Create self-contained SSH key scripts Network
I was playing around with making SSH access to a remote machine as easy as possible for my other half. Initially, I generated a key pair using ssh-keygen and installed the public key on the server as usual, and put the private key in a folder together with a .command script (a double-clickable shell script for Finder) like the following:
#!/bin/bash
# chimpy.command - Logs user bob into chimpy using private
# key bob.dsa

ssh -i ./bob.dsa bob@chimpy.sampsa.com
Alas, that did not work, as the .command file sets the current working directory to the user's home directory, not the directory it was executed from. Annoying. But then I realized that, as the key is actually a text file, why not make the key itself an executable script?

Luckily, SSH is clever enough to ignore any superfluous text in the key file, so I renamed the bob.dsa key file to chimpy.command and made it look like the following:
#!/bin/bash
# chimpy.command - Logs user bob into chimpy using private
# key included in this file

# $0 is the path of this script, so the script itself is the identity file.
ssh bob@chimpy.sampsa.com -i "$0"
# exit stops bash before it reaches the key text below.
exit

-----BEGIN RSA PRIVATE KEY-----
jXtyd8SY9+SPTtShJsTy8Ora21YJXT7SxZKyB7bFInDjOgD1B3n+FE8yjMBjCJ/yIN
HYb8fstlzoEcAqPPAuYWfsRBg7RM245GDJ3usSfSCfxMdk4kybGh9FXq51ddELZ4
352ne5AKBQuxy3XsoYnRsxHgg1jzbOlTJRUcojUK/t......
-----END RSA PRIVATE KEY-----
And it worked! I thought this was really quite cool: a single text file that you can move around and use to gain secure remote access to another machine.

[robg adds: This post originally appeared on the author's blog, and he granted permission to reproduce it in full here on macosxhints.com.]
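As an added example, not part of the original hint or of its comments: a small POSIX shell audit that finds files carrying an SSH private key (a plain id_dsa, or a self-contained .command like the one above) and reports whether each one is an executable script, is readable by group or others (which ssh refuses outright), or is protected by a passphrase. The directory argument and the file names in the comments are assumptions.

```shell
#!/bin/sh
# Audit a directory for files that carry an SSH private key, including
# "self-contained" scripts like chimpy.command, and report what matters for
# exposure: is it an executable script, can group or others read it, and is
# the key protected by a passphrase.

# Prints one line per key-bearing file:
#   <path> script=<yes|no> open_perms=<yes|no> encrypted=<yes|no>
audit_key_files() {
    find "$1" -type f | while IFS= read -r f; do
        grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null || continue
        # A shebang on line 1 means the key doubles as an executable script.
        case "$(head -n 1 "$f")" in
            '#!'*) script=yes ;;
            *)     script=no ;;
        esac
        # Columns 5-10 of ls -l hold the group and other rwx bits; ssh refuses
        # a private key unless all six are clear (mode 0600 or 0400).
        if [ "$(ls -ld "$f" | cut -c5-10)" = "------" ]; then
            open_perms=no
        else
            open_perms=yes
        fi
        # PEM keys mark a passphrase with "Proc-Type: 4,ENCRYPTED" or
        # "BEGIN ENCRYPTED PRIVATE KEY"; the newer OPENSSH PRIVATE KEY format
        # carries no such text marker, so "no" is only a best effort there.
        if grep -q 'ENCRYPTED' "$f"; then
            encrypted=yes
        else
            encrypted=no
        fi
        printf '%s script=%s open_perms=%s encrypted=%s\n' \
            "$f" "$script" "$open_perms" "$encrypted"
    done
}

# Prints how many key-bearing files are executable scripts or readable by
# group/others: the ones to fix first (chmod 600, or move the key into ~/.ssh).
count_exposed_keys() {
    audit_key_files "$1" | grep -c -e 'script=yes' -e 'open_perms=yes'
}

# Stand-alone use: sh audit_keys.sh <directory>  (script name is an assumption)
if [ $# -gt 0 ]; then
    audit_key_files "$1"
fi
```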
Create self-contained SSH key scripts
Authored by: phoyd on Sep 12, '07 08:15:50AM
Hmm. "Move around" is the last thing you should want to do with a file that contains your private key. This is probably even worse than moving around a file which contains your password. What's wrong with keeping the identity file in $HOME/.ssh/id_dsa like everyone else does? Also, ssh bob@chimpy.sampsa.com -i $(dirname $0)/bob.dsa is what you need if you want to address a file relative to the location of the script.

Create self-contained SSH key scripts
Authored by: randalla on Sep 12, '07 08:24:59AM
Feel free to use, hack, dismiss, whatever the following script that automates the creation of your private keys, transmitting them to the remote machine, and setting up the custom host in your ~/.ssh/config file:

~/bin/installSSHKey:
---- COPY BELOW THIS LINE ----
#!/bin/sh

USER="${1}"
HOST="${2}"
ALIAS="${3}"

if [ ! "${USER}" ] || [ ! "${HOST}" ] || [ ! "${ALIAS}" ]; then
    echo
    echo "Usage: installSSHKey username hostname alias"
    echo
    echo " username = Your username on the remote system (not necessarily your current username: `whoami`)"
    echo " hostname = The hostname (domain name or IP address) of the remote server"
    echo " alias = The ssh alias for this host to be created"
    echo
fi

if [ ! "${USER}" ]; then
    echo "No ssh username specified (EG: `whoami`)"
    exit 1
fi

if [ ! "${HOST}" ]; then
    echo "No hostname specified (EG: www.example.com)"
    exit 1
fi

if [ ! "${ALIAS}" ]; then
    echo "No ssh alias specified (EG: example)"
    exit 1
fi

cd ~

# Throws away every remembered host key, so the next connection to any
# host will ask you to accept its key again.
rm -f .ssh/known_hosts

if [ ! -d .ssh ]; then
    echo -n "Creating hidden .ssh folder in home directory..."
    mkdir -p .ssh
    chmod 700 .ssh
    echo "Done"
fi

if [ ! -r .ssh/config ]; then
    echo -n "Creating host configuration file..."
    touch .ssh/config
    chmod 600 .ssh/config
    echo "Done"
fi

# Match the whole line so that an alias which is a prefix of another
# (example vs. example2) is not mistaken for an existing entry.
if ! grep -q "^Host ${ALIAS}\$" .ssh/config
then
    echo -n "Adding host to config file..."
    cat >> .ssh/config <<EOF

Host ${ALIAS}
    HostKeyAlias ${ALIAS}
    Hostname ${HOST}
    User ${USER}
    Compression yes
EOF
    echo "Done"
fi

# Keys are created without a passphrase (-N ""), so anyone who can read
# the private key file can log in as you.
if [ ! -r .ssh/id_rsa.pub ]; then
    echo -n "Creating RSA private and public keys..."
    ssh-keygen -q -t rsa -f .ssh/id_rsa -N ""
    chmod 600 .ssh/id_rsa*
    echo "Done"
fi

if [ ! -r .ssh/id_dsa.pub ]; then
    echo -n "Creating DSA private and public keys..."
    ssh-keygen -q -t dsa -f .ssh/id_dsa -N ""
    chmod 600 .ssh/id_dsa*
    echo "Done"
fi

echo "Installing SSH public keys onto server: ${HOST}..."
echo "You will be prompted for your remote password."
# The public keys are read locally (backticks); the whole command string
# is then run by the shell on the remote machine.
ssh "${ALIAS}" "mkdir -p .ssh; \
echo '`cat .ssh/id_rsa.pub`' >> .ssh/authorized_keys; \
echo '`cat .ssh/id_dsa.pub`' >> .ssh/authorized_keys2; \
chmod 700 .ssh; \
chmod 600 .ssh/*"

if [ $? -ne 0 ]; then
    echo "An error occurred, please review your output"
else
    echo "Done"
    echo
    echo "You can now access the server ${HOST} by typing:"
    echo
    echo " ssh ${ALIAS}"
    echo
    echo "Commands can be performed without logging in by doing:"
    echo
    echo " ssh ${ALIAS} commandname"
    echo
    echo "Examples:"
    echo " ssh ${ALIAS} whoami"
    echo " ssh ${ALIAS} ps ax"
    echo " ssh ${ALIAS} tail -f /var/log/system.log"
    echo
fi

chmod 600 .ssh/*
---- COPY ABOVE THIS LINE ----

The above script, which I named installSSHKey, would be executed as such:

installSSHKey username hostaddress alias
or
installSSHKey myusername ssh.example.com example

When run, it'll kill off the .ssh/known_hosts file (it's lazy), ask you to authorize the host, ask you to enter the user's password on the remote machine, and then do its magic. Note, the script is smart enough not to pollute your ~/.ssh/config file with duplicate custom host entries. However, it's not smart enough to check if you've changed anything in the host entry, like the host address. If you do that, you need to first remove the entry from .ssh/config and then run this script. Or you could make it better yourself :)

You could then use a .command wrapper to this to set up specific hosts directly:

foo.command:
---- COPY BELOW THIS LINE ----
#!/bin/sh

installSSHKey username hostaddress alias
---- COPY ABOVE THIS LINE ----

---
Xaren Development
http://www.xaren.net

Create self-contained SSH key scripts
Authored by: archdata on Sep 12, '07 08:44:36AM
The above script works like a charm.

Just a small note - the ALIAS (for those that don't know - like me for about 20 minutes) is the Name you want to give the computer you are connecting to.

Therefore, to connect to your home computer called "FooBar" you could use the command

installSSHKey USERNAME (Your name) HOST (www.example.com) ALIAS (FooBar)

To use this alias you can now type "ssh FooBar" on the command line and you are connected to your home computer.

The alias can be whatever you want it to be as long as it makes sense to you.

Create self-contained SSH key scripts
Authored by: devlogic on Sep 12, '07 10:21:24AM
Alternately, you can edit ~/.ssh/config to add a stanza like this:

Host chimpy
Hostname chimpy.sampsa.com
User bob
IdentityFile /Users/bob/.ssh/id_dsa


Then all you need to have in your .command file is (to re-phrase the original example):
#!/bin/bash
# chimpy.command - Logs user bob into chimpy using private
# key
ssh chimpy
exit

It's also more convenient this way if, for example, you've had a security breach and needed to change your SSH keys. If you've got the keys all in one location, it's much easier to just over-write the compromised keys than it is to edit 30 different .command files.

Create self-contained SSH key scripts
Authored by: n8gray on Sep 12, '07 11:47:17AM

It's a nice trick, but I don't get it. What good does it do to have a script that you double-click on to ssh to another machine? The ssh session will end as soon as the script does -- i.e. in a fraction of a second. And why ssh to another machine if you don't want to use the command line?

Is this meant to be used in a script that actually *does* something on the other machine? If the point is just to access files on the other machine, take a look at MacFUSE and SSHFS. They make more sense for that task.

Create self-contained SSH key scripts
Authored by: bugmenot on Sep 12, '07 01:11:49PM
You can also use Gentoo keychain to ssh into another machine without typing a password. It takes some reading to figure out how to set it up, but once you do, it just works.

Create self-contained SSH key scripts
Authored by: gloubibou on Sep 13, '07 01:11:02AM
You can set the working directory in the .command script to be the .command file's parent directory: cd "$(dirname "$0")"

Create self-contained SSH key scripts
Authored by: gshenaut on Sep 13, '07 07:37:51AM
I find SSHkeychain to work pretty well.

Greg Shenaut

Don't do that!!!
Authored by: ScienceMan on Sep 13, '07 02:55:32PM

Good heavens! I can't believe you have just published your private key!

After you change your ssh keys and scrub every location on any computer that might accept them of any authorized_keys entries corresponding to this that you may have put in, you might want to re-think this entirely.

Don't do that!!!
Authored by: ScienceMan on Sep 13, '07 03:01:04PM

OK, I see it is truncated now.

In any case, it is dangerous to store or ship around files containing your private key. The whole point of this kind of cryptography is to only have to transmit a token that is NOT your private key in order to be able to log in.

If you are going to do this, you might as well just revert to plain username / password login methods, as you have bypassed the most valuable part of the cryptography here.

Create self-contained SSH key scripts
Authored by: FriendlyMacLover on Sep 13, '07 10:42:15PM

I found it easier to do "Save As" from Terminal, and name it for the system you want to log into, then edit the .term file (it's a standard XML preferences file) and look for <key>ExecutionString</key>; following it is usually a <string></string>. Simply insert "exec ssh -Y remote_host_name -l remote_user_name" so it looks like this:

<key>Execution String</key>
<string>exec ssh -Y mymachine.com -l iamgeorge</string>

When you double click this .term file it will launch Terminal and log into the remote machine automatically.

(By the way, the -Y option forwards X11 packets to the Mac desktop; if you have X11 running on the Mac, it can display X windows from the remote system. You may have to set and export DISPLAY=:0.0 in the hidden .profile file in your home directory.)
