Telnet/SSH

ID #90

How do I get ssh to authenticate me via public/private keypairs instead of by password?

Applies to: Grid System, Managed Servers, VPS

Use ssh-keygen on your local system to generate public and private keys. If your local system runs Windows, you can use Cygwin's ssh-keygen program.

There are two types of keys that can be created using ssh-keygen, DSA and RSA. Simply put, they are two different encryption algorithms. Because DSA was designed in private while RSA was not, many consider RSA the more secure standard on account of the public scrutiny it received during its creation.

The method for creating either key is very similar.

The following method creates SSH keys. It is important to hit ENTER twice when prompted for a passphrase, so that no passphrase is set on the key (this is required for WinCVS users).

To create an RSA key use: ssh-keygen
To create a DSA key use: ssh-keygen -t dsa

The steps listed below are used to create a DSA key. The only differences between the creation of the keys are the output file (id_rsa.pub or id_dsa.pub) and the file stored on the remote server (authorized_keys2 for DSA and authorized_keys for RSA keys).

Here is a sample screencopy of what generating keys looks like:

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /your/local/system/home
Your public key has been saved in /your/local/system/home
The key fingerprint is:
some:unique:hex:codes you@your.local.hostname

Now log in to the remote system here and make sure there is a subdirectory named .ssh in your home directory (include the period '.' before the 'ssh'). You may need to create this directory. Because the name starts with a period it is hidden from a plain listing, so to see it you will need to type:
ls -al
The .ssh directory should be chmod 700, which looks like this in the first column of a detailed file listing:
drwx------

If those are not the permissions on the .ssh dir, then set them by typing:
chmod 700 .ssh

Now take the id_dsa.pub (or id_rsa.pub) file (your public key) that you generated with ssh-keygen on your local system, and copy it to the .ssh directory on the remote system here, renaming the file authorized_keys2 (or authorized_keys for rsa).

You can copy it in various ways, such as copying the contents of the file on your local system to the clipboard, editing a new file on the remote system, pasting and saving. Or you could ftp the file to the remote system and then rename it. If your local system is some kind of unix, the easiest thing is to scp it, or use a combination of cat and ssh like this, typed all on one line:

$ scp id_dsa.pub youruser@ftp.modwest.com:~/.ssh/authorized_keys2

or this, which appends to the file on the remote system instead of replacing it:

$ cat id_dsa.pub | ssh youruser@ftp.modwest.com 'cat - >> ~/.ssh/authorized_keys2'

Once it is uploaded to the remote system, the authorized_keys2 (authorized_keys) file should be chmod 600, which looks like this in the first column of a detailed file listing:
-rw-------

If those are not the permissions on the authorized_keys2 (authorized_keys) file, then set them by typing:
chmod 600 ~/.ssh/authorized_keys2

At this point you should be able to login to the remote system via ssh without being prompted for a password.
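As an added example (not part of this FAQ and not Modwest's own tooling), the shell functions below carry out the remote-side steps above with the checks a careful admin wants: the key line is validated before anything is written, the key is appended rather than overwriting the file (so several people's keys can accumulate, as the comments below describe), a key that is already present is not added twice, and the 700/600 modes are both set and verified. The home directory is passed as a parameter so the functions can be tried against a scratch directory first; the sample key is constructed and is not a real key.

```shell
#!/bin/sh
# Added example (not the FAQ's own code): do the remote-side steps safely,
# appending instead of overwriting, skipping duplicate keys, and enforcing
# the 700/.ssh and 600/authorized_keys modes. Home dir is a parameter.

# is_pubkey_line <line>: 0 if it looks like "<type> <base64 blob> [comment]"
is_pubkey_line() {
    printf '%s\n' "$1" |
      grep -Eq '^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_pubkey <id_xxx.pub> <home-dir>
install_pubkey() {
    key=$(head -n 1 "$1"); home=$2
    sshdir=$home/.ssh; authfile=$sshdir/authorized_keys
    is_pubkey_line "$key" || { echo "not an OpenSSH public key: $1" >&2; return 1; }
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authfile" && chmod 600 "$authfile"
    # Compare type and blob only, so the same key with another comment still counts as a duplicate.
    ktype=${key%% *}; rest=${key#* }; kblob=${rest%% *}
    if awk -v t="$ktype" -v b="$kblob" '$1==t && $2==b {f=1} END {exit !f}' "$authfile"; then
        echo "already present in $authfile" >&2; return 0
    fi
    printf '%s\n' "$key" >> "$authfile"
}

# check_perms <home-dir>: 0 when .ssh is exactly 700 and authorized_keys exactly 600
check_perms() {
    [ -n "$(find "$1/.ssh" -prune -perm 700)" ] &&
      [ -n "$(find "$1/.ssh/authorized_keys" -prune -perm 600)" ]
}

# count_keys <home-dir>: number of key lines in authorized_keys
count_keys() {
    grep -Ec '^(ssh-|ecdsa-)' "$1/.ssh/authorized_keys"
}

# Constructed sample key for the demo; the blob is NOT a real key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedExampleBlob0123456789== you@your.local.hostname'

# demo: run the procedure twice against a temp home dir and print the key count (1)
demo() {
    home=$(mktemp -d)
    printf '%s\n' "$SAMPLE_KEY" > "$home/id_rsa.pub"
    install_pubkey "$home/id_rsa.pub" "$home" &&
      install_pubkey "$home/id_rsa.pub" "$home" 2>/dev/null &&   # second run is a no-op
      check_perms "$home" && count_keys "$home"
    rm -rf "$home"
}
```

Running `demo` prints 1: the second install is skipped as a duplicate and the modes verify. Against a real account, call install_pubkey with the public key file and the account's home directory.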


Last update: 2010-09-29 16:46
Author: FAQ Admin
Revision: 1.3

Average rating: 4.8 (15 Votes)

Comment of Anonymous:
Generating keys using PuTTY didn't seem to work. Generating them with Cygwin's ssh-keygen instead worked fine. The key should have no passphrase, otherwise you'll still be prompted for a password.
Added at: 2002-08-29 15:16

Comment of Anonymous:
It is possible to use keys with passwords (without having to input the password every time), if you are ssh'ing from a linux/unix box.

See the bash script "keychain" and the information on ssh-agent at http://www-106.ibm.com/developerworks/library/l-keyc2/
Added at: 2002-09-24 21:01

Comment of Anonymous:
An article discussing ssh'ing between servers using only public/private keypairs, and no passwords, is here:

http://www.devshed.com/Server_Side/Administration/Tunnelling/page3.html
Added at: 2003-04-07 14:32

Comment of Anonymous:
CygWin is a Unix emulator for Windows.

I successfully used it to connect via ssh after more user-friendly alternatives didn't work for me.

To get public/private key files, I ran ssh-keygen under Cygwin, then uploaded the public file to /.ssh/authorized_keys2 (as recommended elsewhere on these support pages). I also ran CygWin setup to tell it where I was keeping my private key.

Then all I had to do was return to the CygWin prompt and do:

ssh myusername@modwest.com

and I was in.
Added at: 2003-04-30 18:33

Comment of Anonymous:
I failed with PuTTY but succeeded with CygWin. Run CygWin setup to tell it where to look for your private key, then go back to the CygWin shell prompt and type
ssh yourusername@modwest.com
Added at: 2003-04-30 15:11

Comment of Anonymous:
Could successfully populate a CVS repository with PuTTY and WinCvs using the excellent notes at anders.fix.no/cvs/wincvs-ssh. Only one glitch: the notes mention the file authorized_keys, but one must use authorized_keys2.
Regards
Added at: 2003-12-11 14:38

Comment of Anonymous:
For the time being, CVS only users cannot use authenticated key pairs to login. They will have to type their password.
Added at: 2005-01-28 14:25

Comment of Anonymous:
Since the SSH1 protocol is not used anymore, you don't need to call your file "authorized_keys2" anymore (signifying the SSH2 protocol). You can call the file just "authorized_keys" now.
Added at: 2005-03-08 17:07

Comment of Anonymous:
Suppose you need multiple people coming from multiple different hosts to be able to get into a single account using ssh keys.

Each person follows the first part of this FAQ to generate a public and private key pair (if they don't have one already).

Then only the first person creates the file "/.ssh/authorized_keys2" by following the 2nd half of the instructions in this FAQ.

Everyone else will just copy the contents of their own id_dsa.pub file from their local computer and paste it on a new line into the authorized_keys2 file that is on the server.

Each line of the authorized_keys2 file on the server will be very long and look similar to:

ssh-dss AKJHSHS/verylongline== some-user@local-hostname

Each line in the authorized_keys2 file on the server corresponds to a user who can get into the account from a remote host. The remote user's remote username and remote hostname are printed at the end of each line.

If you have 10 users that can get into the account, the file will have 10 lines in it, each one filled with an individual's public key info.

Added at: 2006-10-17 21:40

Comment of Anonymous:
Using ssh-keygen from Cygwin worked for me as well. As mentioned in a previous note, you can still use it with a passphrase and get remote access by using ssh-agent. Having key pairs without a passphrase doesn't seem like a good idea to me.

Use ssh-agent to start a new bash session, and then do ssh-add to enter your passphrase only once at the start of the session:

$ ssh-agent bash
$
...(you're in a new subshell now)
$ ssh-add
(prompts for passphrase)
$
...
$ ssh user@shell.modwest.com
(should get in without prompts)
remote$
...(do stuff in remote shell)
remote$ exit
$
...
(do stuff in local shell)
...
$ ssh user@shell.modwest.com
(should get in without prompts again)
remote$

and so on...
Added at: 2008-05-19 22:27

Comment of plaid:
I have successfully been able to login via public key in your Debian 6 environment, but not RedHat7 or Debian 5.
Added at: 2011-06-23 23:08