I have what I fear may be a stupid #Linux question...
If I set up an ssh key, upload it to the server, and then disable password login...
When I want to ssh from another machine? How would I then upload that key to the server?
@hellomiakoda the ssh keys come in pairs.. the public key is installed on the server.
the private key remains on your first desktop. just move this private key to the other desktop..
@hellomiakoda you take the private key with you to the other machine, like on a USB stick

@hellomiakoda each machine you connect from will need that private key, then ssh user@host -i /path/to/key.

Or at least that's how I've seen it done before, there might be better solutions

@hellomiakoda Copy the public key from machine B to machine A and upload it from there.
@hellomiakoda As others pointed out, you can use the same private key in both machines A and B, or you can generate a new key pair for machine B, and use machine A to ssh into the target and add B's public key. Then you can use B's private key to ssh into the target and keep separate keys for A and B.
@juanrloaiza Ok, so that does work the way I'd thought.
Then... is there good reason not to sync ~/.ssh between my laptops?
@juanrloaiza Also trying to grok the whole ssh agent in KeePassXC as an option. Last time I messed with it, I broke shit. BUT... the instructions I'm looking at have a step I don't remember seeing last time, so maybe that's why.
Also last time I also attempted to use SecretService... and I'm wondering if THAT is actually what broke shit

@hellomiakoda Not a stupid question at all; it's a common enough challenge to overcome.
I've been known to pull the following old-sysadmin dirty hack:

  • On the workstation that's already set up, open ssh sessions to the server and the new machine respectively
  • cat the private key on the new machine
  • Open ~/.ssh/authorized_keys on the server in a text editor
  • Copy-paste from one terminal to the other, using swipe-and-middle click (method may vary between distributions).
  • Save that file.
  • Test that you can connect from the new machine, and adjust/edit as necessary.
  • Once you know it's working, clear or exit the terminal on the new machine.

Of course, this assumes the new machine has ssh running and that it accepts the key from your first workstation.

Failing that, Manu's sneakernet solution is pretty reliable.

@hellomiakoda I set up an ssh key with my laptop about a year and a half ago, but then never dared to disable the password - because I figure I would probably end up locking myself out of my own server.
I have a second machine now I'm setting up, and was wondering myself if I was supposed to create a new key or copy it across, or have it on a USB stick. So thanks for the question and to the people that answered. This is helpful for me also.

@hellomiakoda I usually use the enrolled machine to add the key in the new machine's .pub file to .ssh/authorized_keys on the server. It's just a line of text in a file, so it can be edited with any text editor.

The advantage that has over copying the enrolled machine's private key to the new machine is that each key is now revokable if it gets lost/stolen/hacked etc.

@hellomiakoda So the private key portion you use to authenticate against the public key portion which is uploaded to the server is supposed to be the portable secured portion. Basically that would be secured on a hardware token or encrypted USB. And you'd be able to move that from machine to machine but never copying the private key to a foreign machine.

So what is your use case, I might be able to add more clarity if I understand how you're planning to use it.

EDIT: Just re-reading this and I've confused myself now. So even I need to re-read how it works LOL.

@JSCybersec I'm trying to set it up for local machines that don't really need the extra security, so that I can learn and understand this overlooked section of Linux knowledge

@hellomiakoda Okay, so on each machine you want to connect to you add the public key portion into the authorized_keys file for the user you're connecting as. Then the machine you're connecting from has to have the private key in the ssh profile (usually under the user home directory ~/.ssh).

Then when you connect to the machine using your key.

So say on "remote" machine I am user bob and on local machine I'm user bobmcbobberson.

On the remote machine's bob profile I open the authorized_keys file under the bob/.ssh folder and add my (bobmcbobberson) public key text into it.

Then on my local machine I ssh into the remote machine -> ssh bob@remotemachine

Depending on your key you might need to type a password to open the private section which will authenticate against the remote machine. If it prompts you for a password to connect to the remote machine, then password auth is still enabled.

@hellomiakoda @nixCraft has some good tutorials that more than likely explain it better than I do >.< https://www.cyberciti.biz/faq/how-to-set-up-ssh-keys-on-linux-unix/
@JSCybersec Yeah, I did know keys can have a password to decrypt the key.
See, I thought there was some master list of pub keys in the server. I didn't realize it was under ~/.ssh.
So if a key is compromised, that's where I remove it from. Ooooh, is that why the keys have user@client in them?! So I can find which one is what?!

@JSCybersec Yeah, I just copied my key into authorized_keys myself, and it worked. Ok, this makes more sense now!

Which means I could easily put my keys in my password manager if I want.
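As an added illustration of what the replies above describe (not code from anyone in the thread): two small POSIX sh helpers that append a public key to an authorized_keys file only if that key is not already present, and remove a key by its trailing user@client comment so a lost or compromised key can be revoked. The key blobs in the demo are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Append one public-key line to an authorized_keys file unless the same key
# (key type + base64 blob) is already listed.  Returns 0 if added, 1 if present.
add_authorized_key() {
    file="$1"; pubkey="$2"
    keytype=$(printf '%s\n' "$pubkey" | awk '{print $1}')
    blob=$(printf '%s\n' "$pubkey" | awk '{print $2}')
    mkdir -p "$(dirname "$file")"
    touch "$file"
    chmod 600 "$file"          # sshd refuses keys from a world-readable file
    # Match on type and blob only: the comment is informational and may differ.
    if awk -v t="$keytype" -v b="$blob" '$1==t && $2==b {f=1} END {exit !f}' "$file"; then
        return 1
    fi
    printf '%s\n' "$pubkey" >> "$file"
    return 0
}

# Revoke every key whose last field (the "user@client" comment) matches.
# Prints the number of lines removed.
revoke_authorized_key() {
    file="$1"; comment="$2"
    before=$(wc -l < "$file" | tr -d ' ')
    tmp="$file.tmp.$$"
    awk -v c="$comment" '$NF != c' "$file" > "$tmp" && mv "$tmp" "$file"
    after=$(wc -l < "$file" | tr -d ' ')
    echo $((before - after))
}

# Demo on a constructed temp file; the blob below is a placeholder, not a real key.
demo=$(mktemp -d)/authorized_keys
add_authorized_key "$demo" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERX alice@laptop" \
    && echo "added alice@laptop"
revoke_authorized_key "$demo" alice@laptop > /dev/null && echo "revoked alice@laptop"
```

Because the match ignores the comment, pasting the same key twice with different labels still yields one line, while revocation targets exactly the label you gave the key at generation time.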

@JSCybersec If I'm understanding correctly...
If my friend wanted to give me ssh access to her server, I could safely give her my pub key. She can add that to authorized_keys. But that file would NOT give HER access to my machines that use that key pair. Yeah? I have that right?
@hellomiakoda That is correct.
@JSCybersec Thank you very much, by the way. Whatever was different about your answers, it finally made it click for me. Now I understand that I can either have a different key for each of my computers, OR move 1 key between them.
For now, I have a different key on each, and I generated a separate extra key I copied into my password manager that I can use if I lock myself out.
@hellomiakoda I'm glad it clicked for you 😁

@hellomiakoda

I create a new keypair on each machine I own, and then use signal/email/etc to pass the public key between machines, appending it to the local authorized_keys file.

When I am starting from passwords, I use scp to copy the public key to the new machine before disabling password login.

@hellomiakoda via the first machine, whose ssh key is already there.