Spring in Practice

Willie Wheeler's Spring blog

Setting Up Public Key Authentication (PKA) Over SSH

| Comments

I assume you already know the whys, concepts, and terminology; this is just a statement of the steps involved. I’m using OpenSSH and a DSA key pair.

Step 1

Generate a key pair:

ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/Willie/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/Willie/.ssh/id_dsa.
Your public key has been saved in /home/Willie/.ssh/id_dsa.pub.
The key fingerprint is:
f2:f7:5b:9b:f7:64:2b:d8:fe:ca:ad:f5:13:35:9f:63 Willie@ARCATA

This creates your key pair, and places them in your ~/.ssh directory. The public key is id_dsa.pub; the private key is id_dsa. If it isn’t already obvious, the public key is not a secret, and the private key is. :–)

Step 2

Install the public key to any SSH servers for which you’d like to use PKA. To do this, SSH into the server machine and open up the ~/.ssh/authorized_keys file in a text editor. If you haven’t already installed a public key to the server in the past, then you’ll be creating a new file. Just append the contents of your id_dsa.pub file to authorized_keys. Here’s mine:

ssh-dss AAAAB3NzaC1kc3MAAACBAOybEZ4kAaKROXoibeR+V/ajTY3L/aN6K5lVbdWKsw+9uPl/cyj4
6Qu5UYHkLS5tiGci8Olx7jNfku4/k1z8/JoGDTqwAixMxgb/NNKTUB7ZnhxfVTenSI/oVtM/lNpCiOdg
U7ESOyNrxPFVU6K1pWId+LGxeweWTw+08vwIOShTAAAAFQDx6q5JWhV2EDGUMXFwj3QF8+8a4wAAAIBW
Mee5MphZPYxG7la772tAYREo+37eXfP3SW49GmPHJFdydFcf5VtroLlzKJ1Iy9HUwnKjiEv2qE1B2xVD
jJslgQ34QVKKswQDRCXlyshyKbbRMd37MSYNpNqdZ5gTJT+EMa8+NoTUGwXOitSMMtx2WmpVo4Fu7Fp1
eDYvSVChjAAAAIB6uisHso6iPMz11qbKNaHSIqIAV+7iNJZD7aeFuytLDG20Y70b4Jy4Mr4g8RH+MtAL
fyq6aTcv/g/j2DMeJjwjqLXQFbaFekmQEOfoQ6IZJ5CylthMP1PzRcR5KeCUInKj9CRkTlWLlTMk5es+
VEebIHg9SWNstkjWBLwlQhemgA== Willie@ARCATA

(For formatting purposes, I’ve included line breaks above, but don’t introduce line breaks into your public key when you paste it into authorized_keys.)

Step 3

Adjust the permissions on your .ssh directory, and on the files inside it, so that nobody else can write to them.

Step 4

Set up the SSH agent. This allows you to enter your passphrase one time per shell session instead of having to type it in every time you want to SSH to your server. Just type ssh-agent followed by ssh-add. Some people just put this in their startup script (e.g., .bash_profile). You’ll need to use eval $(ssh-agent) instead of ssh-agent if you choose to do that. You’ll have to enter your passphrase every time you open a shell, but after that you can SSH anywhere where you’ve installed your public key without having to enter your passphrase.

Post migrated from my Wheeler Software site.

Comments