The time has now come that I need to be able to connect to my home machine from work and other locations. SSH provides a very nice solution to this problem. It is secure and simple, and good clients exist for both Windows (PuTTY) and Linux (OpenSSH).

Getting a Key

Before I go into setting up the server I will first talk about creating the keys required for a secure connection. It is possible to use just usernames and passwords, but SSH has good support for RSA, so it is worth setting it up to use RSA and gain a little security and a lot of convenience.

OpenSSH has support for two protocol versions numbered 1 and 2 (what a surprise). I am going to exclusively use version 2 and an RSA key. I have read in a couple of places that the DSA keys can be broken in some implementations so it is not worth taking the risk.

You need to generate a key on each machine that will connect to your server. The user that will own the key must create the key and they must do it on the machine that they will be connecting from. In this example we have two machines C and S (for client and server).

So log in to machine C and enter the command:

ssh-keygen -t rsa

This will create two files for you, a private key at ~/.ssh/id_rsa and a public key at ~/.ssh/id_rsa.pub. Note: It is VERY important that you don't expose the private key to the outside world. If you do, people could "steal your identity".

The "authorized_keys" File

The authorized_keys file is the file used by the server to determine whether to allow you access to the machine or not. Setting up this file sounds complex at first but is actually just a matter of concatenating the public key generated above on to the end of this file. If the file does not exist, use touch to create it first. Enter the commands as seen below, making substitutions where appropriate.

Note: These commands were run in the ~/.ssh/ directory. Also note that you have to have the authorized_keys file in the .ssh directory of every user that you want to be able to ssh in as; it is not a global thing.

touch authorized_keys
cat id_rsa.pub >> authorized_keys
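
The same step as a shell function, added here as an illustration and not part of the original article: it refuses a private key, sets the directory and file permissions, and does not append a key that is already present. The name install_pubkey and its arguments are hypothetical; it assumes id_rsa.pub has already been copied from C to S and that it is run on S as the user being logged in to.

```shell
#!/bin/sh
# Added example, not from the original page. install_pubkey and its
# arguments are hypothetical names chosen for this illustration.
# Usage: install_pubkey PUBFILE [SSHDIR]   (SSHDIR defaults to ~/.ssh)
install_pubkey() (
    pub=$1
    dir=${2:-"$HOME/.ssh"}
    auth="$dir/authorized_keys"

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; exit 1; }

    # Guard against picking up id_rsa instead of id_rsa.pub.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub is a private key, refusing" >&2
        exit 2
    fi

    # A public key is one line: "<type> <base64 blob> [comment]".
    line=$(head -n 1 "$pub")
    case $line in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) echo "$pub is not an OpenSSH public key" >&2; exit 3 ;;
    esac

    # With StrictModes (the sshd default) a group- or world-writable
    # ~/.ssh or authorized_keys makes sshd ignore the key.
    umask 077                      # subshell body: caller's umask untouched
    mkdir -p "$dir" && chmod 700 "$dir" || exit 4
    touch "$auth" && chmod 600 "$auth" || exit 4

    # Match on type + blob so a changed comment is not a new entry.
    blob=$(printf '%s\n' "$line" | awk '{print $1 " " $2}')
    if grep -qF -- "$blob" "$auth"; then
        exit 0                     # already installed
    fi

    # If the last line lacks a newline, add one so keys do not merge.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$line" >> "$auth"
)
```
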

Other Tasks

That's about it really. It goes without saying that you have to open the firewall on the appropriate port (22) or no one will be able to get in. You can set up a file that will be displayed when a user attempts to log in to your machine. This can be a friendly warning or some such. As you can no doubt guess, it has to be a plain text file.

Automatic Login Using The ssh-agent

Now that we are logging in using keys it makes sense to have that login happen automatically without the need to use a password. This can be achieved using the SSH Agent, which holds on to your keys and supplies them when needed. The best way to do this is to have the SSH Agent start when you log in. It will then provide its magic to all applications that are started. It is important, however, to understand that this is a security risk since anyone who gains access to your desktop, say while your back is turned, can pretend to be you.

The SSH Agent can be used to start another application so, eventually, we are going to make it start our desktop environment for us. Initially, however, I will quickly show you how to get the agent running and providing services to just one application.

Setting up the SSH Agent For One Application

Open a console window and enter the command (this assumes you use a bash shell)

ssh-agent bash

This will create a new bash shell inside the current one. Unfortunately it doesn't provide any feedback, so it looks like it hasn't worked. The difference is that this new shell is running under the SSH Agent and therefore has access to the agent's magic. You now have to add your keys to the agent, which is done by running this command in the same window:

ssh-add

You can provide arguments to this command but by default it picks up the most common keys. Since you will have password protected your keys you have to enter the password to give ssh-add access to them. If you are not at a console when you run this command you will get a new window asking you for the password. Note: You must have an "askpass" program installed for this to work. There are three currently in Debian; they are:

gtk-led-askpass - GTK+ password dialog suitable for use with ssh-add
ssh-askpass - under X, asks user for a passphrase for ssh-add
ssh-askpass-gnome - under X, asks user for a passphrase for ssh-add

I prefer the last one which provides the nicest GUI. You only see it once per login though so I suppose it doesn't matter :o)

Setting up the SSH Agent For All Applications

By default Debian sets it up such that the X session is started by the ssh-agent. If you look in "/usr/X11/Xsession.options" you should see a line "use-ssh-agent" which causes the X session to be started by the agent. It is then simply a matter of calling the ssh-add program, which can be done either by hand or by placing a ".desktop" link in your "~/.kde/Autostart" folder. This is best done with Konqueror and goes under the name "Link to application..."
