Public Key authentication for SSH/SCP

This is how to set up public key authentication. Here are the steps:

1. Make sure the target SSH server accepts public key authentication
As root, open sshd_config on the target server, usually located in /etc/ssh/sshd_config

vim /etc/ssh/sshd_config

Make sure these lines are present and not commented out:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

2. Make sure the ssh client knows where the private key is located
As root, open ssh_config on the client machine, usually located at /etc/ssh/ssh_config

vim /etc/ssh/ssh_config

Make sure these lines are present:

IdentityFile ~/.ssh/identity
IdentityFile ~/.ssh/id_rsa
IdentityFile ~/.ssh/id_dsa

3. Create a pair of private and public keys
To do public key authentication, you need a pair of keys. The private key is stored on the ssh client machine as your identification, and the public key is stored on the target ssh server, where sshd uses it to authenticate you.

Log into the ssh client machine with the account that you’ll be using to connect to the target server, and issue this command:

ssh-keygen -t dsa

The output should be similar to this:

#:~/.ssh$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
be:4d:36:7c:29:a9:e0:8a:c0:c5:d5:65:40:fe:97:4b root@192.168.1.1

Since my requirement was passwordless authentication, I didn’t enter any passphrase. Note that the private (id_dsa) and public (id_dsa.pub) keys have been generated and stored in the .ssh directory:

#:~$ cd .ssh
#:~/.ssh$ ls
authorized_keys  id_dsa  id_dsa.pub  id_rsa  id_rsa.pub

4. Install the public key into the target ssh server
Copy the public key to the target ssh server:

#:~$ cd .ssh
#:~/.ssh$ scp id_dsa.pub surfer@M5base:/home/surfer/.ssh
root@192.168.1.2's password:
id_dsa.pub                                    100%  605     0.6KB/s   00:00

Log into the ssh server as the user that will use the passwordless authentication; in my case, it’s “surfer”. Install the public key on the server by issuing this command:

#:~$ cd .ssh
#:~/.ssh$ cat id_dsa.pub >> authorized_keys

The above commands will add the public key to the authorized_keys file. It is important to append the key with >> as shown above so that any existing keys in the authorized_keys file are not overwritten.

Sometimes the .ssh folder does not exist and you have to create it manually. This can cause problems with the access restrictions on that folder. To create the folder, do the following:

#:~$ mkdir .ssh
#:~$ chmod -R 700 .ssh
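
Step 4 as one repeatable script, added here as an example and not part of the original post: it creates .ssh with mode 700, appends the key only if it is not already listed, and checks the permissions that sshd's default StrictModes setting cares about (it ignores authorized_keys when the file or the .ssh directory is writable by group or others). The function names install_pubkey and check_ssh_perms are hypothetical.

```shell
#!/bin/sh
# Added example; install_pubkey and check_ssh_perms are hypothetical helper names.

# Append the key(s) in <pubkey_file> to <ssh_dir>/authorized_keys without
# overwriting or duplicating existing entries.
# Usage: install_pubkey <pubkey_file> <ssh_dir>
install_pubkey() {
    pub=$1
    dir=$2
    [ -s "$pub" ] || { echo "no public key at $pub" >&2; return 1; }
    # Refuse a private key copied by mistake: it must never leave the client.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key, not installing" >&2
        return 1
    fi
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    auth=$dir/authorized_keys
    touch "$auth" && chmod 600 "$auth" || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        # -x whole line, -F fixed string: append only if this exact key is absent.
        grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$pub"
}

# Return 0 only if neither <ssh_dir> nor its authorized_keys file is
# writable by group or others.
# Usage: check_ssh_perms <ssh_dir>
check_ssh_perms() {
    dir=$1
    rc=0
    for p in "$dir" "$dir/authorized_keys"; do
        [ -e "$p" ] || continue
        if [ -n "$(find "$p" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "too permissive: $p" >&2
            rc=1
        fi
    done
    return $rc
}
```

On the server this would be called as install_pubkey id_dsa.pub "$HOME/.ssh" followed by check_ssh_perms "$HOME/.ssh".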

5. Test your connection
Try to log in to the target ssh server; the output should be close to this:

#:~/.ssh$ ssh root@192.168.1.2
--------------
Last login: Wed Oct 31 21:57:19 2008 from localhost
#:~$

Now you can test your setup by copying a file from the ssh client machine to the ssh server:

#:~$ scp test.tar.gz  user@192.168.1.2:/home/
test.tar.gz                        100%   33MB  11.2MB/s   00:03

… and you’re done
