Ssh public key authentication

Ssh public key authentication

How to set up public key authorization with linux distributions using openssh, such as Fedora, Red Hat or Debian.

In this howto, you are on your own computer (whose name is local) as user erkki. You have
access to an ssh server (on a computer called server.example.com). Your username on server
is tero and your password is 2secret. Thus, you can login to the server with ‘ssh tero@server.example.com‘ and “2secret” as password.
Goal is to automate login so
that you don’t have to type your password when you login to server from local.
You should test that you can connect to server normally before trying to automate this: ssh tero@server.example.com, and answer “yes” if you are asked if you want to continue connecting.

(c) Tero Karvinen www.iki.fi/karvinen.

Create key pair

Run ssh-keygen on your own computer. Below, “local$” means your prompt and you don’t have to type it.

local$ ssh-keygen -t dsa

Press enter to each question. Keypair is stored to default location $HOME/.ssh/ and you can use your keys without typing a password.

Generating public/private dsa key pair.
Enter file in which to save the key (/home/erkki/.ssh/id_dsa):
Created directory '/home/erkki/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/erkki/.ssh/id_dsa.
Your public key has been saved in /home/erkki/.ssh/id_dsa.pub.
The key fingerprint is:
1b:e1:1d:c3:12:74:f6:71:0e:21:08:37:7d:d9:e3:e4 erkki@cs78243006.pp.htv.fi

Upload your public key to server

Upload your key to server using sftp. Put assumes the files you put are
in the directory where you were when you started sftp. That’s why we go to
/home/erkki/.ssh before we start sftp. Before you start sftp, you can use ls to see that id_dsa.pub really is in the directory where you are.

Sftp is started from local computer. Password is not echoed (printed) on the screen when you type it.


local$ cd $HOME/.ssh/
local$ sftp tero@server.example.com

Connecting to server.example.com...
tero@server.example.com's password: 2secret
sftp> put id_dsa.pub
id_dsa.pub                                    100%  616    47.3KB/s   00:00
sftp> exit

Now you have a key pair. The secret key is in local computer, on users home directory (/home/erkki/.ssh/id_dsa). Public key has been copied to remote server,
and is now stored in the home directory of the user of remote computer (/home/tero/id_dsa.pub on server.example.com).

Put your public key to authorized_keys

Connect to remote server:


local$ ssh tero@server.example.com
tero@server.example.com's password: 2secret

server$

Now we are connected to server.example.com, and using it remotely as
user tero. Note that the prompt usually changes to indicate this. Here, I have used “local$” for local computers prompt and “server$” for server.example.coms prompt. Optionally, you can check with ls that id_dsa.pub really is in user teros home directory on server.example.com.

Next, we put contents of id_dsa.pub (our public key) to the end of
the list of authorized public keys, stored in a file called authorized_keys.
Both id_dsa.pub and authorized_keys are normal text files.

If .ssh does not exist yet, it is created. Public key is printed (to standard out) with cat, and this is redirected to end of authorized_keys.


server$ mkdir -p .ssh
server$ cat id_dsa.pub >>.ssh/authorized_keys

Put very restrictive permissions to these authorization files, just to make sure.

server$ chmod og-rxw $HOME/.ssh $HOME/.ssh/authorized_keys

Test

Let’s try connecting to server from local computer. Now that we have public key authentication working, it should no longer ask for a password. If you are still using server.example.com remotely, exit.


server$ exit
local$ ssh tero@server.example.com

server$

It did not ask for a password, so you have successfully installed public
key authentication for ssh.

Copyright 2004 Tero Karvinen www.iki.fi/karvinen.
GNU Free Documentation License

Validate XHTML Basic 1.0

Posted in Old Site | Tagged , , , , | Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

*

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

  • Recent Posts

  • Picks

  • Boxing Clock for AndroidOcton8 Diving T-ShirtsShaking Tower Panda Android GameLearn Chinese with Android
  • Student projects