Short Guide to (Finding, Sharing, etc.) SSH Keys on Mac OS X

Nov 23, 2015

A short guide to SSH keys and Mac OS X: How to create, find, share and add SSH Keys (and deal with related SSH errors and warnings) on Mac OS X.

SSH keys allow for more secure connections between trusted computers without using passwords. If, for example, you frequently use the Mac Terminal application to connect to a server, switching to SSH keys will allow you to skip the passwords while also enjoying a more secure connection.

An SSH key consists of two files. The first is a private key, which should never be shared with anyone. The second is a public key, which you can (and must) share with the machines you want to connect to. It is the ID by which they will recognize your machine. If you are familiar with cryptocurrencies like Bitcoin it is a little like the public and private keys – one you share and one you don't.

This is intended for people who aren't fully familiar with SSH keys (and don't really want to be) but are asked by a colleague or server admin to create/generate/find/share an SSH key, or who encounter an error.

We'll talk about two machines. The first is the machine you are working on (local machine) and the other is the one that you are trying to access (remote machine).


Find Existing Public SSH Key on Your Local Mac OS X Machine

Let's say your server admin is trying to set you up with ssh access to a remote machine. They're likely to say something like "send me the public ssh key for your laptop". Rather than have to ask them what that means just try this.

Open the terminal application (Applications > Utilities > Terminal). You'll see a prompt, which usually looks something like this:

John-Smith-MacBook-Pro:~ john$

The first part is your computer name, the second part is your user name.

Now paste this line...

pbcopy < ~/.ssh/id_rsa.pub

...and hit Enter/Return.

One of two things will happen. If you already have a public SSH key on the machine it will have been pasted to the clipboard, and you can now paste it anywhere (including in the email back to the admin that requested it).

It's a little confusing because it won't look like anything happened – don't expect a message saying that something happened. If you don't see an error, that means it worked.

The other potential outcome is an error message, which will probably look like this:

-bash: /Users/mark/.ssh/id_rsa.pub: No such file or directory

This just means that you don't yet have a public key. Proceed to the next step.

Creating a Public SSH Key

If you tried the step above and got the following error:

-bash: /Users/mark/.ssh/id_rsa.pub: No such file or directory

... it just means SSH keys have not been generated on your machine yet. You can fix that by pasting this line into the Terminal app ...

ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa

... and hit Return/Enter. (The -P '' part saves the key without a passphrase; leave it out if you would rather be asked for one each time the key is used.)

You should now see something like this:

Created directory '/Users/john/.ssh'.
Your identification has been saved in /Users/john/.ssh/id_rsa.
Your public key has been saved in /Users/john/.ssh/id_rsa.pub.
The key fingerprint is:
7c:80:43:e3:7f:x5:37:98:84:fc:79:b3:b9:e2:72:g4 john@John-Smith-MacBook-Pro.local
The key's randomart image is:
+--[ RSA 2048]----+
|    .+           |
|  . .=  oG.      |
| . . .=. =       |
|  ooo.oo.oo      |
| .=.+ .o . S     |
| o.o. .          |
| o .             |
| .               |
|                 |
+-----------------+

It looks pretty intimidating but it just means that the SSH keys were created and stored in the place we looked at in step 1. The "rsa" in the command told the machine to generate an RSA key, which we can confirm by looking at the first line of the randomart box (+--[ RSA 2048]----+). The 2048 is the key length in bits; 2048 is the length generally used and considered secure. All good.

Don't send what you see to the admin that requested the SSH key. Instead enter the line from step 1...

pbcopy < ~/.ssh/id_rsa.pub

... which will put your new public SSH key into the clipboard. Just paste it where you need it.


Add Your Public SSH Key To Another Machine

Let's say you are trying to add the SSH key from your local machine to a remote machine (to get secure access without a password) and don't have an admin or someone else trying to help you.

Again open Terminal on the local machine and enter an appropriate version of the following:

cat ~/.ssh/id_rsa.pub | ssh john@192.168.2.16 "mkdir -p ~/.ssh; chmod 700 ~/.ssh; cat >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys"

… where "john" is replaced by your username on the remote machine, and 192.168.2.16 is replaced by the remote machine's name or IP address. (The mkdir -p and chmod parts create the .ssh folder if it is missing and set the permissions the SSH server insists on before it will use the file.)

Hit return/enter and, when prompted, type your password for your account on the remote machine.

This should add the public key from your local machine to the remote machine, allowing you secure access without passwords.


Delete A Bad SSH Key

As you start using SSH keys you may encounter an error message that looks like this:


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is 7c:80:43:e3:7f:x5:37:98:84:fc:79:b3:b9:e2:72:g4.
Please contact your system administrator.
Add correct host key in /Users/john/.ssh/known_hosts to get rid of this message.
Offending key in /Users/john/.ssh/known_hosts:3
RSA host key for (xyz) has changed and you have requested strict checking.
Host key verification failed.

If you get this message it means that you are the victim of a man-in-the-middle attack or (more likely) that the host has a new key and a different fingerprint. To protect you, the Mac OS X SSH client will not let you connect.

To get rid of this error and complete the connection you first need to delete the old key. Again in the Terminal app (local) paste the following:

open ~/.ssh

This will open the hidden .ssh folder in the Finder. The error message explains that you are looking for the file called "known_hosts", so double-click that and it will open in TextEdit (or whatever text editor you have assigned as the default).

The error message is actually very helpful because it says which key is causing the problems – in this case the number 3 in the "Offending key in /Users/john/.ssh/known_hosts:3" part of the error message means that it is the third key in the list.

The tricky part is that each key is very long, typically wrapping into several lines. Look for (in this case) the third IP address (or system name) in the list. Triple-click that and the entire line should be selected, then hit the Delete key and save the file.
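
If you would rather let the Terminal do the deleting, here is an added example (not part of the original post) that reads the line number out of the warning and removes just that line from known_hosts, keeping a backup copy. It assumes a POSIX shell with sed, cp and mktemp, and takes the file path as an argument so you can try it on a copy first.

```shell
#!/bin/sh
# Added example, not from the original post: remove the "offending" entry from
# known_hosts by line number, the same edit the TextEdit steps above make by hand.
# Assumes POSIX sh with sed, cp and mktemp; the file path is always passed in,
# so you can try it on a copy before touching ~/.ssh/known_hosts.

# offending_line WARNING_TEXT
# Prints the N from an "Offending key in /path/known_hosts:N" line in the
# warning; prints nothing when the text has no such line.
offending_line() {
    printf '%s\n' "$1" | sed -n 's/^Offending .*known_hosts:\([0-9][0-9]*\).*$/\1/p'
}

# remove_known_hosts_line FILE N
# Saves FILE as FILE.bak, then deletes line N so the next connection shows the
# "authenticity of host" prompt (to be checked as in the next section) instead
# of refusing outright. Returns 1 if N is not a positive number.
remove_known_hosts_line() {
    file=$1
    n=$2
    case $n in
        ''|*[!0-9]*|0) echo "remove_known_hosts_line: bad line number '$n'" >&2; return 1 ;;
    esac
    cp "$file" "$file.bak" || return 1
    tmp=$(mktemp) || return 1
    sed "${n}d" "$file" > "$tmp" && mv "$tmp" "$file"
}

# demo: builds a constructed four-entry known_hosts in a temp file (the key
# data is made up), applies the line number taken from the warning quoted
# above, and prints the lines that remain.
demo() {
    f=$(mktemp)
    printf '%s\n' \
        'server-a ssh-rsa AAAAexampleA' \
        'server-b ssh-rsa AAAAexampleB' \
        '192.168.2.16 ssh-rsa AAAAexampleC' \
        'server-d ssh-rsa AAAAexampleD' > "$f"
    n=$(offending_line 'Offending key in /Users/john/.ssh/known_hosts:3')
    remove_known_hosts_line "$f" "$n"
    cat "$f"
    rm -f "$f" "$f.bak"
}
```

On any OpenSSH release, ssh-keygen -R server-name does the same job by host name rather than line number and keeps the previous file as known_hosts.old.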


Confirm SSH Key After Authenticity Message

You might also see a message like this:


~$ ssh (server-name)
The authenticity of host 'server-name (server ip)' can't be established.
RSA key fingerprint is 7c:80:43:e3:7f:x5:37:98:84:fc:79:b3:b9:e2:72:g4.
Are you sure you want to continue connecting (yes/no)?

You can just type "yes", hit enter and carry on, and you will probably be safe, but it's advisable to confirm the key, assuming you have access to the remote machine.

Connect to the remote machine using Apple Remote Desktop. Open the Terminal application on that machine and enter the following...

$ ssh-keygen -l -f /etc/ssh_host_rsa_key.pub

... to reveal the fingerprint for that machine. Compare it to the fingerprint in the message on the local machine. If they match you are OK, and can safely enter "yes" in the Terminal application on the local machine.



