To be absolutely clear, we are using:

• OpenSSH (not SSH from SSH Comms Sec) on both client and server;
• we use DSA keys, not RSA keys, and
• SSH Protocol 2 (not 1 or 1.5).

Prerequisites

1. Ensure up-to-date versions of OpenSSH are installed on both client and server. Furthermore, ensure that no other implementation of SSH, e.g., that from SSH Communications Security (www.ssh.com) is around to confuse the issue (though see below).
   
   
2. Ensure that on each machine, client and server, within your home directory a sub-directory called .ssh exists and that the permissions are correct,

           drwx------   2 simonh users     136 2005-01-05 12:17 .ssh

   i.e., the directory is private to the owner.

Generating, Installing and Testing the Key

1. First we make the key. On your local/client desktop machine type

           ssh-keygen -t dsa

   You will be prompted for the name of a file in which to keep the key (the default is fine). You will also be prompted for a passphrase --- don't use a blank or easily-guessed passphrase. You will see something like this:

           prompt> ssh-keygen -t dsa
           Generating public/private dsa key pair.
           Enter file in which to save the key (/home/mc/.ssh/id_dsa): 
           Enter passphrase (empty for no passphrase): 
           Enter same passphrase again: 
           Your identification has been saved in /home/mc/.ssh/id_dsa.
           Your public key has been saved in /home/mc/.ssh/id_dsa.pub.
           The key fingerprint is:
           e0:............................................:xy user@clienthost
           prompt>

   Two files are created: ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub. The first is your private key; the second is your public key.
   
   
2. Copy your public key to your .ssh directory on the remote server by some means. For example, if the remote SSH server will currently accept a password-based (non-keyed) authentication method:
   • If the remote file authorized_keys2 does not yet exist, then

                 local> scp ~/.ssh/id_dsa.pub remote.server:.ssh/authorized_keys2

   • Else the remote file authorized_keys2 already exists, then copy id_dsa.pub to a temporary file on the remote machine, append the contents of the temporary file to authorized_keys2 and then delete the temporary file:

                 local> scp ~/.ssh/id_dsa.pub remote.server:.ssh/authorized_keys2_temp

     and

                 remote> cd ~/.ssh
                 remote> cat authorized_keys2_temp >> authorized_keys2
                 remote> rm authorized_keys2_temp

   
   
3. Test that the key-pair is working --- make use of your SSH client's verbose mode to do this:

           ssh -v bohrg1.man.ac.uk -l simonh -v
   
           OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004
           debug1: Reading configuration data /etc/ssh/ssh_config
           debug1: Applying options for *
           debug2: ssh_connect: needpriv 0
           debug1: Connecting to bohrg1.man.ac.uk [130.88.200.111] port 22.
           debug1: Connection established.
           .
           .
           debug1: identity file /home/simonh/.ssh/id_dsa type 2
           debug1: Remote protocol version 2.0, remote software version OpenSSH_3.4p1 Debian 1:3.4p1-1.woody.3
           .
           .
           debug1: Host 'bohrg1.man.ac.uk' is known and matches the RSA host key.
           debug1: Found key in /home/simonh/.ssh/known_hosts:1
           .
           .
           debug1: Authentications that can continue: publickey,password,keyboard-interactive
           debug1: Next authentication method: publickey
       

   Notice the available methods of authentication and their order: publickey, password and keyboard-interactive. The first is our key-with-passphrase-based method; the others are password-only-based methods (used above to copy id_dsa.pub to the remote machine).

           .
           .
           debug1: Offering public key: /home/simonh/.ssh/id_dsa
           .
           .
           Enter passphrase for key '/home/simonh/.ssh/id_dsa': 
       

   Enter your passphrase and hit return, and you will be authenticated and logged in as usual.