Short Guide to (Finding, Sharing, etc.) SSH Keys on Mac OS X

Nov 23, 2015

 

A short guide to SSH keys and Mac OS X: How to create, find, share and add SSH Keys (and deal with related SSH errors and warnings) on Mac OS X.

 

 

SSH keys allow for more secure connections between trusted computers without using passwords. If for example you frequently use the Mac Terminal application to connect to a server, switching to SSH keys will allow you to skip the passwords and while also enjoying a more secure connection.

An SSH key consists of two files. The first is a private key, which should never be shared with anyone. The second is a public key, which you can (and must) share with the machines you want to connect to. It is the ID by which they will recognize your machine. If you are familiar with cryptocurrencies like Bitcoin it is a little like the public and private keys – one you share and one you don't.

This is intended for people that aren't fully familiar with SSH keys (and don't really want to be) but are asked by a colleague or server admin to create/generate/find share an SSH key, or who encounter an error.

We'll talk about two machines. The first is the machine you are working on (local machine) and the other is the one that you are trying to access (remote machine).

 


Find Existing Public SSH Key on Yore Local Mac OS X Machine

Let's say your server admin is trying to set you up with ssh access to a remote machine. They're likely to say something like "send me the public ssh key for your laptop". Rather than have to ask them what that means just try this.

Open the terminal application (Applications > Utilities > Terminal). You'll see a prompt, which usually looks something like this:

 

John-Smith-MacBook-Pro:~ john$

 

The first part is your computer name, the second part is your user name.

Now paste this line....

 

pbcopy < ~/.ssh/id_rsa.pub

 

...and hit Enter/Return.

One of two things will happen. If you already have a public SSH key on the machine it will have been pasted to the clipboard, and you can now paste it anywhere (including in the email back to the admin that requested it).

It's a little confusing because it won't look like anything happened – don't expect a message saying that something happened. If you don't see an error key that means it worked.

The other potential outcome is an error message, which will probably
look like this:

 

-bash: /Users/mark/.ssh/id_rsa.pub: No such file or directory

 

This just means that you don't yet have a public key. Proceed to the next step.

 

Creating a Public SSH Key

If you tried the step above and got the following error:

 

-bash: /Users/mark/.ssh/id_rsa.pub: No such file or directory

 

... it just means SSH keys have not been generated on your machine yet. You can fix that them by now pasting this line into the Terminal App ...

 

ssh-keygen -t rsa -P '' -f ~/.ssh/id_rsa

 

... and hit Return/Enter.

You should now see something like this:


Created directory '/Users/john/.ssh'.
Your identification has been saved in /Users/john/.ssh/id_rsa.
Your public key has been saved in /Users/john/.ssh/id_rsa.pub.
The key fingerprint is:
7c:80:43:e3:7f:x5:37:98:84:fc:79:b3:b9:e2:72:g4 [email protected] John-Smith-MacBook-Pro.local
The key's randomart image is:
+--[ RSA 2048]----+
|    .+           |
|  . .=  oG.      |
| . . .=. =       |
|  ooo.oo.oo      |
| .=.+ .o . S     |
| o.o. .          |
| o .             |
| .               |
|                 |
+-----------------+

 

It looks pretty intimidating but it just means that the SSH keys were created and stored in the place we looked at in step 1. The "rsa" in the command told the machine to generate an RSA key, which we can confirm by looking at the first line (+--[ RSA 2048]----+). The 2048 is the key length, with 2048 being as long as is generally used and considered secure. All good.

Don't send what you see to the admin that requested the SSH key. Instead enter the line from step 1...

 

pbcopy < ~/.ssh/id_rsa.pub

 

... which will put your new public SSH key into the clipboard. Just paste it where you need it.

 


Add Your Public SSH Key To Another Machine

Let's say you are trying to add the SSH key from your local machine to a remote machine (to get secure access without a password) and don't have an admin or someone else trying to help you.

Again open Terminal on the local machine and enter an appropriate version of the following:

 

cat ~/.ssh/id_rsa.pub | ssh [email protected] 192.168.2.16 "mkdir ~/.ssh; cat >> ~/.ssh/authorized_keys"

 

… where "john" is replaced by your username on the remote machine, and 192.168.2.16 reflects the remote machine name or IP address.

