11. OpenSSH and Key/Passphrase Authentication


This page describes how to set up a DSA key/passphrase to securely connect from your desktop machine (client) to a remote machine (server) using OpenSSH (with SSH protocol 2).

To be absolutely clear, we are using:

Prerequisites

  1. Ensure up-to-date versions of OpenSSH are installed on both client and server. Furthermore, ensure that no other implementation of SSH, e.g., that from SSH Communications Security (www.ssh.com), is around to confuse the issue (though see below).

  2. Ensure that on each machine, client and server, a sub-directory called .ssh exists within your home directory and that its permissions are correct:
            drwx------   2 simonh users     136 2005-01-05 12:17 .ssh
    i.e., the directory is private to its owner (no group or world access).

Generating, Installing and Testing the Key

  1. First we make the key. On your local/client desktop machine type
            ssh-keygen -t dsa
    You will be prompted for the name of a file in which to keep the key (the default is fine). You will also be prompted for a passphrase --- don't use a blank or easily-guessed passphrase. You will see something like this:
            prompt> ssh-keygen -t dsa
            Generating public/private dsa key pair.
            Enter file in which to save the key (/home/mc/.ssh/id_dsa): 
            Enter passphrase (empty for no passphrase): 
            Enter same passphrase again: 
            Your identification has been saved in /home/mc/.ssh/id_dsa.
            Your public key has been saved in /home/mc/.ssh/id_dsa.pub.
            The key fingerprint is:
            e0:............................................:xy user@clienthost
            prompt>
    Two files are created: ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub. The first is your private key; the second is your public key.

  2. Copy your public key to your .ssh directory on the remote server by some means. For example, if the remote SSH server will currently accept a password-based (non-keyed) authentication method:
  3. Test that the key-pair is working --- make use of your SSH client's verbose mode to do this:
            ssh -v bohrg1.man.ac.uk -l simonh -v
    
            OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
            debug1: Reading configuration data /etc/ssh/ssh_config
            debug1: Applying options for *
            debug2: ssh_connect: needpriv 0
            debug1: Connecting to bohrg1.man.ac.uk [130.88.200.111] port 22.
            debug1: Connection established.
            .
            .
            debug1: identity file /home/simonh/.ssh/id_dsa type 2
            debug1: Remote protocol version 2.0, remote software version OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
            .
            .
            debug1: Host 'bohrg1.man.ac.uk' is known and matches the RSA host key.
            debug1: Found key in /home/simonh/.ssh/known_hosts:1
            .
            .
            debug1: Authentications that can continue: publickey,password,keyboard-interactive
            debug1: Next authentication method: publickey
        
    Notice the available methods of authentication and their order: publickey, password and keyboard-interactive. The first is our key-with-passphrase-based method; the others are password-only-based methods (used above to copy id_dsa.pub to the remote machine).
            .
            .
            debug1: Offering public key: /home/simonh/.ssh/id_dsa
            .
            .
            Enter passphrase for key '/home/simonh/.ssh/id_dsa': 
        
    Enter your passphrase and hit return, and you will be authenticated and logged in as usual.
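Step 2 above leaves the copy of id_dsa.pub to "some means"; the following script is an added example, not code from the original page, that installs a public key line into an account's ~/.ssh/authorized_keys exactly once and checks the drwx------ permission the prerequisites call for. The function names are this example's own, and the key line it uses is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not code from the original page. Installs a public key into an
# account's ~/.ssh/authorized_keys (the copy step 2 leaves to "some means") and
# checks the .ssh permissions the prerequisites require. Function names are
# this example's own. Runs against a scratch HOME so it works offline; on a
# real server, run install_pubkey as the target user with the copied id_dsa.pub.
umask 077   # anything we create is private to the owner by default

# check_ssh_dir HOME_DIR: succeed only if HOME_DIR/.ssh exists and is drwx------
check_ssh_dir() {
    dir="$1/.ssh"
    [ -d "$dir" ] || return 1
    mode=$(ls -ld "$dir" | cut -c1-10)   # first field of ls -ld, e.g. drwx------
    [ "$mode" = "drwx------" ]
}

# install_pubkey HOME_DIR PUBKEY_FILE: append the key line once, creating
# .ssh (700) and authorized_keys (600) if needed. Idempotent.
install_pubkey() {
    home="$1"; pub="$2"
    dir="$home/.ssh"; auth="$dir/authorized_keys"
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    key=$(cat "$pub") || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # -x: whole-line match, -F: literal (the key blob is base64, no regex meaning)
    if ! grep -qxF "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    check_ssh_dir "$home"
}

# count_key HOME_DIR PUBKEY_FILE: print how many times the key line is present
count_key() {
    grep -cxF "$(cat "$2")" "$1/.ssh/authorized_keys"
}

# Demo with a constructed key line (the blob is a placeholder, not a real key;
# ssh-dss is the type "ssh-keygen -t dsa" produces, and the line format is the
# same for other key types).
demo_home=$(mktemp -d)
printf '%s\n' 'ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLE-NOT-A-REAL-KEY simonh@clienthost' \
    > "$demo_home/id_dsa.pub"
install_pubkey "$demo_home" "$demo_home/id_dsa.pub"
install_pubkey "$demo_home" "$demo_home/id_dsa.pub"   # second run adds nothing
echo "key present $(count_key "$demo_home" "$demo_home/id_dsa.pub") time(s)"
rm -rf "$demo_home"
```

The second install_pubkey call shows why the literal whole-line grep matters: re-running the copy step must not leave duplicate key lines in authorized_keys.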




About this document:

Produced from the SGML: /home/mc/public_html/_ssh/_reml_grp/ssh.reml
On: 4/4/2006 at 17:51:25
Options: reml2 -i noindex -l long -o html -p multiple