SSH connections without a password

One of the basic ways of connecting to a FreeBSD server is through a secure shell, commonly referred to as ssh.

The most basic usage of an ssh connection is to give you a full-fledged command prompt on the remote machine. However, the ssh connection can also be used as a tunnel for countless other things, such as file transfer, rsync, or even accessing systems on the network of the remote machine, by tunneling ports from the ssh server to the local machine.

By default, any ssh client requires the password of the remote account. However, by setting up a public/private key pair and storing the public key on the server, any client in possession of the private key can connect automatically. This is especially useful if the connection is to be used by an automated script, such as a backup service. In this post, I’ll explain how to set up such a connection between two FreeBSD machines.

Creating the public/private key pair

This is easy. Go to the home directory of the account from which you want to connect to the remote machine, and type:

[root@thunderflare ~]# ssh-keygen

It will prompt you for a filename and a passphrase. The filename can be anything you want, but make sure to put it in the ~/.ssh/ directory. The passphrase should remain blank (otherwise you’ll still need a password).

You should now have a {keyname} and a {keyname}.pub file. The .pub file is the one you'll store on remote machines, while the other file (the private key) should be kept securely on this machine. Make sure the ~/.ssh directory is accessible only by the user, with group and other permissions set to zero.

Storing the public key on the remote machine

We now need to store the public key on the remote machine and make sure that machine knows to accept connections using that key.

[root@thunderflare ~]# cat ~/.ssh/{keyname}.pub \
| ssh remoteuser@remote.example.com \
'cat >> ~/.ssh/authorized_keys'

This is a composite command that pipes the contents of the public key file through an ssh connection and appends it to the authorized_keys file on the remote machine. The authorized_keys file is where the remote ssh server looks to see if the user trying to connect has a public key available.

However, right now, everyone in possession of your private key is able to connect using that key. If you know that you'll only be connecting from a single IP address (for example, if you're using this in an automated script), you can increase security by telling the remote server to only accept connections using that key from certain addresses. To do this, first connect to the remote server. This should now be possible by just typing:

[root@thunderflare ~]# ssh remoteuser@remote.example.com

Now edit the ~/.ssh/authorized_keys file using your editor of choice. If there are multiple keys in the file, find the one that ends with the username and servername from which you created the public key. At the beginning of that line, add

from="{IP_ADDRESS}" ssh-rsa ...etc

where {IP_ADDRESS} is a comma-separated list of IP addresses that you want to connect from.

Save the file, close the connection, and you’re done. You can now connect free of passwords to the remote machine.
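The two checks above (the ~/.ssh permissions and the from="..." restriction) can also be done without an editor. The script below is an added example, not part of the original post: check_ssh_dir verifies that a directory grants no group/other permissions, and restrict_key prepends from="IPLIST" to the authorized_keys line whose trailing user@host comment matches, skipping lines that already carry options so it can be run twice safely. It assumes the standard OpenSSH authorized_keys format with one key per line; the sample keys and addresses are constructed placeholders.

```shell
# Added example (not from the original post). Assumes OpenSSH authorized_keys
# format, one key per line, with ssh-keygen's user@host comment as last field.

# check_ssh_dir DIR: returns 0 when the group and other permission bits are all off.
check_ssh_dir() {
    perms=$(ls -ld "$1" | cut -c5-10)   # group+other part of "drwx------"
    [ "$perms" = "------" ]
}

# restrict_key FILE COMMENT IPLIST: add from="IPLIST" to the matching key.
# Lines that already start with an option field (not a key type) are left
# alone, so running it twice does not stack two from= clauses.
restrict_key() {
    file=$1; comment=$2; iplist=$3
    tmp="$file.tmp.$$"
    awk -v c="$comment" -v ips="$iplist" '
        $NF == c && $1 ~ /^(ssh-|ecdsa-|sk-)/ { print "from=\"" ips "\" " $0; next }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# key_options FILE COMMENT: print the option field of the matching key
# (empty output when the key carries no options).
key_options() {
    awk -v c="$2" '
        $NF == c { if ($1 ~ /^(ssh-|ecdsa-|sk-)/) print ""; else print $1 }
    ' "$1"
}

# demo_setup: build a constructed .ssh directory with two placeholder keys
# (the key material is fake) and print its path.
demo_setup() {
    d=$(mktemp -d)
    chmod 700 "$d"
    printf '%s\n' \
        'ssh-rsa AAAAB3NzaC1yc2E_FAKE_KEY_1 root@thunderflare' \
        'ssh-ed25519 AAAAC3NzaC1lZDI1_FAKE_KEY_2 backup@otherhost' > "$d/authorized_keys"
    chmod 600 "$d/authorized_keys"
    echo "$d"
}

# Usage: restrict root@thunderflare's key to two addresses and show the result.
d=$(demo_setup)
restrict_key "$d/authorized_keys" root@thunderflare "192.0.2.10,192.0.2.11"
cat "$d/authorized_keys"
rm -rf "$d"
```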
