Public key authentication in SSH

Contents

1. Setup of public key authentication with SSH protocol version 2. (Update 2004/3/3)
2. Setup of public key authentication with SSH protocol version 1.
3. To confirm ssh server host
4. Single sign-on using ssh-agent (Update 2014/3/7)

Setup of public key authentication with SSH protocol version 2.

On client host, make a key pair.

[lune]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/monkey/.ssh/id_dsa): ( just_push_enter_key )
Enter passphrase (empty for no passphrase): your_passphrase_will_no_be_displayed
Enter same passphrase again: your_passphrase_will_no_be_displayed
Your identification has been saved in /home/monkey/.ssh/id_dsa.
Your public key has been saved in /home/monkey/.ssh/id_dsa.pub.
The key fingerprint is:
b7: fb:40:35:86:55:52:97:ae:e7:0e:4f:15:af:d8:ff monkey@lune.kek.jp
[lune]$



With OpenSSH 3.1/2.5.2, also RSA is available; "ssh-keygen -t rsa"
With OpenSSH 2.1.1, the command is "ssh-keygen -d".
With OpenSSH 3.1/2.5.2, also "ssh-keygen -d" is available.



Copy the public key to the server host. On the server host, put the key into "authorized_keys2" file.
[lune]$ scp id_dsa.pub soleil:.ssh

[soleil]$ cd .ssh
[soleil]$ cat id_dsa.pub >> authorized_keys2
[soleil]$ chmod 600 authorized_keys2


Requirements.
• Home directory and .ssh directory: write permission for group should be off. (OpenSSH_3.5 and later)

Now public key authentication will be available.
[lune]$ ssh soleil
Enter passphrase for key '/home/monkey/.ssh/id_dsa': your_passphrase_will_no_be_displayed


If not works.
• Check /var/log/secure of a server host.
• Get trace of a connection with "-v" option and check the log.
  $ ssh -v remote_host





Setup of public key authentication with SSH protocol version 1.

On client host, make key pair.

[lune]$ ssh-keygen
Generating public/private rsa1 key pair.
Enter file in which to save the key (/home/monkey/.ssh/identity): just_push_enter_key
Enter passphrase (empty for no passphrase): your_passphrase_will_no_be_displayed
Enter same passphrase again: your_passphrase_will_no_be_displayed
Your identification has been saved in /home/monkey/.ssh/identity.
Your public key has been saved in /home/monkey/.ssh/identity.pub.
The key fingerprint is:
cf: 9b:53:14:da:77:74:0a:d4:f5:6c:1f:9b:f3:52:12 monkey@lune.kek.jp
[lune]$


Copy the key to the server host. On the server host, put the key into "authorized_keys2" file.
[lune]$ scp identity.pub soleil: .ssh

[soleil]$ cat identity.pub >> authorized_keys
[soleil]$ chmod 600 authorized_keys


Now public key authentication will be available.
[lune]$ ssh -1 soleil
Enter passphrase for RSA key 'monkey@lune.kek.jp': your_passphrase_will_no_be_displayed







To confirm ssh server host

At the first time to connect a new host, the following warning will be displayed.

[lune]$ ssh soleil
The authenticity of host 'soleil (127.0.0.1)' can't be established.
RSA key fingerprint is 68: 76:f1:5c:4d:fa:53:51:07:b7:10:1f:17:9b:95:8b.
Are you sure you want to continue connecting (yes/no)?

Before entering "yes", confirm the finger print of the remote host, by E-mail or ....


On the otherhand, if you are a manager of ssh-server host, and if you are asked but you've forgotten the fingerprint,
you can get the value with the following command.

# ssh-keygen -l
Enter file in which the key is (/home/monkey/.ssh/identity): /etc/ssh/ssh_host_dsa_key

or

# ssh-keygen -l
Enter file in which the key is (/home/monkey/.ssh/identity): /etc/ssh/ssh_host_rsa_key

or so on.




Single sign-on using ssh-agent

1. Supported version:
   
   Openssh 2.5.2 or later (protocol 2 and 1)
   Openssh 2.1.1 (protocol 1)
   
   
   
2. First to do
   
   • Create a public key pair on the local desktop or the laptop machine.
     
   • Copy the public key to the remote machines, put it in ~/.ssh/authorized_keys.
     
   • Modify configuration file on the local machine and remote machines.
     $ cd ~/.ssh
     $ cp /etc/ssh/ssh_config ./config
     Edit config, change the values of FowardAgent and ForwardX11 parameter to yes.
     
   • Make sure "AllowTcpForwarding" is "yes" (maybe dafault value) in /etc/ssh/sshd_config.
   
   
3. Starting ssh-agent
   
   $ eval `ssh-agent`
   $ ssh-add
   
   After this, ssh-agent helps ssh login.
   
4. Third paty copy.
   
   $ scp soleil:filename etoile:
   or
   $ ssh soleil "scp filename etoile:"
   Without ssh-agent, "-t" option is required.
   $ ssh -t soleil "scp filename etoile:"
   
   
5. Chain login without entering password.
   
   $ ssh soleil
   $ ssh etoile
   
   
   
6. File transfer from outside of FW to inside via DMZ host.
   
   $ dd if=file | ssh lune dd | ssh soleil dd of=newfile
   $ tar cf - target | ssh lune dd | ssh soleil tar xf -
   
   
   
7. Comments on configuration.
   
   • In lune:/etc/ssh/ssh_config, when "ForwardAgent yes" is included,
     [lune]$ ssh soleil ==> [soleil]$ ssh etoile .....public key will be forwarded.
     
     Otherwise password will be required.
     
     
   • In lune:/etc/ssh/ssh_config, when "ForwardX11 yes" is included,
     [lune]$ ssh soleil ==> X11 clients such as xterm are available.
     

---

History

2004/10/22	Added File transfer from outside of FW to inside via DMZ host.