ssh-copy-id on OSX

Wednesday August 13, 2014

To quote a tutorial from the Digital Ocean:

SSH keys provide a more secure way of logging into a virtual private server with SSH than using a password alone. While a password can eventually be cracked with a brute force attack, SSH keys are nearly impossible to decipher by brute force alone.

Normal login procedure into the VPS/server requires password, which is vulnerable to brute force (tho this can be avoided by using certain security strategies, e.g. using non-standard port for SSH, using fail2ban to detect and deny connection, couple of iptables tricks for security paranoids). Here, let’s talk about using SSH keys, the public and private keys (sometimes it is called as password-less login, because the keys already act as credentials).


Private key: The key you keep on your PC, and never give to anyone else.
Public key: The key you distribute, and in this case, the key you will place on the server

This private-public keys recognize each other.

Getting ssh-copy-id on OSX

Install ssh-copy-id through the Brew, as simple as brew install ssh-copy-id. Then, assuming you do not have the key pair yet, generate it by issuing this command ssh-keygen -t rsa, and few questions follow shortly, which are 1) location to save the key (the default is perfectly fine), 2) entering passphrase. This passphrase is some sort of password for the key pair itself (which is a good security practice if you enter it). Without passphrase, virtually anyone with the key pair can use it (guess you got the idea now).

Done installing ssh-copy-id and generating the key pair? Proceed with:

ssh-copy-id [email protected]

The command above will place the public key on the server. Next, logging into your server would require no more password (unless you are working on the PC that doesn’t have your key pair that you previously generated).

When I was setting up a fresh Docker instance, and tried to get the OpenSSH server working on it, I found out something interesting.

apt-get install openssh-server
service ssh start

cd /etc/ssh/
ssh-keygen -A   // if ssh says "couldn't load host key"
passwd root   // if root doesn't yet have password
service ssh restart

So yeah. The SSH configuration folder inside the /etc needs to have all the keys.