SSH2 Public-key Authentication

Please be advised that this public-key method is not recommended because it is far less secure than having to supply a password for each connection.

If your account is compromised on one computer, then any computer that allows that account@hostname to public-key authenticate is also compromised.

The Steps

  • Create your personal SSH keys on your local machine with the command ssh-keygen -b 1024 -P. Two files (keys) will be created: your private key will be named ~/.ssh2/id_dsa_1024_? and must never be copied off the local machine; the public key will be named ~/.ssh2/id_dsa_1024_?.pub and can be freely copied to other machines. The ? is an incrementing character starting at "a", then "b", "c", "d", etc.; each time you run ssh-keygen the letter increments. Note that in the example below, I rename both of my keys (id_dsa_1024_a and id_dsa_1024_a.pub) to names that are easier to keep track of (darkstar and darkstar.pub respectively).

  • On the local host, add your identification (the private key filename, on an "idkey" line) to the ~/.ssh2/identification file. In the example below, I use my darkstar private key as my identification. Most people will only have one identification per machine, but you can use more if you wish. Keep the private key on the local host and move only the public key to the foreign host; the private key never needs to be moved.

  • Copy your personal public key to the foreign machine into ~/.ssh2/. This is the public half of the key pair you listed in the identification step above. In the example below, I copy darkstar.pub over to steel.

  • On the foreign host, add the filename of the public key you copied over in step 3 (on a "key" line) to the ~/.ssh2/authorization file. In the example below, I add the public key filename darkstar.pub to the list.

  • One final step (which may already have been done) is to exchange the host keys of the two machines; this is done by ssh'ing from one machine to the other and accepting the host keys. Before answering "yes" to the prompt, compare the fingerprint it displays with the one ssh-keygen -F prints on the other machine, so that you are storing the genuine host key. Note that you need to do this in both directions. In the example below, the scp in one direction gets steel's host key and the ssh from steel back to darkstar gets darkstar's host key.

    An example

    Darkstar is my local workstation and Steel is the computer I want to be able to public-key authenticate to.

    jdoe@darkstar# ssh-keygen -b 1024 -P
    Generating 1024-bit dsa key pair
    Key generated.
       8 ..oOo.oOo.oO
    1024-bit dsa, jdoe@darkstar, Mon Mar 26 2001 09:52:05 -0500
    Private key saved to /home/jdoe/.ssh2/id_dsa_1024_a
    Public key saved to /home/jdoe/.ssh2/id_dsa_1024_a.pub
    jdoe@darkstar# cd .ssh2
    jdoe@darkstar# mv id_dsa_1024_a darkstar
    jdoe@darkstar# mv id_dsa_1024_a.pub darkstar.pub
    jdoe@darkstar# echo "idkey darkstar" >> identification
    jdoe@darkstar# scp darkstar.pub steel:/N/u/jdoe/Steel/.ssh2/
    Host key not found from database.
    Key fingerprint:
    xuqip-c7vup-bimgb-kidgs-hqdqt-tqlgb-pgpof-pgpip-nqdib-nipil-rixqx
    You can get a public key's fingerprint by running
    % ssh-keygen -F public-key.pub on the keyfile.
    Are you sure you want to continue connecting (yes/no)? yes
    jdoe's password: ********
    Authentication successful.
    darkstar# ssh steel
    jdoe's password: ********
    jdoe@steel# cd .ssh2
    jdoe@steel# echo "key darkstar.pub" >> authorization
    jdoe@steel# ssh darkstar
    Host key not found from database.
    Key fingerprint:
    pwzip-covup-bimgx-kidgs-hzdzt-tzlgb-pgpof-xgpiz-nzdib-nfpih-yixzx
    You can get a public key's fingerprint by running
    % ssh-keygen -F public-key.pub on the keyfile.
    Are you sure you want to continue connecting (yes/no)? yes
    jdoe's password: ^D
    jdoe@steel# exit
    logout
    Connection to steel closed.
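    An added check, not part of the original page: a POSIX sh function that audits a ~/.ssh2 directory laid out as described above. It assumes only what the example shows, namely the "idkey NAME" lines in identification, the "key NAME.pub" lines in authorization, and the NAME / NAME.pub naming of a key pair; the sample files the tests create are constructed, not real keys.

```sh
#!/bin/sh
# Audit a ~/.ssh2 directory in the layout this page describes:
#   identification : lines "idkey NAME"   (NAME = private key, local host)
#   authorization  : lines "key NAME.pub" (NAME.pub may log in here, foreign host)
# Findings reported: entries whose file is missing, private keys readable by
# group/other, and a private key lying beside a public key that is authorized
# on this host (the private key should never have left the local machine).
# Prints one line per finding plus each authorized key; returns the finding count.
audit_ssh2_dir() {
    dir=$1
    findings=0
    own=""                                   # private keys this host declares as its own
    if [ -f "$dir/identification" ]; then
        while read -r kw name; do
            [ "$kw" = "idkey" ] || continue  # skip comments and other directives
            own="$own $name"
            if [ ! -f "$dir/$name" ]; then
                echo "identification: private key $name is missing"
                findings=$((findings + 1))
            elif [ "$(ls -ld "$dir/$name" | cut -c5-10)" != "------" ]; then
                echo "identification: private key $name is readable by group/other"
                findings=$((findings + 1))
            fi
        done < "$dir/identification"
    fi
    if [ -f "$dir/authorization" ]; then
        while read -r kw name; do
            [ "$kw" = "key" ] || continue
            if [ ! -f "$dir/$name" ]; then
                echo "authorization: public key $name is missing"
                findings=$((findings + 1))
                continue
            fi
            echo "authorized to log in here: $name"
            priv=${name%.pub}
            case " $own " in
                *" $priv "*) ;;              # this host's own key pair; expected
                *) if [ "$priv" != "$name" ] && [ -f "$dir/$priv" ]; then
                       echo "authorization: private key $priv was copied here beside $name"
                       findings=$((findings + 1))
                   fi ;;
            esac
        done < "$dir/authorization"
    fi
    return "$findings"
}
```

    Run it as audit_ssh2_dir ~/.ssh2 on each host; a non-zero return means at least one finding was printed.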