SSH public key authentication
How to set up public key authentication with Linux distributions using OpenSSH, such as Fedora, Red Hat or Debian.
In this howto, you are on your own computer (whose name is local) as user erkki. You have
access to an SSH server (on a computer called server.example.com). Your username on server
is tero and your password is 2secret. Thus, you can log in to the server with
'ssh tero@server.example.com' and "2secret" as the password.
The goal is to automate the login so that you don't have to type your password when you log in to server from local.
You should test that you can connect to server normally before trying to automate this: ssh tero@server.example.com,
and answer "yes" if you are asked whether you want to continue connecting. Before answering yes, compare the host key
fingerprint shown with one you got from the server's administrator or read on the server's own console. Answering yes
records that host key in $HOME/.ssh/known_hosts, and a wrong key accepted here would let a man-in-the-middle read the
password you type next.
(c) Tero Karvinen www.iki.fi/karvinen.
Create key pair
Run ssh-keygen on your own computer. Below, "local$" means your prompt and you don't have to type it.
local$ ssh-keygen -t dsa
Press enter at each question. The key pair is stored in the default location $HOME/.ssh/, and with an empty passphrase you can use your keys without typing a password.
Two caveats. First, this howto was written for DSA keys; OpenSSH 7.0 and later disable DSA keys by default and recent releases no longer include DSA support at all, so on a current system run ssh-keygen -t ed25519 instead and read id_ed25519 wherever the text below says id_dsa. Second, pressing enter at the passphrase prompt leaves the private key unencrypted on disk, so anyone who can read /home/erkki/.ssh/id_dsa can log in as tero. If you would rather protect the key with a passphrase, ssh-agent lets you type it once per session instead of once per login.
Generating public/private dsa key pair.
Enter file in which to save the key (/home/erkki/.ssh/id_dsa):
Created directory '/home/erkki/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/erkki/.ssh/id_dsa.
Your public key has been saved in /home/erkki/.ssh/id_dsa.pub.
The key fingerprint is:
1b:e1:1d:c3:12:74:f6:71:0e:21:08:37:7d:d9:e3:e4 erkki@cs78243006.pp.htv.fi
Upload your public key to server
Upload your key to server using sftp. put assumes the files you put are
in the directory where you were when you started sftp. That's why we go to
/home/erkki/.ssh before we start sftp. Before you start sftp, you can use ls
to see that id_dsa.pub really is in the directory where you are.
Only the public key (id_dsa.pub) goes to the server. The private key (id_dsa) never leaves local; nothing on the server needs it.
sftp is started from the local computer. The password is not echoed (printed) on the screen when you type it.
Most distributions also ship ssh-copy-id with OpenSSH, which does this upload and the authorized_keys step below in one command (ssh-copy-id tero@server.example.com). The steps here show what it does by hand.
local$ cd $HOME/.ssh/
local$ sftp tero@server.example.com
Connecting to server.example.com...
tero@server.example.com's password: 2secret
sftp> put id_dsa.pub
id_dsa.pub 100% 616 47.3KB/s 00:00
sftp> exit
Now you have a key pair. The secret key is on the local computer, in the user's home directory (/home/erkki/.ssh/id_dsa). The public key has been copied to the remote server,
and is now stored in the home directory of the remote user (/home/tero/id_dsa.pub on server.example.com).
Put your public key to authorized_keys
Connect to remote server:
local$ ssh tero@server.example.com
tero@server.example.com's password: 2secret
server$
Now we are connected to server.example.com, and are using it remotely as
user tero. Note that the prompt usually changes to indicate this. Here, I have used "local$" for the local computer's prompt and "server$" for server.example.com's prompt. Optionally, you can check with ls
that id_dsa.pub really is in user tero's home directory on server.example.com.
Next, we append the contents of id_dsa.pub (our public key) to the end of
the list of authorized public keys, stored in a file called authorized_keys.
Both id_dsa.pub and authorized_keys are normal text files, one public key per line.
If .ssh does not exist yet, it is created. The public key is printed (to standard output) with cat,
and this is redirected to the end of authorized_keys. Note the double >> (append): a single > would overwrite the file and remove any keys already authorized for tero.
server$ mkdir -p .ssh
server$ cat id_dsa.pub >>.ssh/authorized_keys
Set very restrictive permissions on these authorization files. This is more than a precaution: sshd's StrictModes option, which is on by default, refuses to use authorized_keys if that file, the .ssh directory or tero's home directory itself is writable by group or others. Wrong permissions are the most common reason key authentication quietly falls back to asking for a password, so check the home directory too if the test below still prompts you.
server$ chmod og-rxw $HOME/.ssh $HOME/.ssh/authorized_keys
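The three server-side steps above (create .ssh, append the key, fix permissions) as one idempotent shell function. This is an added example, not code from the original howto or from OpenSSH; the function names install_authorized_key, count_key and mode_of are this example's own, it is meant to be run on the server as the target user (tero, with $HOME as the first argument), and the demonstration key at the bottom is constructed for the example and cannot authenticate anywhere. Unlike the bare cat >> above, it refuses to append anything that does not look like a public key line and does not add a key that is already present, so running it twice is harmless.

```shell
#!/bin/sh
# Added example, not from the original howto: the "append to authorized_keys"
# and "chmod" steps as one idempotent function, to be run on the server as the
# target user. Function and variable names are this example's own.
#
# install_authorized_key HOME_DIR PUBKEY_FILE
#   creates HOME_DIR/.ssh (mode 700) if missing, appends the first line of
#   PUBKEY_FILE to authorized_keys unless that exact line is already there,
#   and leaves authorized_keys at mode 600.
install_authorized_key() {
    home_dir="$1"
    pubkey_file="$2"
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # A public key file is a single line: "<type> <base64 blob> [comment]".
    # Take the first line only and refuse anything that does not look like one,
    # so a private key or a stray file cannot be appended by mistake.
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-"*|"ssh-dss "*) ;;
        *) echo "not a public key line: $pubkey_file" >&2; return 1 ;;
    esac

    # sshd (StrictModes, on by default) ignores authorized_keys when the
    # directory or the file is writable by group or others, so set both.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # -F fixed string, -x whole line: running this twice adds nothing.
    if grep -qFx -- "$key_line" "$auth_keys"; then
        echo "already authorized: $key_line"
    else
        printf '%s\n' "$key_line" >> "$auth_keys"
        echo "authorized: $key_line"
    fi
}

# How many times the key in PUBKEY_FILE occurs in HOME_DIR/.ssh/authorized_keys.
count_key() {
    grep -cFx -- "$(head -n 1 "$2")" "$1/.ssh/authorized_keys"
}

# Octal permission bits of a path (GNU stat, with a BSD/macOS fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demonstration against a throwaway home directory. The key below is
# constructed for this example and is not a real key.
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleOnlyNotARealKey0000000000000000000 erkki@local'
demo_home=$(mktemp -d)
printf '%s\n' "$DEMO_KEY" > "$demo_home/id_ed25519.pub"
install_authorized_key "$demo_home" "$demo_home/id_ed25519.pub"
install_authorized_key "$demo_home" "$demo_home/id_ed25519.pub"   # second run: no duplicate
echo "entries: $(count_key "$demo_home" "$demo_home/id_ed25519.pub"), .ssh mode: $(mode_of "$demo_home/.ssh")"
```

On the real server you would call install_authorized_key "$HOME" "$HOME/id_dsa.pub" (or id_ed25519.pub) instead of the throwaway directory; the function does not touch the permissions of the home directory itself, so check that separately if sshd still refuses the key.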
Test
Let's try connecting to server from the local computer. Now that public key authentication is set up, it should no longer ask for a password. If you are still using server.example.com remotely, exit first.
server$ exit
local$ ssh tero@server.example.com
server$
It did not ask for a password, so you have successfully set up public
key authentication for ssh. To be sure the key was used and not some other mechanism, repeat the test with the option -o PasswordAuthentication=no given to ssh; the login must still succeed. If you are still prompted for a password, run ssh with -v and read which identity files the client offers and whether the server accepts one; the permissions on the server (see above) are the usual cause.
Copyright 2004 Tero Karvinen www.iki.fi/karvinen.
GNU Free Documentation License