Top

SSHPublicKeyAuthentication

I didn't know about this until just recently and it's so cool :) My instructions will apply to OpenSSH.

The idea here is that you put a public key on a remote machine which you wish to login to, and the remote machine verifies your identity by having you sign something with the corresponding private key. In some configurations, you don't have to type any password at all.

Overview:

• Check that the remote machine supports public key authentication
• Create a keypair on the local machine
• Copy the public key to the list of authorized keys for your account on the remote machine
• Set up ssh-agent if you desire

Check that the remote machine supports public key authentication:

It probably does, as this is the default setting for sshd. Check that there is NOT a line which reads

   PubkeyAuthentication no

in /etc/ssh/sshd_config (or, if there is no /etc/ssh directory, /etc/sshd_config). If for some freakish reason the server only supports ssh version 1, look instead for RSAAuthentication and see that it's not set to no.

Create a keypair on the local machine

You should do this locally and only on a machine that you trust (i.e. you have root, nobody else does, and you keep it well patched..). Choose an algorithm, RSA or DSA. It basically doesn't matter. If you must use ssh version 1 choose RSA. Now, type

   ssh-keygen -t rsa

or

   ssh-keygen -t dsa

You will have an option to enter a passphrase, or just press enter. If you don't enter a passphrase, you must rely on the security of your filesystem to keep your private key from falling into evil hands (meaning that an attacker could use it to log into the remote machine as you). If you do use a passphrase, the attacker will need BOTH the passphrase and the private key to login as you. Of course, it would behoove you to remember the passphrase. As we will see later, you need only type the passphrase once per login session if you choose to set up ssh-agent.

ssh-keygen will create two files, one called ~/.ssh/id_rsa or ~/.ssh/id_dsa, and one called ~/.ssh/id_rsa.pub or ~/.ssh/id_dsa.pub . Copy the public key, the one which ends in .pub, to the remote host like so:

   scp ~/.ssh/id_rsa.pub mylogin@remote.host:.ssh/mypublickey.txt

The material in the public key is not sensitive, so you may use an unencrypted channel to copy it if you must. Now log in to the remote server via ssh (you will still need a password; we aren't done yet) and do this:

   cat ~/.ssh/mypublickey.txt >> ~/.ssh/authorized_keys

Ok, if you didn't have an authorized_keys file yet you could have just cheated with the scp command before and not do the ssh login, but I wanted to make sure you didn't clobber an existing file.

If you are feeling paranoid, you can chmod 600 ~/.ssh/* on either or both machines. The only thing that actually needs to be unreadable by group and others is your private key, id_rsa or id_dsa on the local machine. ssh-keygen will have set its permissions appropriately.

You are done! You should now be able to ssh into the remote host without giving a password if you did not password your private key, or with the password to your private key if you did make one.

Set up ssh-agent if you desire

For people who did password their secret keys, this all seems rather pointless so far. You still have to supply a password every time you log in. ssh-agent comes to the rescue. Try adding something like this to .bash_profile (assuming you use bash) on the local machine

   eval `/usr/bin/ssh-agent`

and this to your .bash_logout:

   /usr/bin/ssh-agent -k

Now, when you log in you can say

   ssh-add

type the password for your secret key, and you will be able to ssh to the remote host without supplying the passphrase for as long as ssh-agent is running. ssh-agent will die when you log out. If you start XFree86 from the command line as I do, you can put this into your .xinitrc, where the /path/to/windowmanager line is the line that starts your window manager.

   eval `/usr/bin/ssh-agent`
   SSH_ASKPASS=/usr/X11R6/bin/ssh-askpass /usr/bin/ssh-add </dev/null &
   /path/to/windowmanager
   eval `/usr/bin/ssh-agent -k`

You will then be asked for the pass to your secret key when you start X, and any ssh session you start from an xterm to the remote host should not require a password. Similar tricks should apply to .xsession if you have a display manager like xdm or kdm.

Before I leave you alone, here's a neat trick if you tend to ssh between the cs linux machines at dartmouth. Just run ssh-keygen with no password on your linux account and copy .ssh/id_[dr]sa.pub to ~/.ssh/authorized_keys. Because your home directory is the same on many machines, you can now ssh from one to the other with no password. This is fine in terms of security because to crack you, someone would have to read id_[dr]sa, which is readable only by you. If someone can read it, he's already broken into your account so it's not much good to him.

Phew. That got a little longer than I wanted. Please do write me (alex.ferguson@dartmouthNOSPAM.edu) if there is anything I should clarify. And ask on linux-users : )

AlexFerguson - 08 Apr 2003