20
-rw------- 1 foo foo 1125 Aug 26 18:20 authorized_keys
-rw------- 1 foo foo 2590 Aug 26 17:52 id_rsa
-rw-r--r-- 1 foo foo  564 Aug 26 17:52 id_rsa.pub
-rw------- 1 foo foo  978 Aug 26 18:05 known_hosts
-rw-r--r-- 1 foo foo  142 Aug 26 18:05 known_hosts.old
foo@sdu:~$

Now "foo@sdu" can do anything on trixie that "foo@trixie" can do. The account names are not forced to match. You can set it up so that "fred@sdu" could do the same to "jim@trixie" - just append "fred@sdu"'s "id_rsa.pub" key to "jim@trixie"'s ".ssh/authorized_keys".

There are commands to help with this, but I find it's best to know how to do it manually. Sometimes it goes wrong, especially with dynamically assigned IP addresses (security), and you may have to fire up an editor on one or more of those files to delete an entry.

Note that if I had configured account "foo@trixie" to be able to "sudo" without a password, then "foo@sdu" would be able to gain root access on trixie and trash it. You can daisy-chain these ssh commands, thus my preference is to have a single trusted box which has its public key on all the other boxes: you need to use a password(*) to get onto the trusted box. The upside to using keys is you can set complex passwords.

(*) My main Linux PC being an exception now I'm retired, 'cos lazy.
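The manual steps above (touch and chmod "authorized_keys", append "id_rsa.pub", later append the copied "z") and the trust concern in the "sudo" paragraph, as one added example that is not swampdog's code or part of the original post: a POSIX sh script that installs a public key into an authorized_keys file the same way but idempotently (no duplicate lines when run twice), refuses anything that is not a one-line public key (the "copied the wrong file" mistake), sets the permissions sshd insists on, and optionally prefixes the key with authorized_keys options such as restrict,from="..." so a key that is daisy-chained from another box can only be used from where you expect. The function names, the scratch directory and the key blobs are constructed for the example; it assumes GNU coreutils (stat -c) as found on Debian.

```shell
#!/bin/sh
# Added example, not code from the forum post. Installs a public key into a
# target account's authorized_keys the way the post does by hand, but
# idempotently and with the permissions sshd (StrictModes, the default)
# insists on. Assumes POSIX sh plus GNU coreutils (stat -c), as on Debian.
# Paths are passed explicitly so it can be run against a scratch directory.

# install_pubkey SSH_DIR PUBKEY_FILE [OPTIONS]
#   Appends the first line of PUBKEY_FILE to SSH_DIR/authorized_keys unless the
#   same key (type + base64 blob) is already there. OPTIONS, if given, is an
#   authorized_keys option string such as 'restrict,from="192.168.1.14"' that
#   limits what the holder of the private key may do with this entry.
#   Returns 0 when appended, 2 when already present, 1 when the input is not a
#   one-line public key (e.g. a private key copied by mistake).
install_pubkey() {
    ssh_dir=$1 pubkey_file=$2 opts=${3:-}
    key_line=$(head -n 1 "$pubkey_file") || return 1
    # Split the key line into type, blob and comment (function-local $1 $2 $3).
    set -- $key_line
    case "${1:-}" in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp*) ;;
        *) echo "install_pubkey: not a public key: $pubkey_file" >&2; return 1 ;;
    esac
    [ -n "${2:-}" ] || { echo "install_pubkey: missing key blob" >&2; return 1; }

    # Same shape as the post: 0700 directory, 0600 authorized_keys.
    mkdir -p "$ssh_dir" && chmod 0700 "$ssh_dir"
    ak=$ssh_dir/authorized_keys
    [ -f "$ak" ] || : > "$ak"
    chmod 0600 "$ak"

    # Match on type and blob only; the trailing comment (user@host) and any
    # leading options are not part of the key identity.
    if awk -v t="$1" -v b="$2" '
            { for (i = 1; i < NF; i++) if ($i == t && $(i + 1) == b) found = 1 }
            END { exit !found }' "$ak"; then
        return 2
    fi
    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$key_line" >> "$ak"
    else
        printf '%s\n' "$key_line" >> "$ak"
    fi
}

# check_ssh_dir SSH_DIR
#   Reports what sshd would silently refuse to trust: a key directory or
#   authorized_keys writable by group/others, or a private key readable by
#   anyone but its owner. Returns 0 when clean, 1 otherwise.
check_ssh_dir() {
    ssh_dir=$1 bad=0
    for f in "$ssh_dir" "$ssh_dir"/authorized_keys; do
        [ -e "$f" ] || continue
        mode=$(( 0$(stat -c %a "$f") ))           # octal string -> number
        if [ $(( mode & 022 )) -ne 0 ]; then
            echo "check_ssh_dir: $f is group/world writable" >&2; bad=1
        fi
    done
    for f in "$ssh_dir"/id_*; do
        case "$f" in *.pub) continue ;; esac
        [ -f "$f" ] || continue
        mode=$(( 0$(stat -c %a "$f") ))
        if [ $(( mode & 077 )) -ne 0 ]; then
            echo "check_ssh_dir: private key $f is readable by others" >&2; bad=1
        fi
    done
    return $bad
}

# Demonstration against a scratch directory. The key blob is constructed for
# the example and is not a real key.
demo=$(mktemp -d)
printf '%s\n' 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIENvbnN0cnVjdGVkRXhhbXBsZUtleUJsb2I foo@sdu' > "$demo/z"
install_pubkey "$demo/.ssh" "$demo/z" && echo "key appended"
install_pubkey "$demo/.ssh" "$demo/z" || echo "second install skipped (rc=$?)"
check_ssh_dir "$demo/.ssh" && echo "permissions OK"
cat "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

The duplicate check compares the key type and blob, not the whole line, because the same key arrives with a different comment from every box and would otherwise pile up in "authorized_keys". The functions deliberately leave "known_hosts" alone: for the stale-entry case mentioned above (a host key that no longer matches after an address was reassigned), the standard tool is ssh-keygen -R hostname, which also works when Debian's default HashKnownHosts has made the entries impossible to find with grep.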
Statistics: Posted by swampdog — Tue Aug 26, 2025 5:47 pm