I’ve chosen to set up my development environment with two servers – a mysql central server, and an app server on which rails runs. This reflects my eventual intent – that the production system will have the mysql database separate from the app server, I’m figuring it’s easier to work that way. I spend a lot of time ssh’ing between these servers, and a bunch of tools such as scp and git run over top of ssh.
My aim in this post is to configure for a bit more security – I’m setting up so that you use public keys to logon rather than providing a password. This is easier/quicker to log on, but actually more secure than using a password.
The process here is pretty simple. The user that you’re logging on from needs to have a private key / public key pair in their ~/.ssh directory, the user that you’re logging on to on the second server needs to recognise that public key within the .ssh/authorized_keys file. (Note the American spelling, I spent about half an hour once trying to work out what had gone wrong before I noticed that).
I’m going to label the servers “ServerA” and “ServerB” just to make it easy, and the user that we’re using will be called “paul”.
Logon to ServerA as paul. Generate certificates for paul in his .ssh directory.
cd ~ mkdir .ssh ssh-keygen
I don’t put passwords on my certificates, which means I’m relying on my permiter security – that is to say, if you were to compromise one of my machines you could get to every other one of my machines since they all trust each other and have no passwords on the certificates. For a development environment that’s not internet accessible I consider that sufficiently safe, you might make a different decision.
Take a copy of the contents of ~/.ssh/id_rsa.pub to your clipboard or into a text editor. It should be something like:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPJ8QciOzh8LRJUmBnAAcgx5fMjQh+GQvgV8MLhcMZP07ssnqxySDce4yp9+85dj7sIRhMJCJYsXe4hwqVvaFCsw5pWLq2zvS17ug0n09nZhNhAnihr+aQ03gvT37LLKBYTVEmUJ+gcmCpscxM39PyRQgNC6wd1rqNlwxYaJyVRCVsl0HrE05wRGV8GyFHNFZpilRB7ni/3fmI7sCu83uCYFyeGHAL9MOCyPVvKlojuY1K1ZbJlMmzUiTPYFttRFrYHIZSJDDLeI+kISVCsIBh1RK7Y2L+2eFylDza/TD6uhHw7ZQqd3l/FsdFrmIOYpJ9LlvdPLK4ljOSrCdVJZ+V paul@ServerA
Next, logon to ServerB as paul:
Create an .ssh directory if necessary, and create certificates there as well, just in case you want to logon from ServerB to ServerA at some point.
cd ~ mkdir .ssh ssh-keygen
Edit the authorized_keys file, and paste in the public key that you copied from ServerA.
Copy the contents of ServerB id_rsa.pub into your clipboard or notepad.
Log out of ServerB, so you’re now back on ServerA. Edit the authorized_keys file on ServerA, and paste in the public key that you copied from ServerB.
Now ssh to ServerB again. You should be automatically logged on. Try also to ssh back from ServerB to ServerA, you should also be automatically logged on.
This configuration should also automatically apply to git and to scp, making your life easier and faster