This is a brief guide to creating a public/private key pair that can be used with OpenSSH. While the 'easy' version will work, I find it convenient to generate a single PEM bundle and then export the private/public key from that as needed. This document also covers how to add and remove a password from your private key and how to make sure that Keychain will automatically unlock it when you sign in.
Just make it work
Generate an ssh key-pair:
If you just pound enter through the setup procedure then you will end up with a new key pair created in the default location, /Users/yourname/.ssh/. There will be two files: id_rsa (the private key, which never leaves your machine) and id_rsa.pub (the public key).
When a server administrator asks for a copy of your public key, send them a copy of the id_rsa.pub file. They'll be able to add it to your user account's list of authorized keys, and that will enable you to log in without typing a password.
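The non-interactive form of the easy path, as an added example (these are not the gist's own commands): it generates the same id_rsa/id_rsa.pub pair into a directory you choose and prints the public key's fingerprint, so you and the administrator can confirm that the key they installed is the one you sent. The function names, the passphrase argument and the comment string are this example's own choices.

```shell
#!/bin/sh
# Added example, not the original gist's command line. quick_keypair and
# fingerprint are names chosen for this example.
set -eu

# quick_keypair DIR PASSPHRASE [COMMENT]
# Produces DIR/id_rsa (private, created 0600 by ssh-keygen) and DIR/id_rsa.pub.
quick_keypair() {
    dir=$1; passphrase=$2; comment=${3:-"$(id -un)@$(hostname)"}
    (umask 077 && mkdir -p "$dir")
    # ssh-keygen would ask before overwriting; fail loudly instead so a
    # script never clobbers a key that is already installed somewhere.
    if [ -e "$dir/id_rsa" ]; then
        echo "refusing to overwrite $dir/id_rsa" >&2
        return 1
    fi
    # -N supplies the passphrase that would otherwise be prompted for. It
    # lands in this process's argv, which other local users can read with
    # ps, so on a shared machine omit -N and answer the prompt instead.
    ssh-keygen -q -t rsa -b 4096 -N "$passphrase" -C "$comment" -f "$dir/id_rsa"
}

# fingerprint PUBKEY_FILE
# Prints "4096 SHA256:<hash> <comment> (RSA)". Read the hash back to the
# administrator and have them run ssh-keygen -lf on the copy they received.
fingerprint() {
    ssh-keygen -lf "$1"
}

# Usage: sh quick_keypair.sh ~/.ssh 'your passphrase'
if [ "$#" -ge 2 ]; then
    quick_keypair "$1" "$2"
    fingerprint "$1/id_rsa.pub"
fi
```

The fingerprint is the thing worth comparing out of band: the public key file is long and easy to paste incorrectly, and an attacker who can tamper with the file in transit can swap in their own key, but cannot make it hash to the value you read off your own screen.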
Doing it the hard way
This method involves creating the keys as a bundle, exporting the public key and manually setting the permissions on all of the paths. You'll also have to configure OpenSSH to use your new bundle for authentication.
A summary of the steps follows:
Rationale
I prefer to generate a key using OpenSSL directly, then export the private or public key in whatever format is needed. The benefits of this approach are three-fold:
Default software and Mac OS X
In order to generate the key I prefer to use OpenSSL directly rather than the ssh-keygen tool. While it is possible to pass flags to ssh-keygen, using OpenSSL gives us access to options that are not available in the standard Mac OS X version of SSH, without requiring us to build the SSH client from scratch.
Update OpenSSL
Unfortunately the version of OpenSSL that ships with Mac OS X is rather dated, so it is missing some of the features of the latest versions. One of those features is the genpkey command, which is the new recommended way to generate keys. Assuming you have Homebrew installed (see: https://brew.sh) you can install an up-to-date version of OpenSSL with:
Many packages that you install with Homebrew are likely to depend on OpenSSL anyway, so this is not a terrible idea even if you don't care about using OpenSSL directly.
Updating OpenSSH
If you're interested in rebuilding OpenSSH you should link against LibreSSL so that passwords can be stored in your keychain.
This is a relatively new option and caution should be taken because compatibility may not be perfect. LibreSSL is not intended to be a 1:1 replacement for OpenSSL.
It appears that just building OpenSSH will not have it request key information from the Mac OS X Keychain, nor will it automatically start ssh-agent, so there may be some troubleshooting required if you prefer to go this route. I do not build a new version of SSH.
Creating directories
OpenSSH requires that keys be stored in ~/.ssh, and that path must be restricted so that only the user can access it. It also requires that any identity files be accessible only by the user. Permissions for ~/.ssh/config can be more relaxed, but it is good practice to keep it private so as not to leak information about user names or the servers you connect to.
Create the directories by running:
While this will create the directory, you will still have to change the default permissions: read, write and execute for the owner and no access for any other user (mode 0700). Recall that the execute bit on a directory is what lets you enter it and reach the files inside; the read bit is what lets you list its contents, and ~/.ssh needs neither for anyone but you.
You might want to create an empty ssh config file and set appropriate permissions now, so that you don't have to remember how to do it later when there's some problem and you are half-asleep, drunk, and responding to a PagerDuty alert.
You can save a few copy steps if you're following this guide by changing into your ssh path for the remaining steps:
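The directory and config setup above, as an added example rather than the gist's own commands, with a check you can re-run later when ssh starts ignoring a key. The function names and the directory argument are this example's; pass ~/.ssh (or the path under test) explicitly.

```shell
#!/bin/sh
# Added example, not from the original gist. setup_ssh_dir and
# check_ssh_dir are names chosen here; DIR is normally ~/.ssh.
set -eu

# setup_ssh_dir DIR
# Creates DIR as 0700 and an empty DIR/config as 0600 without clobbering an
# existing config. umask 077 means the directory and file are private from
# the moment they exist rather than being chmod'ed after the fact.
setup_ssh_dir() {
    dir=$1
    (
        umask 077
        mkdir -p "$dir"
        [ -f "$dir/config" ] || : > "$dir/config"
    )
    chmod 0700 "$dir"
    chmod 0600 "$dir/config"
}

# check_ssh_dir DIR
# Succeeds if DIR is exactly 0700 and every regular file directly inside it
# is 0600 or 0400, the two modes OpenSSH will accept for a private key before
# it refuses with "Permissions ... are too open". *.pub files are exempt:
# ssh never checks them, since they hold nothing secret.
check_ssh_dir() {
    dir=$1
    dirbad=$(find "$dir" -prune ! -perm 700 -print)
    filebad=$(find "$dir" -maxdepth 1 -type f ! -name '*.pub' \
        ! -perm 600 ! -perm 400 -print)
    if [ -n "$dirbad$filebad" ]; then
        printf 'wrong mode (want 0700 on the directory, 0600/0400 on files):\n%s\n%s\n' \
            "$dirbad" "$filebad" >&2
        return 1
    fi
    return 0
}

# Usage: sh ssh_dir.sh ~/.ssh
if [ "$#" -ge 1 ]; then
    setup_ssh_dir "$1"
    check_ssh_dir "$1"
fi
```

The check uses find's exact-match -perm so that a stray group-read bit shows up as an error rather than being masked by a looser "at least these bits" test.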
Generating keys
The first step to generating keys is to create the bundle using OpenSSL. This approach allows us to specify a few extra options when creating keys that are normally hidden by ssh-keygen:
The options are:
When generating the key you will be prompted for a password. Make sure to use a very strong, unique, random password for this file. You won't have to type it in regularly, so generate it with your password vault. In a pinch you can generate a random password using OpenSSL via openssl rand -base64 48.
When the bundle has been generated, copy it to your ~/.ssh folder and change its permissions accordingly:
I prefer to make the bundle read-only for my user so I never accidentally edit it or strip the password. chmod 0600 ~/.ssh/yourname.pem would also work if you don't mind it being editable by your user.
Extracting the public key
You'll want to be able to send the public key to other people and leave it on other computers without risking your private key. The easiest way to export your public key is with ssh-keygen, whose -y option reads a private key file and prints the matching public key to standard out.
You can always redirect that to a file if you want to send it via email or copy it via SFTP. Generally I prefer not to keep a copy of my public keys on disk, so that I am justified in always treating ~/.ssh as a secret.
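The "Generating keys" and "Extracting the public key" steps above, carried through end to end as an added example (not the gist's own command lines): an encrypted 4096-bit RSA bundle from openssl genpkey, locked to 0400, and the OpenSSH-format public key derived from it. It differs from the text in one deliberate way: the passphrase is handed to openssl through the environment rather than typed at a prompt or placed on the command line, and the public key is obtained by converting the PEM public half with ssh-keygen -i -m PKCS8 instead of ssh-keygen -y, so the passphrase is never given to ssh-keygen at all. make_passphrase, make_bundle, the KEY_PASS variable and the yourname.pem file name are this example's own.

```shell
#!/bin/sh
# Added example, not the original gist's commands. make_passphrase,
# make_bundle and KEY_PASS are names chosen for this example.
set -eu

# The random passphrase the text suggests. Keep it in the environment and
# let openssl read it with -pass env:, so it never appears in argv, which
# every other local user can read with ps.
make_passphrase() {
    openssl rand -base64 48
}

# make_bundle SSH_DIR NAME
# Writes SSH_DIR/NAME.pem (4096-bit RSA, AES-256-encrypted PKCS#8, mode 0400)
# and prints the matching "ssh-rsa AAAA..." line. Requires KEY_PASS exported.
make_bundle() {
    ssh_dir=$1
    name=$2
    bundle="$ssh_dir/$name.pem"
    # mktemp creates the file 0600; the key is written there and renamed so
    # a half-written bundle is never left at the final path.
    tmp=$(mktemp "$ssh_dir/.$name.XXXXXX")
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 \
        -aes-256-cbc -pass env:KEY_PASS -out "$tmp"
    chmod 0400 "$tmp"
    mv "$tmp" "$bundle"
    # Public half only (BEGIN PUBLIC KEY). Decrypting the bundle needs the
    # passphrase, but the conversion to OpenSSH format does not, so ssh-keygen
    # never sees it. The intermediate PEM is removed: the text's habit is to
    # keep no public key on disk, and the line printed here is all that is needed.
    pubtmp=$(mktemp "$ssh_dir/.$name.pub.XXXXXX")
    openssl pkey -in "$bundle" -passin env:KEY_PASS -pubout -out "$pubtmp"
    ssh-keygen -i -m PKCS8 -f "$pubtmp"
    rm -f "$pubtmp"
}

# Usage: sh make_bundle.sh ~/.ssh yourname
# Prints the public key on stdout and the passphrase on stderr; put the
# passphrase in your password vault before closing the terminal.
if [ "$#" -eq 2 ]; then
    KEY_PASS=$(make_passphrase); export KEY_PASS
    make_bundle "$1" "$2"
    echo "passphrase (store it in your vault): $KEY_PASS" >&2
fi
```

A quick sanity check after running it: the first line of the .pem should read BEGIN ENCRYPTED PRIVATE KEY. If it says BEGIN RSA PRIVATE KEY or BEGIN PRIVATE KEY the passphrase was not applied and the file is a plaintext key.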
Configuring OpenSSH
Remember to edit your ~/.ssh/config to specify this bundle as the default identity file by adding the line:
Alternatively you can specify it on a host-by-host basis using ssh command-line options: ssh -i ~/.ssh/yourname.pem example.com -l someuser. When you are prompted for a password, remember that you should enter the one used when creating the bundle, not the login password for your computer or for the remote system you are connecting to.
Finally, you should consider adding the key to your Mac OS X Keychain using:
This will store the password in the login Keychain, which is unlocked automatically whenever you sign in. Storing your password this way means you won't have to re-type the password you used when creating the bundle in order to use it.
Using ssh -i ~/.ssh/yourname.pem foo.example.com will also add your key to Keychain.
Public Keys and Github.com
It's a good idea to add your public key to github.com so that you can pull from privaterepositories and push changes to your public repositories. You can do this at:
Once you've uploaded your public key, other users can download it by going to
For example, my public key is located here: https://github.com/colinstein.keys
You may want to create different key pairs for different repositories or organizations and then use ~/.ssh/config and local .gitconfig files to manage those relationships.
After generating keys in the above manner for each GitHub account, you can configure ssh by editing ~/.ssh/config and adding entries like the following for each account:
When cloning a repository you would then clone from the appropriate host:
You can also change an existing remote by editing the .git/config inside the checked-out repository:
Git also provides a number of ways to configure SSH via git config and git remote add foo git@github.com:somegithubuser/somerepo.git. A full run-through of those options is well outside the scope of this gist.