SSH key generation

Posted on: August 28, 2007

The Enterprise Linux Resource
Title Making secure remote backups with Rsync
Date 2004.11.04 3:00
Author Beret

I have this posted strictly for the key generation commands. This article was about back ups using rsync, so if that sounds interesting to you then the link to the story is above.


Automatic backups

The first step in automating remote backups is to remove any required user intervention — namely requests for SSH passwords. To allow your systems to make an SSH connection without asking for a password, you must generate passphraseless keys. On the local machine, drop into the terminal and enter:

rsa V2 key generation
cd to dir you want the key in and…
$ ssh-keygen -t rsa -b 2048 -f id_rsa

Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase): [press enter here]
Enter same passphrase again: [press enter here]
Your identification has been saved in /home/user/rsync-key.
Your public key has been saved in /home/user/rsync-key.pub.
The key fingerprint is:
8c:57:af:68:cd:b2:7c:aa:6d:d6:ee:0a:5a:a4:29:03 user@localhost

Now copy the public key to the remote machine using Secure Copy:

scp ~/rsync-key.pub user@remotehost:~

Finally, put the public key into the authorized_keys file on the remote host. SSH into the remote machine using ssh user@remotehost.com and execute:

mkdir ~/.ssh
chmod 700 ~/.ssh
mv ~/rsync-key.pub ~/.ssh/
cd ~/.ssh/
touch authorized_keys
chmod 600 authorized_keys
cat rsync-key.pub >> authorized_keys

You should now be able to SSH into the remote machine without being asked for a password. Give it a try by closing your previous SSH session and creating another one by typing

ssh -i ~/rsync-key user@remotehost

These entries with no passwords can originate from any host and execute anything. You can add additional security by limiting what the SSH connection can do via the authorized_keys file. I don’t recommend employing any additional security until after your first backup in order to limit the troubleshooting process, but once you’ve completed that successfully, you can employ additional security by using SSH to connect to the remote machine and editing your ~/.ssh/authorized_keys file. It should look similar to:

ssh-dss AAAAB3NzaC1yc2EAAAABIwAAAIEAyNChQxw/+Da….=user@remotehost.com

To limit where connections are coming from, prefix the key with from=”ip.address”. To limit what command is executed, prefix the key with command=”/path/to/validating/script”. As an example, your secured authorized_keys file might look like:

from=”″, command=”/home/user/validate-rsync.sh” ssh-dss AAAAB3NzaC1yc2EAAAABIwAAAIEAyNChQxw/+Da….= user@remotehost.com


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: