After my last article dealing with ssh I thought I’d write about another feature that comes in handy. Most people who use ssh probably authenticate by using a password. This is not so bad – unlike with FTP for example, where the password is transmitted in plaintext, any password that you send while logging in via ssh will be encrypted. But passwords aren’t the only way to log in, and they’re arguably not the most secure either.
The idea behind public key authentication is pretty straightforward. You generate a pair of cryptographic keys, one public and one private. Your public key is then placed in a specific location on the server that you wish to connect to. When you try to connect, your client proves that it has access to the private key that matches the public key located on the server and you’re logged in. The most obvious cool thing about public key authentication is that you don’t have to enter a password; you’re authenticated automatically via your key. In addition to that, you’re a bit safer from potential attacks (IP or DNS spoofing, for example) that could trick you into sending your password straight to the attacker.
To set up public key authentication, you’ll need to do the following:
- Generate a public/private key pair – these can be generated using ssh-keygen on Linux/OS X or puttygen.exe on Windows
- Place your public key on the server you’re going to connect to
Generating your keys on Windows
- Download and run puttygen.exe (link above)
- Click the Generate button inside the Actions section and follow the prompts
- Once the key is generated, click the Save public key and Save private key buttons and save them somewhere you can access them easily. Your public key can be saved in a regular .txt file, while your private key needs to be saved in a .ppk file to be used by PuTTY. Adding a passphrase is not necessary, but make sure to keep your ppk file somewhere secure.
Generating your keys on Linux or OS X
This is even simpler than it is on Windows. All you have to do is run ssh-keygen. That’s it. The defaults are fine, so you don’t even have to specify any options on the command line. Your public and private keys will be saved in ~/.ssh/id_rsa.pub and ~/.ssh/id_rsa respectively.
Using your keys to authenticate
The first thing you’ll need to do is ssh into the target server, logging in with your password normally. Once you’re in, you’ll want to create the file ~/.ssh/authorized_keys (if it’s not already there) and add your public key to it. Paste the whole key in as a single line, with no line breaks.
If you’re using PuTTY on Windows, you’ll need to go into the Connection > SSH > Auth menu and in the Private key file for authentication box put in the path to your ppk file. Under Connection > Data set Auto-login username to your username on the remote system. Now save your session with this set up so that you don’t have to do it every time.
If you’re on Linux or OS X, you shouldn’t have to do anything special. As long as your username is the same on your local machine and the box that you’re connecting to, you’ll be fine. If they’re different, you’ll have to use ssh user@host to connect.
Once you connect you should find yourself logged in without having to enter a password. :)
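The server-side step above (adding the key to ~/.ssh/authorized_keys), written as an added shell example that is not part of the original article. The function name install_pubkey and its return codes are hypothetical; it assumes sshd's default StrictModes behaviour, which ignores authorized_keys when the file or ~/.ssh is writable by other users, and that PuTTYgen's Save public key button writes the multi-line RFC 4716 format rather than the one-line OpenSSH format.

```shell
#!/bin/sh
# Added example: install_pubkey is a hypothetical helper, not from the article.
# Run on the server as the target user: install_pubkey PUBKEY_FILE [HOME_DIR]
install_pubkey() {
    keyfile=$1
    home=${2:-$HOME}
    sshdir=$home/.ssh
    auth=$sshdir/authorized_keys

    [ -r "$keyfile" ] || { echo "cannot read $keyfile" >&2; return 1; }

    # Only the public half belongs on the server.
    if grep -q 'PRIVATE KEY' "$keyfile"; then
        echo "refusing: $keyfile looks like a private key" >&2
        return 2
    fi

    # Multi-line RFC 4716 export; authorized_keys needs the one-line
    # OpenSSH format (convert with: ssh-keygen -i -f FILE).
    if grep -q 'BEGIN SSH2 PUBLIC KEY' "$keyfile"; then
        echo "refusing: RFC 4716 format, convert to OpenSSH format first" >&2
        return 3
    fi

    # Expect exactly one non-empty line: "<type> <base64> [comment]".
    key=$(grep -v '^[[:space:]]*$' "$keyfile")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: not an OpenSSH public key line" >&2; return 4 ;;
    esac
    nlines=$(printf '%s\n' "$key" | grep -c .)
    [ "$nlines" -eq 1 ] || { echo "refusing: key is split over $nlines lines" >&2; return 4; }

    # Owner-only permissions, so sshd's StrictModes check accepts the file.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 5
    touch "$auth" && chmod 600 "$auth" || return 5

    # Append only if this exact line is not already present.
    grep -qxF "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
}
```

If key login still falls back to a password prompt after this, check that the home directory itself is not writable by group or others.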

Cool introduction! I really like the SSH tunnels writeup, too.
I started an apparent maelstrom a while back because I published something about SSH key auth, and a bunch of bloggers replied and wrote other stuff. If I get a chance this week, I’ll bring it up again and point to your tunnel article.
Hey Matt,
I took a peek at your article, it’s pretty cool. There are definitely some interesting things you can do by matching different public keys to different commands in the authorized_keys file. I’ve used that stuff in a few Subversion setups. I’ll be following along with your thread :)