How are public keys "sent" to servers, and how are private keys "used" for SSH?
Solution 1:
ssh-keygen
generates both the public and private keys, which initially reside only locally. Giving the public key to another host is something that the user would need to manually do, either by sending it to someone responsible for server B, or if you have an account with a password, you could log in and put it there yourself. In order to allow passwordless login to server B, you would need to add your public key to the ~/.ssh/authorized_keys file on server B (one public key per line, there can be any number of keys in this file). There is a linux command ssh-copy-id
that will copy the ID for you and put it in the file.
By default, ssh will use the file ~/.ssh/id_XXX as your private key. XXX can be rsa, dsa, or any protocol for which a key was generated. IIRC, dsa is old and shouldn't be used. If you want to use a different private key, you can specify it in your ssh command using -i
. As long as the private key being used matches a public key on the remote machine (in the authorized_keys file for the user's account which you are logging in to), then you will not need to supply a password.
Solution 2:
There are two Linux machines, A and B. Scripts running on A need to be able to SSH into B. So A generates a public key (probably an ssh-keygen-generated id_rsa.pub), and then uses its respective private key (again, probably id_rsa) to make that SSH connection.
If anything I’ve said above is incorrect or misled, please begin by correcting me!
Assuming I’m more or less on target:
yeah
but B needs A's public key to be listed in B's authorized_keys file in order for A to be able to connect to B
also you can delete id_rsa.pub and ssh to B and it will still work, because the public key is generated fresh with each ssh connection and not stored in any id_rsa.pub
How does A “give” B its public key (id_rsa.pub)? Does this have to be a manual process, or can it be automated? If manual, what’s the process? If automated, what’s the command?
manual- something like
from A-
cat ~/.ssh/id_rsa.pub | ssh USER@HOST "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys"
or even more manually, to break the command down
A$ cat id_rsa.pub | ssh user@host 'cat>~/a.a'
then on B, make sure ~/.ssh exists then do cat a.a >> ~/.ssh/authorized_keys
and you can cat authorized_keys of B before and after to make sure the key is listed.
Or you could email id_rsa.pub to an email account, then from B, B can check the email and append the contents of id_rsa.pub into his authorized_keys file
automatically
The ssh-copy-id command
You need to be able to ssh in, so you need password access
Instead of doing ssh user@host you do ssh-copy-id user@host and you are prompted for a password, you enter it, you're in, it will copy the public key over. And next time you do ssh user@host it will use the key.
When B "gets" this public key, where does it go or get stored?
B's ~/.ssh/authorized_keys
When initiating the SSH connection to B, how does A “use” its private key (id_rsa) as part of that connection?
well, I don't know much about that, off the top of my head, but whatever is encrypted with one key can be decrypted with the other key, and identifying yourself is a bit different to sending data.. and there may be something about a temporary key too.