#rev 2020-09-09 bonaccos

{{{#!wiki caution
When connecting for the first time to an SSH server, the key point is always to verify the presented fingerprint of the remote SSH server.
}}}

== SSH Key-Based Authentication ==

An SSH server can authenticate clients using a variety of different methods. The most basic of these is password authentication, which is easy to use, but not the most secure. SSH keys prove to be a reliable and secure alternative.

To use this alternative you need a key pair with a public and a private key. You can generate a key pair with the command `ssh-keygen`:

{{{
user@host:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_rsa):
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/user/.ssh/id_rsa.
Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
d0:f5:bc:f8:16:da:5a:e3:5e:e5:ef:18:00:55:69:c8 user@host
The key's randomart image is:
+---[RSA 2048]----+
| ...o.. |
| . . +E o |
| . . . o. |
| . o . |
| S . + .|
| + o o |
| . * o .|
| = o o.|
| ..o ..o|
+-----------------+
user@chinaski:~$
}}}

The public key must be uploaded to the remote server that you want to be able to log into with SSH. The key is added to a special file within the user account you will be logging into, called `~/.ssh/authorized_keys`.

In our managed Linux client environment with a network shared home directory you can do this with:

{{{
user@host:~$ cat .ssh/id_rsa.pub >> .ssh/authorized_keys
}}}

To instead install the public key on a remote machine you can use the helper `ssh-copy-id`.

Now you are able to perform an ssh key-based login from client to client.
{{{#!wiki caution
If you do not protect the private key file with a passphrase, please be careful that nobody else can read this file. Generally this is not a good idea; it might be useful only in particular cases where a separate key is generated for an automation task and on the receiver side the key usage is restricted to that particular task. If somebody can read it, your identity has been stolen and can be used by this person on every target where you have placed your public key.
}}}

=== Prevent delays ===

A recent cause of delays with ssh connections is incorrect permissions on the directory `~/.ssh` and its contents. The delay typically occurs after the following lines, which are visible when an ssh connection is started verbosely with `ssh -vvv`:

{{{
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
}}}

To prevent this type of delay, make sure to only allow your user to read/write this directory and its contents. This can be achieved quickly by issuing the following command:

{{{
chmod -R go-rwx ~/.ssh
}}}

=== Public key pairs not used ===

The symptom is that no public key pairs are accepted for authentication and password authentication is used instead. With `ssh -vvv` you see lines like these:

{{{
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
}}}

If this happens, check if you have write permissions for group or others on your home directory. If this is the case, remove them:

{{{
chmod go-w ~
}}}
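As an added example that is not part of the original wiki page, the following POSIX shell script audits a home directory for both problems described above (the delay caused by group/other access on `~/.ssh`, and the fallback to password authentication caused by a group/other-writable home directory) and repairs them with the two `chmod` commands from this page. It assumes GNU `stat(1)` (with a BSD fallback); the function names `mode_of`, `report`, `check_ssh_perms` and `fix_ssh_perms` are chosen here.

```shell
#!/bin/sh
# Added example, not from the original wiki page: audit a home directory for the
# two permission problems described above and repair them with the page's own
# chmod commands. Assumes a POSIX shell and GNU stat(1), with a BSD fallback.

# Print the octal permission bits of a path, e.g. 700 (or 1777 with sticky bit).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# report PATH MODE MASK MESSAGE: print MESSAGE when any bit of MASK is set in MODE.
# The leading 0 makes the shell read MODE as an octal constant.
report() {
    [ $(( 0$2 & $3 )) -eq 0 ] && return 0
    printf '%s (mode %s): %s\n' "$1" "$2" "$4"
    return 1
}

# check_ssh_perms HOME_DIR: one line per problem; returns 0 only if none found.
check_ssh_perms() {
    home=$1 sshdir=$1/.ssh bad=0
    # Group/other write on the home directory: sshd (StrictModes) ignores
    # authorized_keys and the client falls back to password authentication.
    report "$home" "$(mode_of "$home")" 022 \
        "writable by group/others, run: chmod go-w ~" || bad=1
    [ -d "$sshdir" ] || { printf '%s: missing\n' "$sshdir"; return 1; }
    # Any group/other access on ~/.ssh or its contents causes the delay seen
    # after "we sent a publickey packet, wait for reply".
    for p in "$sshdir" "$sshdir"/* "$sshdir"/.[!.]*; do
        [ -e "$p" ] || continue   # unmatched glob, nothing to check
        report "$p" "$(mode_of "$p")" 077 \
            "accessible by group/others, run: chmod -R go-rwx ~/.ssh" || bad=1
    done
    return $bad
}

# fix_ssh_perms HOME_DIR: apply exactly the two commands given on this page.
fix_ssh_perms() {
    chmod go-w "$1"
    chmod -R go-rwx "$1/.ssh"
}

# Usage: check_ssh_perms "$HOME" || fix_ssh_perms "$HOME"
```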