How to configure OpenSSH to use SSH keys for authentication instead of a password.
Server is running openssh
To enable logging in without a password on machine "remote" from machine "local",
in both cases as user "pete", using OpenSSH:
- On the local machine:
- Ensure that you can connect to the remote machine, and back again, with your passwords.
pete@local pete $ ssh remote
pete@remote's password:
pete@remote pete $ ssh local
pete@local's password:
pete@local pete $ exit
pete@remote pete $ exit
pete@local pete $
- Generate a private/public key pair in the ssh directory $HOME/.ssh. The program asks for:
  - The name of the file to save the key in. Just hit <enter> to accept the default.
  - A passphrase. Hitting <enter> gives an unencrypted private key, which is what makes the later logins prompt-free; the trade-off is that anyone who copies the id_dsa file can log in as you. If the key ever leaves a machine you control, set a passphrase and let ssh-agent remember it for the session instead.
  The transcript below keeps the page's original -t dsa. DSA (ssh-dss) keys are refused by default since OpenSSH 7.0 and recent releases no longer build DSA support at all, so on a current system use ssh-keygen -t ed25519; the files are then id_ed25519 and id_ed25519.pub, and everything below applies unchanged.
(Such a key pair needs to be created only once, so this step can be skipped when you later set up further remote hosts from this local machine: the same public key is copied to each of them.)
pete@local pete $ cd .ssh
pete@local .ssh $ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/pete/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/pete/.ssh/id_dsa.
Your public key has been saved in /home/pete/.ssh/id_dsa.pub.
The key fingerprint is:
... pete@local
- Copy the public key to the remote machine. The target name (local.pub in the example) is not important (unless it overwrites something).
pete@local .ssh $ scp id_dsa.pub remote:local.pub
pete@remote's password:
id_dsa.pub 100% |************************************************| 610
- On the remote machine: append the public key for pete@local to $HOME/.ssh/authorized_keys2. (authorized_keys2 dates from the time when OpenSSH kept protocol-1 and protocol-2 keys in separate files; current OpenSSH looks for $HOME/.ssh/authorized_keys and only still reads authorized_keys2 because the default AuthorizedKeysFile setting lists both, so use authorized_keys on a current server. Whichever file you use, sshd with the default StrictModes ignores it unless the home directory, .ssh and the file itself are owned by you (or root) and not writable by group or others: chmod 700 ~/.ssh; chmod 600 ~/.ssh/authorized_keys. ssh-copy-id does the copying, appending and chmod in one step.)
pete@local pete $ ssh remote
pete@remote's password:
pete@remote pete $ cat local.pub >>.ssh/authorized_keys2
pete@remote pete $ rm local.pub
pete@remote pete $ exit
pete@local pete $
- Now you should be able to login from the local to the remote machine without being prompted for a password. If you still get the password prompt, run ssh -v remote: the client lists which keys it offered, and the server's auth log (or sshd -d) says why a key was rejected, which is almost always file permissions or the wrong authorized_keys file.
pete@local pete $ ssh remote
pete@remote pete $
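The "append the public key to authorized_keys" step and the permission check from the steps above, as an added example that is not code from the original page. It installs a key line idempotently (the way ssh-copy-id avoids duplicates) and then checks the modes that sshd's default StrictModes requires before it will use the file. The key line used in the demo is constructed and is not a real key.

```shell
#!/bin/sh
# Added example (not code from the original page): the "append the public key
# to authorized_keys" step done idempotently, plus the permission check that
# sshd's StrictModes (on by default) applies before it will use the file.
# The key line below is constructed for the demo and is not a real key.

# Append PUBKEY (one OpenSSH public-key line, as found in id_ed25519.pub) to
# HOME_DIR/.ssh/authorized_keys, creating the directory and file with the
# modes sshd expects. A key that is already present is not appended again,
# even if its trailing comment differs (only the type and base64 blob count).
install_authorized_key() {
  home_dir=$1
  pubkey=$2
  ssh_dir="$home_dir/.ssh"
  ak="$ssh_dir/authorized_keys"
  mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
  touch "$ak" && chmod 600 "$ak"
  key_id=$(printf '%s\n' "$pubkey" | awk '{ print $1 " " $2 }')
  if awk '{ print $1 " " $2 }' "$ak" | grep -qxF "$key_id"; then
    return 0
  fi
  printf '%s\n' "$pubkey" >> "$ak"
}

# Number of key lines sshd will consider (lines starting with a key type).
count_authorized_keys() {
  awk '$1 ~ /^(ssh|ecdsa|sk)-/ { n++ } END { print n + 0 }' "$1/.ssh/authorized_keys"
}

# Succeed only when HOME_DIR, HOME_DIR/.ssh and authorized_keys all exist and
# none of them is group- or world-writable; otherwise sshd silently ignores
# the file and you are back at the password prompt.
check_ssh_perms() {
  home_dir=$1
  for p in "$home_dir" "$home_dir/.ssh" "$home_dir/.ssh/authorized_keys"; do
    [ -e "$p" ] || return 1
    # POSIX find: -prune looks only at the path itself; -perm -020 / -002
    # match when the group- or other-write bit is set.
    [ -z "$(find "$p" -prune \( -perm -020 -o -perm -002 \))" ] || return 1
  done
  return 0
}

# Demo on a throwaway directory. Installing the same key twice leaves one
# line; the second install differs only in its comment.
demo_root=$(mktemp -d)
demo_home="$demo_root/home"
mkdir -p "$demo_home" && chmod 755 "$demo_home"
install_authorized_key "$demo_home" \
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoBlobNotARealKey pete@local"
install_authorized_key "$demo_home" \
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoBlobNotARealKey pete@laptop"
echo "keys installed: $(count_authorized_keys "$demo_home")"
if check_ssh_perms "$demo_home"; then
  echo "permissions acceptable for StrictModes"
fi
rm -rf "$demo_root"
```

On a real server you would call install_authorized_key "$HOME" "$(cat local.pub)" in place of the cat >> line from the transcript; check_ssh_perms "$HOME" is the first thing to run when key login unexpectedly falls back to a password.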
Server is running another ssh implementation
Here we assume that local uses OpenSSH while remote uses some other SSH-2 implementation; the file layout below (a .ssh2 directory with an authorization file) is the one used by the ssh.com ssh2 server.
- Generate a public/private key pair on local as shown above.
- Convert /home/pete/.ssh/id_dsa.pub to the RFC 4716 ("SSH2 PUBLIC KEY") format expected by other ssh2 implementations; ssh-keygen -e does this, and ssh-keygen -i converts back.
pete@local pete $ cd $HOME
pete@local pete $ mkdir .ssh2 # if it doesn't exist yet
pete@local pete $ ssh-keygen -e -f .ssh/id_dsa.pub > .ssh2/id_dsa.pub
- Copy the .ssh2 version to remote (first ensure that your home directory on remote has a .ssh2 subdirectory). Use a name (on remote) that reflects the local machine, e.g. local_id_dsa.pub in the example, because every key that remote accepts lives as its own file in that one directory.
pete@local pete $ ssh remote
pete@remote's password:
pete@remote pete $ mkdir .ssh2 # if it doesn't exist yet
pete@remote pete $ exit
pete@local pete $ scp .ssh2/id_dsa.pub remote:.ssh2/local_id_dsa.pub
pete@remote's password:
scp: warning: Executing scp1.
local_id_dsa.pub 100% |***********************************************************| 725 00:00
- On remote: announce that .ssh2/local_id_dsa.pub is an authorized public key. ssh2 uses a slightly different system than OpenSSH: instead of appending the public key to authorized_keys2, you add a reference to .ssh2/local_id_dsa.pub in the file .ssh2/authorization (one "Key <filename>" line per key, with the filename taken relative to .ssh2).
pete@local pete $ ssh remote
pete@remote's password:
pete@remote pete $ echo "Key local_id_dsa.pub" >> .ssh2/authorization
pete@remote pete $ exit
pete@local pete $
- Now you should be able to login from the local to the remote machine without being prompted for a password.
pete@local pete $ ssh remote
pete@remote pete $
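The conversion and the .ssh2/authorization bookkeeping from this section, as an added example that is not code from the original page. It does in plain shell what ssh-keygen -e and the echo >> .ssh2/authorization line do, so the RFC 4716 layout that ends up in .ssh2/local_id_dsa.pub is visible; the only difference from ssh-keygen -e is the text of the Comment: line, which ssh-keygen generates itself. The key line in the demo is constructed and is not a real key.

```shell
#!/bin/sh
# Added example (not code from the original page): the conversion that
# ssh-keygen -e performs, and the .ssh2/authorization bookkeeping, written
# out in plain shell so the RFC 4716 ("SSH2 PUBLIC KEY") layout is visible.
# The key line used in the demo is constructed and not a real key.

# Turn a one-line OpenSSH public key ("type base64 [comment]") into the
# RFC 4716 layout: header, optional Comment: line, base64 wrapped at 70
# columns, footer. (ssh-keygen -e writes its own Comment: text; the
# remaining lines are the same.)
openssh_to_rfc4716() {
  blob=$(printf '%s\n' "$1" | awk '{ print $2 }')
  comment=$(printf '%s\n' "$1" | awk '{ $1 = ""; $2 = ""; sub(/^ +/, ""); print }')
  printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----'
  if [ -n "$comment" ]; then
    printf 'Comment: "%s"\n' "$comment"
  fi
  printf '%s\n' "$blob" | fold -w 70
  printf '%s\n' '---- END SSH2 PUBLIC KEY ----'
}

# Write the converted key to HOME_DIR/.ssh2/NAME and reference it from
# .ssh2/authorization with a "Key NAME" line, adding that line only once.
install_ssh2_key() {
  home_dir=$1
  name=$2
  pubkey=$3
  dir="$home_dir/.ssh2"
  mkdir -p "$dir" && chmod 700 "$dir"
  openssh_to_rfc4716 "$pubkey" > "$dir/$name"
  touch "$dir/authorization" && chmod 600 "$dir/authorization"
  if ! grep -qxF "Key $name" "$dir/authorization"; then
    printf 'Key %s\n' "$name" >> "$dir/authorization"
  fi
}

# Number of "Key" references in .ssh2/authorization.
count_ssh2_keys() {
  awk '$1 == "Key" { n++ } END { print n + 0 }' "$1/.ssh2/authorization"
}

# Demo on a throwaway directory: installing the same key twice leaves one
# Key line in authorization.
demo_home=$(mktemp -d)
install_ssh2_key "$demo_home" local_id_ed25519.pub \
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoBlobNotARealKey pete@local"
install_ssh2_key "$demo_home" local_id_ed25519.pub \
  "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDemoBlobNotARealKey pete@local"
cat "$demo_home/.ssh2/local_id_ed25519.pub"
echo "Key lines in authorization: $(count_ssh2_keys "$demo_home")"
rm -rf "$demo_home"
```

The Key line names a file, not a key, so renaming local_id_dsa.pub on remote without updating .ssh2/authorization silently disables that key; keeping one file per client machine, as the transcript suggests, makes the authorization file double as an inventory of which machines may log in.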