
Problem

You want to set up public-key authentication between an OpenSSH client and an OpenSSH server.

Solution

Generate a key if necessary:

    $ mkdir -p ~/.ssh        If it doesn't already exist
    $ chmod 700 ~/.ssh
    $ cd ~/.ssh
    $ ssh-keygen -t dsa

Copy the public key to the remote host:

    $ scp -p id_dsa.pub remoteuser@remotehost:
    Password: ********

Log into the remote host and install the public key:

    $ ssh -l remoteuser remotehost
    Password: ********
    remotehost$ mkdir -p ~/.ssh                              If it doesn't already exist
    remotehost$ chmod 700 ~/.ssh
    remotehost$ cat id_dsa.pub >> ~/.ssh/authorized_keys     (Appending)
    remotehost$ chmod 600 ~/.ssh/authorized_keys
    remotehost$ mv id_dsa.pub ~/.ssh                         Optional, just to be organized
    remotehost$ logout

Log back in via public-key authentication:

    $ ssh -l remoteuser remotehost
    Enter passphrase for key '/home/smith/.ssh/id_dsa': ********

Tip

OpenSSH public keys go into the file ~/.ssh/authorized_keys. Older versions of OpenSSH, however, require SSH-2 protocol keys to be in ~/.ssh/authorized_keys2.

Discussion

Public-key authentication lets you prove your identity to a remote host using a cryptographic key instead of a login password. SSH keys are more secure than passwords because keys are never transmitted over the network, whereas passwords are (albeit encrypted). Also, keys are stored encrypted, so if someone steals yours, it's useless without the passphrase for decrypting it. A stolen password, on the other hand, is immediately usable.

An SSH "key" is actually a matched pair of keys stored in two files. The private or secret key remains on the client machine, encrypted with a passphrase. The public key is copied to the remote (server) machine. When establishing a connection, the SSH client and server perform a complex negotiation based on the private and public key, and if they match (in a cryptographic sense), your identity is proven and the connection succeeds.

To set up public-key authentication, first create an OpenSSH key pair, if you don't already have one:

    $ ssh-keygen -t dsa
    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/smith/.ssh/id_dsa):
    Enter passphrase (empty for no passphrase): *******
    Enter same passphrase again: *******
    Your identification has been saved in id_dsa
    Your public key has been saved in id_dsa.pub.
    The key fingerprint is:
    76:00:b3:e8:99:1c:07:9b:84:af:67:69:b6:b4:12:17 smith@mymachine

Copy the public key to the remote host using password authentication:

    $ scp ~/.ssh/id_dsa.pub remoteuser@remotehost:
    Password: *********
    id_dsa.pub           100% |*****************************|   736       00:03

Log into the remote host using password authentication:

    $ ssh -l remoteuser remotehost
    Password: ********

If your local and remote usernames are the same, you can omit the -l remoteuser part and just type ssh remotehost.

On the remote host, create the ~/.ssh directory if it doesn't already exist and set its mode appropriately:

    remotehost$ mkdir -p ~/.ssh
    remotehost$ chmod 700 ~/.ssh

Then append the contents of id_dsa.pub to ~/.ssh/authorized_keys:

    remotehost$ cat id_dsa.pub >> ~/.ssh/authorized_keys     (Appending)
    remotehost$ chmod 600 ~/.ssh/authorized_keys

Log out of the remote host and log back in. This time you'll be prompted for your key passphrase instead of your password:

    $ ssh -l remoteuser remotehost
    Enter passphrase for key '/home/smith/.ssh/id_dsa': *******

and you're done! If things aren't working, rerun ssh with the -v option (verbose) to help diagnose the problem.

The SSH server must be configured to permit public-key authentication, which is the default:

    /etc/ssh/sshd_config:
    PubkeyAuthentication yes        If no, change it and restart sshd

SSH-2 Key File Formats

The two major implementations of SSH, OpenSSH and SSH Secure Shell ("SSH2"), use different file formats for SSH-2 protocol keys. (Their SSH-1 protocol keys are compatible.) OpenSSH public keys for the SSH-2 protocol begin like this:

    ssh-dss A9AAB3NzaC1iGMqHpSCEliaouBun8FF9t8p...

or:

    ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA3DIqRox...

SSH Secure Shell public keys for the SSH-2 protocol look like this:

    ---- BEGIN SSH2 PUBLIC KEY ----
    AAAAB3NzaC1kc3MAAACBAM4a2KKBE6zhPBgRx4q6Dbjxo5hXNKNWYIGkX/W/k5PqcCH0J6 ...
    ---- END SSH2 PUBLIC KEY ----

These keys are installed differently too. For OpenSSH, you insert your public keys into the file ~/.ssh/authorized_keys. For SSH Secure Shell, you copy your public key files into the directory ~/.ssh2 and reference them in the file ~/.ssh2/authorization by name:

    Key public_key_filename

As for private keys, OpenSSH has no special requirements for installation, but SSH Secure Shell does. You must reference them in the file ~/.ssh2/identification by name:

    IdKey private_key_filename
