
Question

How does one set up SSH keys on a Mac to make for easier and more secure SSH sessions?

Overview

There are numerous methods for dealing with SSH keys to make the use of SSH easier and more secure. This document covers only one method. With key-based authentication the private key never leaves your own machine and no password is sent to the remote host at all; what crosses the network is a signature that proves possession of the key for this one session. An attacker hammering the remote machine's login prompt therefore has nothing to guess, which removes the risk posed by brute-force password attacks, and a compromised or impersonated remote host learns nothing it could reuse elsewhere.

This document will show you how to create an SSH key pair. The public key can then be distributed to any number of machines. You can repeat the process for different sets of machines, for example a separate key pair for different levels of security, for different departments, for home and work, and so on.

In the examples below, the remote machine's name is called "remotehost". The user's account name is "accountname".

Answer

NOTE: Use A Great Passphrase

It is important in this process to choose a strong passphrase, and there is no excuse not to: if you add it to your Mac Keychain (see below) you won't have to type it every time you log in. The passphrase is what protects the private key file if your Mac is lost, stolen or compromised.

Also, your login passphrase for the desktop where your SSH private key is stored should be excellent. CS suggests using the campus Kerberos system to authenticate your desktops.

If you lose this passphrase it cannot be recovered; create a new key by following these instructions again. If you do that, remember to remove your old key from the remote machines (by deleting the line it is on in the ~/.ssh/authorized_keys file on each remote machine), otherwise the old key keeps working for anyone who obtains it.

Generate a Key

On the local machine (a Mac), make a key for the remote machine:

$ ssh-keygen -t rsa -b 4096 -f ~/.ssh/accountname_id_dsa

You will be prompted for the passphrase discussed above. This produces two files in ~/.ssh:
accountname_id_dsa.pub (the public key, which you will copy to remote machines)
accountname_id_dsa (the private key, which stays on your Mac; ssh-keygen creates it readable only by you)

The file name is only a label: despite the "dsa" in the name this is a 4096-bit RSA key, as the -t rsa option specifies. You may name it anything you like, for example accountname_id_rsa, as long as you use the same name in the steps that follow. Recent versions of OpenSSH also accept -t ed25519, which produces a much shorter key and needs no -b option.

Remote Machine Setup

Make the .ssh directory and an empty authorized_keys file on the remote machine, if they don't already exist (you will need to enter your password). The -p option lets mkdir succeed when the directory is already there:

$ ssh remotehost "mkdir -p ~/.ssh && chmod 700 ~/.ssh && touch ~/.ssh/authorized_keys && chmod 600 ~/.ssh/authorized_keys"

If you get errors, an alternate method is to SSH in to the remote machine and run the same commands one at a time:

$ ssh accountname@remotehost
remote $ mkdir -p ~/.ssh
remote $ chmod 700 ~/.ssh
remote $ touch ~/.ssh/authorized_keys
remote $ chmod 600 ~/.ssh/authorized_keys

Note the permission restrictions on the .ssh directory and the files within. This is to help protect your key: a world- or group-writable authorized_keys file would let another local user add their own key to your account. The OpenSSH server (with its default StrictModes setting) refuses to use an authorized_keys file, .ssh directory or home directory with loose permissions, and from the client side the only symptom is that you are asked for a password instead of the key being accepted.

Put Public Key on Remote Machine

Add the key you made to the remote machine's authorized_keys file (note, on older systems the file might be authorized_keys2), using this command:

$ cat ~/.ssh/accountname_id_dsa.pub | ssh remotehost 'cat >> ~/.ssh/authorized_keys'

Be sure to send the .pub file, never the private key, and to use >> (append) rather than > (overwrite), or you will wipe out any keys already in the file. Recent versions of macOS also ship ssh-copy-id, which does the same thing when given -i and the path of the .pub file, and creates the remote .ssh directory with the right permissions if it is missing.
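The remote-side steps above (create ~/.ssh with mode 700 and authorized_keys with mode 600, append the public key) and the earlier advice to delete a retired key's line from authorized_keys can be scripted so that they are safe to run repeatedly. The following POSIX sh script is an added example, not part of this article or of OpenSSH. Every function takes the .ssh directory as its first argument, so it can be exercised on a scratch directory on your Mac and pointed at ~/.ssh on the remote host when used for real; the key it installs is a constructed placeholder, not a real key.

```sh
#!/bin/sh
# Added example for this KB article (not from the article or from OpenSSH):
# maintain an authorized_keys file the way the remote-machine steps above do,
# but idempotently, plus the "remove the old key's line" step for a retired key.
# Every function takes the .ssh directory as its first argument, so it can be
# exercised on a scratch directory locally and pointed at ~/.ssh on a real host.

# A constructed placeholder key for the demo. It is NOT a real key and will not
# authenticate anywhere; the base64 body is made up.
DEMO_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0nstructedKeyMaterialOnlyForTheDemo accountname@mac'

# Accept only a plain "type base64 [comment]" line with a key type sshd knows.
# Lines with option prefixes (command="...", restrict, ...) are rejected here;
# extend the check if you use them.
valid_pubkey() {
    printf '%s\n' "$1" | awk '
        NF >= 2 &&
        ($1 == "ssh-rsa" || $1 == "ssh-ed25519" || $1 ~ /^ecdsa-sha2-nistp(256|384|521)$/) &&
        $2 ~ "^[A-Za-z0-9+/]+=*$" { ok = 1 }
        END { exit !ok }'
}

# Create the directory and file with the modes sshd's StrictModes requires.
prepare_ssh_dir() {
    mkdir -p "$1" && chmod 700 "$1" &&
    touch "$1/authorized_keys" && chmod 600 "$1/authorized_keys"
}

# "type base64" of a key line: the comment is ignored when comparing keys.
key_id() { printf '%s\n' "$1" | awk '{ print $1 " " $2 }'; }

# Append the key only if an equivalent line is not already present, so the
# script can be re-run without filling authorized_keys with duplicates.
install_pubkey() {
    dir=$1 key=$2
    valid_pubkey "$key" || { echo "refusing malformed key line" >&2; return 1; }
    prepare_ssh_dir "$dir" || return 1
    if awk -v id="$(key_id "$key")" '($1 " " $2) == id { found = 1 } END { exit !found }' \
            "$dir/authorized_keys"; then
        return 0   # already installed; nothing to do
    fi
    printf '%s\n' "$key" >> "$dir/authorized_keys"
}

# Retire a key: rewrite authorized_keys without its line, keeping mode 600.
remove_pubkey() {
    dir=$1 key=$2
    tmp="$dir/authorized_keys.tmp.$$"
    awk -v id="$(key_id "$key")" '($1 " " $2) != id' "$dir/authorized_keys" > "$tmp" &&
    chmod 600 "$tmp" && mv "$tmp" "$dir/authorized_keys"
}

# Helpers used by the demo and for checking the result.
key_count()   { awk 'NF >= 2 { n++ } END { print n + 0 }' "$1/authorized_keys"; }
perm_string() { ls -ld "$1" | cut -c1-10; }   # e.g. drwx------ or -rw-------

demo() {
    d=$(mktemp -d) || return 1
    install_pubkey "$d" "$DEMO_KEY"
    install_pubkey "$d" "$DEMO_KEY"                     # second call is a no-op
    echo "keys after two installs: $(key_count "$d")"   # 1
    echo "modes: $(perm_string "$d") $(perm_string "$d/authorized_keys")"
    remove_pubkey "$d" "$DEMO_KEY"
    echo "keys after revoke: $(key_count "$d")"         # 0
    rm -rf "$d"
}
demo
```

After installing a key, confirm that it is the key and not your password that is being accepted: ssh -o PasswordAuthentication=no accountname@remotehost should log you in (after the key passphrase) or fail with "Permission denied (publickey)", and ssh -v shows which identity files were offered. If a correctly installed key is ignored, a wrong mode on the remote ~/.ssh, authorized_keys or home directory is the usual cause.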

Add remote host to your SSH config file

If you want, you can use this particular key for every machine in a domain (such as cs.ucdavis.edu) with these configuration lines in your ~/.ssh/config file (create the file if it does not exist):

Host *.cs.ucdavis.edu remotehost1 remotehost2 remotehost3
    IdentitiesOnly yes
    PubkeyAuthentication yes
    IdentityFile ~/.ssh/accountname_id_dsa

IdentitiesOnly yes matters: without it, ssh also offers every key loaded in your agent to these hosts, which reveals the list of your public keys to each server and can use up the server's allowed authentication attempts before the right key is tried.

Note the "remotehost1 remotehost2..." on the Host line. The *.cs.ucdavis.edu pattern matches only the fully qualified name you type, so listing the short host names there lets the same settings apply when you type just the short name. For instance:

$ ssh hostname.cs.ucdavis.edu

could also be typed:

$ ssh hostname

provided your Mac can resolve the short name (for example because cs.ucdavis.edu is one of its DNS search domains). If it cannot, add a separate Host hostname block to ~/.ssh/config containing HostName hostname.cs.ucdavis.edu so that the short name is mapped to the full one.

Using SSH and Saving the Passphrase in Mac Keychain

Remember, if you are going to store passphrases in your Mac Keychain, your keychain/desktop passphrase should be a very good passphrase! Anyone who can unlock your desktop session can then use the key without ever seeing its passphrase.

Now, you should be able to log into the remote host with:

$ ssh accountname@remotehost

On older versions of macOS a pop-up box asks for the passphrase of accountname_id_dsa. Type in the passphrase you chose when you generated the key. You can click "Remember password in my keychain"; this stores the passphrase in your Mac keychain so that you won't have to type it every time you ssh to that machine.

On macOS Sierra (10.12) and later there is no pop-up; the passphrase is requested in the terminal. To get the same keychain behaviour, add the lines UseKeychain yes and AddKeysToAgent yes under the Host entry in ~/.ssh/config, then load the key into the keychain once with ssh-add --apple-use-keychain followed by the private key path (ssh-add -K on versions before Monterey). Later ssh sessions then take the passphrase from the keychain without prompting. If you are asked for your account password instead of, or after, the key passphrase, the key was not accepted; run ssh -v to see what happened.

Further Reading: OpenSSH Manual Pages

This document can be found at: http://goo.gl/U2usj