
Public/private key authentication with ssh


Create keys

Go to the client, on the account you want to use, and generate a key pair (if none exists already). If you want to use these keys within scripts, or don't want to type the passphrase each time, leave the passphrase blank, but then do not share the private key. The remote user can be root.

    $ mkdir -p ~/.ssh   # if it doesn't already exist
    $ chmod 700 ~/.ssh
    $ cd ~/.ssh
    $ ssh-keygen -t dsa   # rsa may be a bit better; OpenSSH 7.0 and later refuse DSA keys by default

This gives you a pair of keys in the .ssh folder: id_dsa (or id_rsa), the private key (do not disclose or share it), and id_dsa.pub (or id_rsa.pub), the public key, which you can share to be identified.

Copy the public key to the remote host

Best way is to use

    ssh-copy-id -i /home/<user>/.ssh/id_dsa.pub <remote-user>@server-name

This will copy the public key to the remote server, creating the folders and files accordingly if necessary. You can also do this manually with scp.

Try connecting from the client to the server with ssh: you should be prompted for the passphrase instead of the password (or not prompted at all if there is no passphrase).

Alternative way (full manual):

    $ scp -p id_dsa.pub remoteuser@remotehost:
    Password: ********

Log into the remote host and install the public key:

    $ ssh -l remoteuser remotehost
    Password: ********
    remotehost$ mkdir -p ~/.ssh   # if it doesn't already exist
    remotehost$ chmod 700 ~/.ssh
    remotehost$ cat id_dsa.pub >> ~/.ssh/authorized_keys   # appending
    remotehost$ chmod 600 ~/.ssh/authorized_keys
    remotehost$ mv id_dsa.pub ~/.ssh   # optional, just to be organized
    remotehost$ logout

Log back in via public-key authentication:

    $ ssh -l remoteuser remotehost
    Enter passphrase for key '/home/smith/.ssh/id_dsa': ********
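The manual install above works, but a bare `cat >>` appends a duplicate line every time it is re-run, happily installs a private key if you copy the wrong file, and only fixes permissions on the first run. The following script is an added example, not part of the original page, that does the same install step with those checks; the function names (`install_authorized_key`, `perm_of`, `count_authorized_keys`) are my own, and it assumes POSIX sh with awk, grep and either GNU or BSD stat.

```shell
#!/bin/sh
# Added example, not part of the original page: a safer equivalent of the
# manual "cat id_dsa.pub >> ~/.ssh/authorized_keys" step.
# Assumes POSIX sh plus awk/grep and GNU or BSD stat.

# perm_of PATH -> prints the octal mode of PATH (GNU stat, falling back to BSD stat)
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# count_authorized_keys TARGET_HOME -> prints the number of lines in authorized_keys
count_authorized_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# install_authorized_key PUBKEY_FILE TARGET_HOME
#   Installs the public key on the first line of PUBKEY_FILE into
#   TARGET_HOME/.ssh/authorized_keys with the permissions sshd's StrictModes
#   expects (700 on .ssh, 600 on the file). Refuses private keys and lines
#   that do not look like a public key, and never appends the same key twice.
install_authorized_key() {
    pubkey_file=$1
    target_home=$2
    ssh_dir="$target_home/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }

    # Classic mistake: copying id_dsa instead of id_dsa.pub. Never install it.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "refusing: $pubkey_file looks like a private key" >&2
        return 1
    fi

    # A public key line is "<type> <base64 blob> [comment]".
    key_line=$(head -n 1 "$pubkey_file")
    key_type=$(printf '%s\n' "$key_line" | awk '{print $1}')
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $2}')
    case "$key_type" in
        ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|sk-*@openssh.com) ;;
        *) echo "refusing: unrecognised key type '$key_type'" >&2; return 1 ;;
    esac
    printf '%s\n' "$key_blob" | grep -Eq '^[A-Za-z0-9+/=]+$' \
        || { echo "refusing: key material is not base64" >&2; return 1; }

    # Same as the page's mkdir/chmod steps, but applied unconditionally so a
    # pre-existing directory with loose permissions is tightened as well.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Append only if this type+blob is not already present (comment ignored).
    # A bare "cat >>" would add a duplicate line on every run.
    if awk -v t="$key_type" -v b="$key_blob" \
           '$1 == t && $2 == b { found = 1 } END { exit !found }' "$auth_keys"; then
        echo "already installed: $key_type key" >&2
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
}

# usage: install_authorized_key ~/id_dsa.pub /home/remoteuser
```

Run it on the remote host as the target user after copying the `.pub` file over with scp, exactly where the page's `cat >>` step sits; the permission checks matter because sshd with StrictModes (the default) silently ignores an authorized_keys file that is group- or world-writable, which shows up only as an unexpected password prompt.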

When you are sure it works, disable password login.

In /etc/ssh/sshd_config, set PasswordAuthentication to no to disable tunnelled clear-text passwords:

    PasswordAuthentication no