
In SSH and SSH2 for Unix, how do I set up public key authentication?

Note: The information in this document assumes you are using OpenSSH on the local and remote systems (this is generally the case on the UITS central systems at Indiana University). If you are using a different SSH version, such as one available from Tectia, the process outlined below may not be correct.

Public key authentication is an alternative security method to using passwords. To use public key authentication, you must generate both a public and a private key (i.e., a key pair). You store your public key on the remote hosts on which you have an account. Your private key stays on the computer you use to connect to those remote hosts. This method allows you to log into those remote hosts, and transfer files to them, without using your account passwords.

To set up public key authentication in SSH or SSH2 for Unix:

1. On the computer you'll use to access the remote host, generate a key pair for the protocol you want to use:

   - To create a key pair for SSH2, enter: ssh-keygen -t dsa
   - To create a key pair for SSH, enter: ssh-keygen -t rsa1

   Note: For security reasons, UITS strongly recommends using SSH2 instead of SSH whenever possible.

   You will be prompted to supply a filename (for saving the key pair) and a password (for your private key). If you press Enter or Return through each of these prompts, the key generation program will assume:

   - You want to use the default filename (e.g., id_dsa for SSH2).
   - You do not want to password-protect your private key.

   Note: UITS strongly recommends using a password to protect your private key. If your private key is not password protected, another person can conceivably access your computer and then connect to your account on the remote host (where your public key is saved) without entering a password.

   The key generation program will create the key pair, including:

   - A private key that has the filename you specified (e.g., filename) or the default filename (e.g., id_dsa)
   - A public key that has the same filename with a .pub extension added (e.g., filename.pub or id_dsa.pub)

2. Use SCP to copy your public key file (e.g., filename.pub) to your account on the remote host (e.g., dvader@deathstar.com). To do so, enter: scp ~/.ssh/filename.pub dvader@deathstar.com:

3. Log into the remote host using your account username and password.

4. If your account doesn't already contain a ~/.ssh/authorized_keys file, create one. To do so, use the following commands:

   mkdir -p ~/.ssh
   touch ~/.ssh/authorized_keys

   Note: If your account already has ~/.ssh/authorized_keys, executing these commands will not damage the existing directory or file.

5. On the remote host, add your public key (e.g., filename.pub) to the ~/.ssh/authorized_keys file; at the command line, enter: cat ~/filename.pub >> ~/.ssh/authorized_keys

6. You may now safely delete the public key file (e.g., filename.pub) from your account on the remote host. To do so, at the command prompt, enter: rm ~/filename.pub

   If you prefer to keep a copy of your .pub file (e.g., filename.pub) on the remote host, move it to the .ssh directory. To do so, at the command prompt, enter: mv filename.pub ~/.ssh/

   Note: Follow steps 2-6 for each remote host on which you want to use public key authentication.

The next time you use SSH or SSH2 on the computer that has your private key to connect to a remote host that has your public key:

- If you supplied a password when generating your private key, the remote host will prompt you for your private key password. Note: Your private key password is not transmitted to the remote host.

- If you did not supply a password when generating your private key, the remote host will not prompt you for a password.
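As an added example (not from the UITS page), the following shell function does the remote-host part of the procedure above (the mkdir/touch/cat steps) with the checks a practitioner would want: it refuses input that does not look like an OpenSSH public key line, it does not append a line that is already in authorized_keys, and it sets the modes that sshd's StrictModes setting (on by default) requires before it will accept the file. The function names install_pubkey and count_key are my own.

```shell
# Added example, not from the UITS page: install one public key line into
# an account's authorized_keys without duplicates and with safe modes.
# Usage: install_pubkey <pubkey file> [ssh dir]   (ssh dir defaults to ~/.ssh)

install_pubkey() {
    pub="$1"
    sshdir="${2:-$HOME/.ssh}"
    auth="$sshdir/authorized_keys"

    # A .pub file holds exactly one line: "<type> <base64 blob> [comment]".
    key=$(head -n 1 "$pub") || return 1
    case "$key" in
        ssh-*|ecdsa-*|sk-*) ;;      # OpenSSH key types, e.g. ssh-dss, ssh-rsa
        *) echo "not an OpenSSH public key line: $pub" >&2; return 1 ;;
    esac

    # Same as the page's mkdir -p / touch, plus the modes sshd checks:
    # 700 on the directory, 600 on the file (group/world-writable = key ignored).
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"

    # Append only when this exact line is absent (-x whole line, -F literal),
    # so running the install twice does not stack up duplicate entries.
    if grep -qxF "$key" "$auth"; then
        return 0
    fi
    printf '%s\n' "$key" >> "$auth"
}

# How many times the key line in <pubkey file> occurs in <authorized_keys>.
count_key() {
    grep -cxF "$(head -n 1 "$1")" "$2"
}
```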

For Unix, what are ssh-agent and ssh-add, and how do I use them?
In Unix, ssh-agent is a background program that handles passwords for SSH private keys. The ssh-add command prompts the user for a private key password and adds it to the list maintained by ssh-agent. Once you add a password to ssh-agent, you will not be prompted for it when using SSH or scp to connect to hosts with your public key.

Note: The public part of the key loaded into the agent must be put on the target system in ~/.ssh/authorized_keys; see "In SSH and SSH2 for Unix, how do I set up public key authentication?" above.

To use ssh-agent and ssh-add, follow the steps below:

1. At the Unix prompt, enter: eval `ssh-agent`

   Note: Make sure you use the backquote ( ` ), located under the tilde ( ~ ), rather than the single quote ( ' ).

2. Enter the command: ssh-add

3. Enter your private key password.

4. When you log out, enter the command: kill $SSH_AGENT_PID

   To run this command automatically when you log out, place it in your .logout file (if you are using csh or tcsh) or your .bash_logout file (if you are using bash).

Note: The versions of these programs for SSH2, ssh-agent2 and ssh-add2, are the same as outlined above. To use them, follow the instructions above, replacing all occurrences of ssh-agent with ssh-agent2, and ssh-add with ssh-add2. The SSH2 versions will only work if both your computer and the remote host are running SSH2.
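As an added example (not from the UITS page), here are the four steps above as two functions for a login script and a logout script: start_agent avoids starting a second agent when the shell can already reach one, and stop_agent is the guarded form of "kill $SSH_AGENT_PID". It assumes ssh-agent and ssh-add are on PATH; the function names are my own.

```shell
# Added example, not from the UITS page: ssh-agent lifecycle helpers.

start_agent() {
    # Reuse an agent this shell can already reach (inherited or forwarded).
    # ssh-add -l exits 2 only when no agent answers at $SSH_AUTH_SOCK;
    # 0 (keys listed) and 1 (agent reachable, no keys) mean one is usable,
    # and starting another would only leave an orphaned agent behind.
    if [ -n "${SSH_AUTH_SOCK:-}" ]; then
        rc=0
        ssh-add -l >/dev/null 2>&1 || rc=$?
        [ "$rc" -ne 2 ] && return 0
    fi
    # Same as the page's eval `ssh-agent`; -s forces Bourne-style output
    # (SSH_AUTH_SOCK=...; export SSH_AUTH_SOCK; ...) regardless of the shell.
    eval "$(ssh-agent -s)" >/dev/null || return 1
    # ssh-add prompts for the private key password; -t 4h makes the agent
    # forget the key after four hours even if the session is left open.
    ssh-add -t 4h
}

stop_agent() {
    # The page's "kill $SSH_AGENT_PID", guarded: nothing to do unless an
    # agent PID was exported into this shell by eval `ssh-agent`.
    [ -n "${SSH_AGENT_PID:-}" ] || return 0
    # Only signal a process that still exists, so a PID left behind by an
    # agent that already exited does not turn logout into an error.
    if kill -0 "$SSH_AGENT_PID" 2>/dev/null; then
        kill "$SSH_AGENT_PID"
    fi
    unset SSH_AGENT_PID SSH_AUTH_SOCK
}
```

Call start_agent from .bash_profile (or the csh/tcsh equivalent) and stop_agent from .bash_logout or .logout, in place of the bare kill command from step 4.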
