We use SSH all the time, but not everyone really understands the files we put inside the ~/.ssh folder on our computer. They were a mystery to me when I first started using SSH, but things are pretty clear to me now and I want to share this with all of you, just in case you don't know.
The known_hosts file is responsible for verifying the host we have connected to. The first time you connect to a host, you will probably see the following message:
    The authenticity of host 'example.com (10.0.0.0)' can't be established.
    RSA key fingerprint is SHA256:VqgUG8v+gxrigR1csELYv6Un6l7HxMgPgMj9wyUr7G4.
    Are you sure you want to continue connecting (yes/no)?
The moment you select yes to continue connecting, the hostname along with the public key of the server will be saved as a new line in this file. Why do we need this file? Just imagine that for some reason our routing has been compromised by a hacker who is trying to redirect us to the wrong server (and if we are not careful, we can send sensitive information to this wrong server). When we SSH to the host again, our SSH client detects that the server public key has changed and does not allow us to continue, because this key is different from the key saved in known_hosts. This protects us from continuing to send sensitive information to the wrong server.
This, however, also creates a small problem for developers connecting to a server that has been changed recently, because the SSH connection will be refused. In that case, you should confirm that the server has indeed been changed, then open the known_hosts file, remove the line containing the host you are trying to connect to, and connect again.
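How the check described above works, as an added example (not code from the original post or from OpenSSH): it derives the SHA256 fingerprint shown in the prompt and compares a presented key with known_hosts, including hashed host entries (the |1|salt|hash form written when HashKnownHosts is enabled), where the hostname is not stored in plain text. The keys, the salt and the name mydev.example.com are constructed samples, and only exact host names are matched (no wildcards, ports or @ marker lines).

```python
import base64
import hashlib
import hmac
import struct

def fingerprint(key_b64):
    """Fingerprint as ssh prints it: unpadded base64 of SHA-256 over the key blob."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def host_matches(pattern, host):
    """Match a known_hosts host field: comma-separated names or '|1|salt|hash'."""
    if pattern.startswith("|1|"):
        _, _, salt_b64, hash_b64 = pattern.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(hash_b64))
    return host in pattern.split(",")

def check_host(known_hosts_text, host, key_type, key_b64):
    """Return 'match', 'changed' or 'unknown' for the key a server presents."""
    key_on_file = False
    for line in known_hosts_text.splitlines():
        fields = line.split()
        # Skip blanks, comments and @cert-authority/@revoked lines (not handled here).
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        if host_matches(fields[0], host) and fields[1] == key_type:
            if fields[2] == key_b64:
                return "match"
            key_on_file = True
    return "changed" if key_on_file else "unknown"

def fake_key(fill):
    """Constructed ssh-ed25519 blob (not a real key): two length-prefixed strings."""
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes([fill]) * 32
    return base64.b64encode(blob).decode()

def hashed_host(host, salt=b"constructed-salt-20b"):
    """Build the hashed host field: HMAC-SHA1 of the name, keyed with the salt."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

SAVED, OTHER = fake_key(1), fake_key(2)  # constructed sample keys
KNOWN_HOSTS = "\n".join(["# constructed sample file",
    "example.com,10.0.0.0 ssh-ed25519 " + SAVED,
    hashed_host("mydev.example.com") + " ssh-ed25519 " + SAVED])

if __name__ == "__main__":
    for host, key in [("example.com", SAVED), ("example.com", OTHER), ("mydev.example.com", OTHER)]:
        print(host, fingerprint(key), check_host(KNOWN_HOSTS, host, "ssh-ed25519", key))
```

Because a hashed entry hides the hostname, searching the file by hand may not find the stale line; ssh-keygen -R followed by the hostname removes that host's entries in either form.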
The config file is created manually to specify the right host address and the right key to use when connecting to a certain host. For example, let's say that I have a very long host address like this: abcdwefsdfasdfagaksdjkajfdgka.example.com. In addition, I have to specify a private key (using the -i option in SSH) to connect to this server. The command I use looks like this:

    ssh -i ~/.ssh/privatekey.pem dev@abcdwefsdfasdfagaksdjkajfdgka.example.com
It just does not feel comfortable to me. Instead, I can create a config file inside the ~/.ssh folder and put this content into the file:

    Host mydev
        HostName abcdwefsdfasdfagaksdjkajfdgka.example.com
        IdentityFile ~/.ssh/privatekey.pem
        User dev
After having this in the config file, I can SSH to this server easily, using the mydev alias.
This method is very useful if you need to clone multiple GitHub projects using different accounts (check out my old post about this topic: http://thelazylog.com/how-to-configure-ssh-for-multiple-github-accounts/).
The authorized_keys file only exists on the machine that is acting as a server, and it is also created manually. You want to use this file if you hate typing the password every time you use SSH. By putting your client public key into this file on the server, you can connect to the server without typing the password. This is called key-based SSH login.
How does it work? The server will use the client public key in the authorized_keys file to lock the message in a way that only your computer with the corresponding private key can unlock the message. This is why, when you are creating an SSH key, it often asks you to set a passphrase for the private key, so that in case your computer gets stolen, you still have time to disable the old public key. If you are interested in cryptography, you might want to read more about this on Wikipedia: https://en.wikipedia.org/wiki/Public-key_cryptography
I hope the information in this post is helpful to you. Happy coding!