Posted October 7, 2009 by Spyros in Linux Tips

How to Setup Your SSH Keys For Authentication


SSH, the Secure SHell, is a network protocol used to transmit data securely between two devices on a network. There are several other tools that can be used to reach a remote machine. One of them is the well-known telnet, which many people tend to use. The problem with telnet is that it transmits data unencrypted, meaning that an eavesdropper who sniffs network traffic can recover the connection password (and more) very easily.

SSH resembles telnet in that it is used to get a remote shell, but it has one very important advantage: encryption. Since it uses public key cryptography as a means of authentication and encrypts the communication between the two ends, it is a pretty secure medium. By default, SSH asks the connecting user for a password whenever they try to communicate with the other end.

The good thing is that it is relatively easy to configure our client to authenticate itself to the other end using a private key that we create. The first thing that you need to do, of course, is install OpenSSH, the well-known suite that contains the various SSH-related tools that we need. Use your favorite package manager to do so. I mainly use Debian, where the packages are named openssh-client and openssh-server, so in my case the command to install it is:

apt-get install openssh-client openssh-server

After OpenSSH is installed on both machines, the next step is to create our private/public key pair on our client system. The idea is that the client that connects to our server holds the private key and the server holds the public key. When the client tries to connect to that server, it proves that it holds the private key matching the public key stored there. If the client does not have a private key, it will be asked for a password. So, let's create our key pair:

ssh-keygen -t dsa

After you run this command you will be asked for a passphrase. Make sure that you use a strong one, because if somebody guesses your passphrase, the key no longer protects anything. After the command finishes, you will find two new files in your ~/.ssh directory, named id_dsa and id_dsa.pub. Note that OpenSSH 7.0 and later disable DSA keys by default, so on a current system pass -t ed25519 or -t rsa instead; the files are then named id_ed25519 or id_rsa and the remaining steps are the same.

The next step is to copy the id_dsa.pub file (which is the public key) to your server. A good and easy way to do that is to use the scp (secure copy) command, which once again uses SSH for secure transfer. You have to copy the public key to your server's ~/.ssh directory under the name authorized_keys. Do that using scp this way:

scp ~/.ssh/id_dsa.pub hthought@domain.com:~/.ssh/authorized_keys

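This will copy the public key to hthought's .ssh folder on the computer at the IP address that domain.com resolves to. Note that scp replaces any authorized_keys file already there, so use this form only when the account has no other authorized keys. A last but important thing to do is to give the appropriate permissions to the .ssh files on both the server and the client using chmod: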

chmod 600 ~/.ssh/*
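
The copy and permission steps above, as an added example that is not part of the original post: a function run on the server that appends a public key to authorized_keys instead of replacing the file, skips a key that is already listed, and sets owner-only modes on the directory and the file. The function name, its arguments and the sample key are assumptions of this example.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE [SSH_DIR]
# Hypothetical helper: its name and arguments are assumptions of this example.
# Run on the server. Returns 0 = key added, 1 = already present, 2 = error.
install_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 2; }
    # A .pub file is one line: "<type> <base64-blob> [comment]". A private
    # key file spans several lines and is rejected here.
    [ "$(grep -c '' "$pub")" -eq 1 ] || { echo "expected one line" >&2; return 2; }
    key=$(cat "$pub")
    case $key in
        ssh-*\ ?*|ecdsa-*\ ?*|sk-*\ ?*) ;;
        *) echo "$pub is not a public key" >&2; return 2 ;;
    esac
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    [ -n "$blob" ] || return 2

    # Owner-only access: 700 on the directory, 600 on the key list.
    mkdir -p "$dir" && chmod 700 "$dir" || return 2
    touch "$auth" && chmod 600 "$auth" || return 2

    # Compare the base64 blob so a changed comment does not add a duplicate.
    if grep -qF -- "$blob" "$auth"; then
        return 1
    fi
    # If the file lacks a final newline, add one so the new key starts on
    # its own line instead of being glued to the last entry.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
}

# Demo in a scratch directory; the key below is constructed, not a real key.
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedDemoKeyNotReal demo@client' > "$demo/id.pub"
for run in first second; do
    rc=0; install_pubkey "$demo/id.pub" "$demo/.ssh" || rc=$?
    echo "$run run: exit $rc"
done
rm -rf "$demo"
```

The ssh-copy-id script shipped with OpenSSH performs the same kind of append from the client side.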

Make Sure That The Server Allows for Key Authentication

If you are still asked for a password when you try to log in, it is possible that the OpenSSH server is not configured to allow key authentication. Take a quick look at the server configuration file at /etc/sshd_config or /etc/ssh/sshd_config and check for these options:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Most probably these will already be the options in your default configuration file, but if not, change them so that public key authentication works. After the change, do not forget to restart the server using (for Debian, where the init script is named ssh):

/etc/init.d/ssh restart

Hopefully this will enable you to go back and create your keys so that you can now log in to your remote systems safely using SSH, without needing to retype your password each time.