6.4. Authenticating by Public Key (OpenSSH)

Problem

You want to set up public-key authentication between an OpenSSH client and an OpenSSH server.

Solution

  1. Generate a key if necessary:

    $ mkdir -p ~/.ssh                        If it doesn't already exist
    $ chmod 700 ~/.ssh
    $ cd ~/.ssh
    $ ssh-keygen -t dsa
  2. Copy the public key to the remote host:

    $ scp -p id_dsa.pub remoteuser@remotehost:
    Password: ********
  3. Log into the remote host and install the public key:

    $ ssh -l remoteuser remotehost
    Password: ********
    
    remotehost$ mkdir -p ~/.ssh                       If it doesn't already exist
    remotehost$ chmod 700 ~/.ssh
    remotehost$ cat id_dsa.pub >> ~/.ssh/authorized_keys  (Appending)
    remotehost$ chmod 600 ~/.ssh/authorized_keys
    remotehost$ mv id_dsa.pub ~/.ssh                  Optional, just to be organized
    remotehost$ logout
  4. Log back in via public-key authentication:

    $ ssh -l remoteuser remotehost
    Enter passphrase for key '/home/smith/.ssh/id_dsa': ********
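
The key installation of steps 1 through 3, as an added shell example that is not from the book: it appends the key only if that line is not already in authorized_keys (re-running step 3 as written adds a duplicate), sets the modes the recipe uses, and checks them, since sshd's default StrictModes refuses keys in a directory writable by others. The function names, the temporary directory and the key line are constructed for the example.

```bash
#!/bin/sh
# Added example (not from the book): idempotent authorized_keys install
# plus a permission check for the directory and file it writes.
set -eu

# Octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_pubkey PUBKEY_FILE SSH_DIR: create SSH_DIR (0700) and
# authorized_keys (0600) if needed, append each key line only when it is
# not already present, so repeated runs do not pile up duplicates.
install_pubkey() {
    pubkey_file=$1; ssh_dir=$2
    auth_keys="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac    # skip blanks and comments
        # -x -F: whole-line literal match (key blobs contain '+' and '/')
        grep -qxF -- "$line" "$auth_keys" || printf '%s\n' "$line" >> "$auth_keys"
    done < "$pubkey_file"
}

# check_ssh_dir SSH_DIR: 0 when the modes match what the recipe sets,
# 1 (naming the offender) otherwise.
check_ssh_dir() {
    ssh_dir=$1
    [ "$(mode_of "$ssh_dir")" = 700 ] || { echo "bad mode on $ssh_dir"; return 1; }
    [ "$(mode_of "$ssh_dir/authorized_keys")" = 600 ] \
        || { echo "bad mode on $ssh_dir/authorized_keys"; return 1; }
}

# Run the installer twice on a constructed key in a temp dir and print the
# resulting line count of authorized_keys (1, not 2).
demo_install_count() {
    tmp=$(mktemp -d)
    # Constructed sample key line; the blob is not a real key.
    printf 'ssh-dss AAAAB3NzaC1kc3MAAACBEXAMPLEKEY= smith@example.test\n' \
        > "$tmp/id_dsa.pub"
    install_pubkey "$tmp/id_dsa.pub" "$tmp/ssh"
    install_pubkey "$tmp/id_dsa.pub" "$tmp/ssh"   # second run is a no-op
    check_ssh_dir "$tmp/ssh" >/dev/null
    wc -l < "$tmp/ssh/authorized_keys" | tr -d ' '
    rm -rf "$tmp"
}
```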

Tip

OpenSSH public keys go into the file ~/.ssh/authorized_keys. Older versions of OpenSSH, however, require SSH-2 protocol keys to be in ~/.ssh/authorized_keys2.

Discussion

Public-key authentication lets you prove your identity to a remote host using a cryptographic key instead of a login password. SSH keys are more secure than passwords because the private key is never transmitted over the network, whereas a password is (albeit encrypted). Also, the private key is stored encrypted under your passphrase, so if someone steals it, it is useless without the passphrase for decrypting it. A stolen password, on the other hand, is immediately usable.

An ...