Hit return/enter and then paste the following:

 

cat ~/.ssh/id_rsa.pub | ssh [email protected] 192.168.2.16"mkdir ~/.ssh; cat >> ~/.ssh/authorized_keys"

 

This should add the public key from your local machine to the remote machine, allowing you secure access without passwords.

 


Delete A Bad SSH Key

As you start using SSH keys you may encounter an error message that looks like this:


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is 7c:80:43:e3:7f:x5:37:98:84:fc:79:b3:b9:e2:72:g4.
Please contact your system administrator.
Add correct host key in /Users/john/.ssh/known_hosts to get rid of this message.
Offending key in /Users/john/.ssh/known_hosts:3
RSA host key for (xyz) has changed and you have requested strict checking.
Host key verification failed.

 

If you get this message it means that you are the victim of a man-in-the-middle exploit or (more likely) that the host has a new key and different fingerprint. To protect you Mac OS X SSH client will not let you connect.

To get rid of this error and complete the connection you first need to delete the old key. Again in the terminal app (local) paste the following:

 

open .ssh

 

This will open the hidden .ssh folder in the finder. The error message explains that you are looking for the file called "known_hosts" so double click that and it will open in Text Edit (or whatever text editor you have assigned as the default).

The error message is actually very helpful because it says which key is causing the problems – in this case the number 3 in the "Offending key in /Users/john/.ssh/known_hosts:3" part of the error message means that it is the third key in the list.

The tricky part is that each key is very long, typically wrapping into several lines. Look for (in this case) the third ip address (or system name) in the list. Triple lick that and the entire line should be selected, then hit the delete button and save the file.

 


Confirm SSH Key After Authenticity Message

You might also see a message like this:


~$ ssh (server-name)
The authenticity of host 'server-name (server ip)' can't be established.
RSA key fingerprint is 7c:80:43:e3:7f:x5:37:98:84:fc:79:b3:b9:e2:72:g4.
Are you sure you want to continue connecting (yes/no)?

 

You can just type "yes", hit enter and continue on and probably be safe but it's advisable to confirm the key, assuming you have access to the remote machine.

Connect to the remote machine using Apple Remote Desktop. Open the Terminal application on that machine and enter the following...

 

$ ssh-keygen -l -f /etc/ssh_host_rsa_key.pub

 

... to reveal the fingerprint for that machine. Compare it to the fingerprint in the error message on the local machine. If they match you are OK, and can safely enter "yes" in the Terminal application on the local machine.




Related Content

How To Migrate Google Authenticator To A New iPhone

Instructions on how to move Google Authenticator to a new iPhone so you don't lose access to accounts with two-factor authentication enabled.

Why Have Security Questions After Password Authentication?

Asking security questions after password authentication is not just pointless, it actually makes things less secure.

Apple Remote Desktop: Fix "Authentication failed to" Error

Using ARD (Apple Remote Desktop) and getting an "Authentication failed to" error in Mac OS X? There is a very easy fix for Sierra, El Capitan & Yosemite.

How To Securely Hide (and Encrypt) Files On Mac OS X

How to hide/secure files on your Mac: An easy approach to protecting your data by securing, hiding, and encrypting selected files and folders in Mac OS X.

Security Through Obscurity On Mac OS X – Better Solutions

A look at how security through obscurity (hiding files) is doomed to fail in Mac OS X, plus a look at some easy ways to truly secure files on your Mac.

Showing Hidden Files vs Hiding Regular Files in Mac OS X

They might seem like flip sides of the same coin but the techniques used to show hidden files on a Mac are not the best solution for securely hiding files.

Make Alerts Like "gamed wants to connect to..." Go Away

Instructions for how to disable OS X service you don't need to cut down on Little Snitch alerts like "gamed wants to connect to static.gc.apple"

A Better Way To Show/Hide Hidden Files on Mac OS X

There are many ways to show/hide hidden files on Mac OS X Mavericks, Yosemite & El Capitan but this is likely the best approach to making switching easy.

What Does Incognito/Private Mode Really Mean?

The incognito or private mode in your web browser can offer you some additional privacy but not as much as you may think, and you still need to be careful.

"Your Apple Device has been locked..." Another Scam

Does "http://www.alerts-safari.info" say "Your Apple Device has been locked, due to security reasons"? Don't panic, it's not – just don't call the number!

Category List


Tag List


Tag Cloud



Archive