SSH without passwords, an intuitive explanation

..because I’ve never seen one.

LOTS of things in computing are badly named. I’m going to fix that. Public/private keys are certainly one of them. Let’s focus on when using them to log in to remote servers with SSH without a password.

Here’s a good way to think about it: Forget the idea that you’re creating two keys. You’re creating a lock and a key for that lock.

The “public key” is NOT a key at all. It’s a *lock*. Think either a padlock or combination lock.
The private key IS actually a key, it’s the key or combination for that lock.

Let’s say you’re trying to connect to a server called “remote” from a computer at “home.” Thus, “home” needs a key, and “remote” needs a lock. Here’s what needs to be done.

1) create the key and the lock at “home” (which you do at the same time.)

ssh-keygen -t rsa

(all the defaults are fine)

2) Next, put your new lock on “remote.”

ssh-copy-id user@remote

Done. That’s the *necessary* stuff. Now, because you are disabling passwords, here are some things you’re going to want to think about that I’m not going to cover here:

– You’ve made a key that can open a server, so now whoever has that key can do so. Keep it safe. Think about permissions and who has access to “home.”

– If you have multiple clients and multiple servers? The analogy sort of fails a bit here, multiple locks on one server means EACH individual key can open it, you don’t need all of them. That being said, you still probably want to do it this way, i.e. make one key(pair) for each home/client, not for each server.

On trusting technology

There is a large metal mechanical door; it has the potential force to medically decapitate a human being, more than enough to crush a human hand. Yet, as it closes, a guy waves his hand in front of it without thought. In order to let me, a stranger, inside. It magically opens, as it has been taught to do.

Inside, another guy, presumably in a hurry, presses the “close door” button many times in rapid succession. Presumably, this is to try to make the door close faster. Though, I bet if you asked this guy if he really believed this would work, he’d probably say no.

A strange trust relationship we have with technology.

A person, in the privacy of their home, creates a private document intended for one other person. Along with its deeply personal value, in the wrong hands, this document could potentially be sold for an amount in the range of six figures.

This person more-or-less trusts the process by which this happens, kind of. Here is what happens. The document is locked down and sent on its way. Law enforcement secures and unlocks a copy for themselves.  Regardless, most of the rest of the way to its destination, it is mostly secure.

But the first destination isn’t the final destination. The first destination is a storehouse, somewhere. Again, the document is unlocked and multiple copies are made and sent to other storehouses. Only after that is the document repackaged and sent to its intended recipient.

The system that did this, its entire purpose could be summed up as “A large robust international network designed for the sole purpose of making perfect copies of things and sending them everywhere.”

A popular metaphor for part of this system is quite literally nebulous; an amorphous vapor mass out of arms’ reach, completely ungraspable, forming and disintegrating with the wind.

A thief steals the document, naturally.

People are outraged, disgusted, titillated, concerned.  But nobody, really, is surprised.

The original sender has made casual statements about these sorts of documents, a fair paraphrasing would be, “I do not know how to make copies of my own documents for my own safekeeping; amorphous blob, just figure it out for me.”

With all due apologies to Jennifer Lawrence, the subject of the second example if you haven’t figured it out by now.

Skeptical tech geeks will be tempted to wag fingers. “I told you so, this is what you get for trusting the cloud.”  (Count me as one of them, I have done this before and will almost certainly do it again.)

This may be correct. But of course, this isn’t good enough; this isn’t something that dumb people do, this is a paradox (everything can be hacked and I’m trusting it anyway) that basically *everyone* is doing.

The major questions we ought to tackle: How did this happen? (not just the hack, but *all* of it?)

And what are we going to do about it?

 

 
– remarks from the first lecture of my Fall 2014 “Technologies for Information Professionals” class