Public Key Authentication

From openSUSE

Situation

You would like to set up a public key (non-password) login using ssh.

First, before starting, the following assumptions are made:

  • You have enabled sshd on the remote server.
  • You have opened the appropriate port for sshd on the remote server.
  • You have configured tcp wrappers and/or other security mechanisms on the remote server.
  • You are careful enough to know that you should not set up public key authentication for the root user.
  • You are capable of choosing between RSA or DSA keys. (In this example I have chosen RSA.)

Procedure

Preparing the client

1. If it does not exist, create the ~/.ssh directory for your user.

2. Generate the public / private key pair with the command:

   ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa

Note: When prompted for a passphrase, just hit Enter, and then Enter again, unless you would like to add a passphrase for extra security to your keys. See the ssh-keygen man pages for the various options if you'd like to try something different. This generates a private key file and a public (.pub) key file.

3. As root, edit the /etc/ssh/ssh_config file in the following ways:

  • Remove the comment (#) from the line containing IdentityFile ~/.ssh/id_rsa
  • Remove the comment (#) from the line containing Protocol 2

Note: If you see a 1 on the Protocol line, remove it. Protocol version 1 is old and insecure now; version 2 should be used whenever possible.

Preparing the server

1. Log in to the remote server using the normal ssh password authentication.

2. Make sure the ~/.ssh directory exists.

3. Make sure permissions on the ~/.ssh directory are 700.

4. Now, from the client machine, copy the .pub key you generated into ~/.ssh on the server. You can do this with the following command on the client machine:

   cat ~/.ssh/id_rsa.pub | ssh user_name_here@server_here "cat - >> ~/.ssh/authorized_keys"

You will be prompted for your ssh password to complete.

5. Next, as root on the server, edit the /etc/ssh/sshd_config file in the following ways:

  • If the line that contains Protocol 2 has a 1 as well, remove it. Also remove the comment (#) if it is there.
  • Edit the line that contains PubkeyAuthentication to say:
    PubkeyAuthentication yes
    and remove the comment (#) if it is there.
  • Make sure the line AuthorizedKeysFile is set to point to ~/.ssh/authorized_keys and remove the comment (#) if it is there.

6. As root, restart sshd:

   rcsshd restart

That's it. Now try logging in from your client machine - you should be logged in automatically without being prompted for a password.
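Before relying on key-only logins, it is worth checking that the server actually matches steps 3 and 5 above. The script below is an added example, not from the openSUSE page: it checks an sshd_config for PubkeyAuthentication yes and Protocol 2, checks the ~/.ssh permissions, and includes a constructed "before"/"after" sample so it can be self-tested offline. It assumes POSIX sh with awk(1), find(1) and mktemp(1); the file names sshd_config.before and sshd_config.after are made up for the sample.

```shell
#!/bin/sh
# Added example (not from the openSUSE page): audit a server against the
# "Preparing the server" steps. Assumes POSIX sh, awk(1), find(1), mktemp(1).

# check_sshd_config FILE: 0 if FILE carries the step 5 settings. sshd
# honours the first uncommented occurrence of a keyword, hence "exit".
check_sshd_config() {
    pubkey=$(awk 'tolower($1)=="pubkeyauthentication"{print $2; exit}' "$1")
    proto=$(awk 'tolower($1)=="protocol"{print $2; exit}' "$1")
    [ "$pubkey" = "yes" ] || return 1
    # Step 5 wants "Protocol 2" with no 1; an absent line fails too, because
    # old sshd defaulted to "2,1" (assumption: a release that still has Protocol).
    [ "$proto" = "2" ]
}

# check_ssh_dir DIR: 0 if DIR is mode 700 (step 3) and DIR/authorized_keys
# exists and is not group/world-writable (sshd's StrictModes rejects it).
check_ssh_dir() {
    [ -d "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm 700 -print)" ] || return 1
    [ -f "$1/authorized_keys" ] || return 1
    [ -n "$(find "$1/authorized_keys" -prune ! -perm -020 ! -perm -002 -print)" ]
}

# build_sample DIR: constructed "before" config (defaults still commented out,
# Protocol includes 1), "after" config with the step 5 edits, and a 700 .ssh dir.
build_sample() {
    mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
    printf '%s\n' '#Protocol 2,1' '#PubkeyAuthentication yes' \
        '#AuthorizedKeysFile .ssh/authorized_keys' > "$1/sshd_config.before"
    printf '%s\n' 'Protocol 2' 'PubkeyAuthentication yes' \
        'AuthorizedKeysFile .ssh/authorized_keys' > "$1/sshd_config.after"
    : > "$1/.ssh/authorized_keys" && chmod 600 "$1/.ssh/authorized_keys"
}

# demo: 0 when the "before" sample fails and the "after" sample passes.
demo() {
    tmp=$(mktemp -d) || return 1
    build_sample "$tmp"; rc=0
    check_sshd_config "$tmp/sshd_config.before" && rc=1   # must fail
    check_sshd_config "$tmp/sshd_config.after" || rc=1    # must pass
    check_ssh_dir "$tmp/.ssh" || rc=1
    rm -rf "$tmp"; return $rc
}

# --demo runs the self-test; otherwise: CONFIG [SSHDIR], e.g. /etc/ssh/sshd_config ~/.ssh
case "${1:-}" in
    --demo) demo && echo "sample checks behave as expected" ;;
    ?*) check_sshd_config "$1" && check_ssh_dir "${2:-$HOME/.ssh}" && echo "ok" ;;
esac
```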