How to connect two remote computers with ssh

I found a pretty good amount of tutorials about connecting two computers via ssh, but I just don't get the key point I guess. (I tried for exemple this one or this one)

Let say I am userA with ipv4 xxx.xxx.x.xx and I want to have a ssh connection with my friend (in another country) userB with ipv4 yyy.yyy.y.yy

So, I generate a ssh key, and I have a nice ./ssh/id_rsa and ./ssh/id_rsa.pub and now I am suppose to copy it on my friend's computer ?

But, as one could suspect,

ssh-copy-id -i ~/.ssh/id_rsa.pub [email protected]

is not working (how could it, since we are not bounded yet ?)

Does userB has to copy this file manually into his own .ssh file ?

And then on my computer

ssh [email protected]

will work directly ? (which is highly unrealistic, I think...)

Sorry to be that dumb, but it looks like to me that in the tutorial, people are dealing with the same computer...

Solution 1:

So, I generate a ssh key, and I have a nice ./ssh/id_rsa and ./ssh/id_rsa.pub and now I am suppose to copy it on my friend's computer ?

Yes, specifically, you're supposed to copy your ~/.ssh/id_rsa.pub file (the public key) to the remote system's ~/.ssh/authorized_keys file.

(Although, you really ought to have your own user account on the target machine, instead of sharing your friend's "userB" account.)

[ssh-copy-id] is not working (how could it, since we are not bounded yet ?)

Normally, it would work by entering a password to log in to the remote system. (SSH uses the same "system" accounts and passwords as local logins do.)

The thing about SSH here is that it allows the client to choose from several login methods – it's not actually only keypair-based. (Sort of like how a website can allow you to log in with password, log in with Google, log in with USB token, etc.)

Of course, if the remote system already has password-based logins disabled (which has become somewhat of a necessity nowadays), then indeed ssh-copy-id cannot work out of nothing, and you will need to copy your public key to the server's "authorized_keys" file in some other way.

Fortunately, the public key is just a long line of text, so you can paste it via email or Discord or whatever else. (And while RSA keys are long, ssh-keygen -t ed25519 will produce a much shorter id_ed25519.pub which can even be written down on paper in a pinch.)

(Though even in those situations, ssh-copy-id can still remain technically useful if you already have one keypair working, and want to use it to enroll another. A third alternative would be Kerberos-based logins, mostly found in corporate/hobbyist environments.)

And then on my computer ssh [email protected] will work directly ? (which is highly unrealistic, I think...)

Specifically, the SSH part would work, yes.

However, note that SSH doesn't magically go through NATs, and does not automatically set up "port forwarding" for you, so if that's necessary to access your friend's home computer then it'll need to be done separately. (SSH uses TCP port 22.) Similarly, if there's a firewall, it'll need a rule to allow SSH.

So that needs to be dealt with before ssh y.y.y.y will work.

(Most SSH tutorials don't cover home NAT because it's a very generic thing and not strictly part of SSH setup. It's just kinda assumed that if someone wants to allow connections to home network via IPv4, then they already know what port-forwarding is and how it needs to be configured – there is no difference between doing it for SSH or Minecraft or BitTorrent or whatever.

Also, many SSH tutorials are aimed more at developers and generally people who want to connect to a VPS which has its own public IPv4 address. That's slightly different from you trying to connect to a friend's PC.)

Solution 2:

For the public key authentication to work, your public key (id_rsa.pub) must be appended to ~/.ssh/authorized_keys for the target user. How you're going to get it there is none of SSH's business - you have to figure it out yourself. You can use any medium you wish, as long as it guarantees integrity (ie. recipient can confirm that what they have received is what you have sent). It doesn't have to be confidential, because it's your public key. The private key (id_rsa) stays on your computer.

What's the point of ssh-copy-id then? There are two use cases:

1. Password authentication is enabled and you want to enable public key authentication. In this case you'll have to enter the password to connect to host B and ssh-copy-id will append the public key to authorized_hosts.

2. Public key authentication is already set up, but you want to add another key, for example using stronger or different cryptography. In particular you may want to add a key that doesn't belong to you or your current host. In this case you'll want to specify the keyfile with the -i option. (The default is to add all keys provided by ssh-add -L or id_rsa.pub if there are none.)

Why use public key authentication if you may already have password authentication set up? Because it's impossible to guess and doesn't require user interaction.