How to Use RSA Key Authentication with SSH
By: Karsten M. Self
Written: Fri Aug 4, 2000
Modified: 2008/11/06 20:35:46
Allow secure, authenticated remote access, file transfer, and command execution without having to remember passwords for each individual host you connect to.
All users needing remote access or data. All platforms -- SSH is available for Linux, Unix, Windows, and Macintosh. A comprehensive list of clients is available from http://linuxmafia.com/pub/linux/security/ssh-clients.
It's the Right Thing to Do ™.
In a networked world, remote access is a reality we have to deal with. Remembering passwords to myriad systems is inconvenient at best, and leads to bad practices at worst -- shared passwords, shared accounts, and other evils -- which are a significant source of security threats.
RSA authentication is both convenient (one passphrase, or if you choose, no passphrase), allows access to many systems. Remote actions such as programs and file transfers can be automated so that you don't have to "be there" when long processes occur. If access from a specific user or host needs to be curtailed, the specific RSA key can be removed from the authorized_keys file without requiring password changes of all other users.
Where accounts must be shared, RSA authentication provides an additional audit trail and level of control over who is accessing the account. Again, if access from a specific location or user needs to be curtailed, the appropriate key can be removed from the authorized_keys list without disrupting access for other users. While this is possible, I still strongly recommend that alternative methods for privileged or shared access, such as sudo be used.
And all of this you can do in three easy steps (0 and 4 are not included in the enumeration, and 5 is right out)!
Prerequisite: the remote system needs to have ssh installed and sshd running, with RSA authentication enabled. This is the default configuration, and is typically specified with the option:
...in /etc/ssh/sshd_config. If you have problems, contact the system's administrator.
Zeroth step: You will need ssh installed on your computer. Procedures for doing this vary by Linux and/or Unix (or other OS) distribution. Refer to system documentation for details.
Create a local RSA key:
Follow the prompts, this takes a few seconds as your computer gathers entropy from the system.
You will be asked to supply a passphrase. While you can elect to choose a null passphrase. I would recommend you do supply a passphrase as it provides additional security -- your key is not useful without it. The upside is that you only have to remember this one passphrase for all the systems you access via RSA authentication. You can change the passhrase later with "ssh-keygen -p". Note that you can use ssh-agent to enable logging in with a password-protected key and not have to enter a password every time (you feed the password once with the ssh-add utility).
This is typically stored in your home directory under .ssh/id_rsa. After doing this, a directory listing of ~/.ssh should look like:
-rw------- 1 karsten karsten 528 Aug 4 21:37 id_rsa -rw-r--r-- 1 karsten karsten 332 Aug 4 21:03 id_rsa.pub -rw-r--r-- 1 karsten karsten 28106 Jul 26 16:52 known_hosts
Copy the public key id_rsa.pub to the hosts you wish to access remotely. You can do this by any method you like, one option is to use scp, naming the key to indicate your present host:
$ scp .ssh/id_rsa.pub email@example.com:local-host.ssh
e.g.: I might name a key for my host "navel" navel.ssh.
Connect to the remote host. You don't have RSA authentication enabled yet, so you'll have to use an old method such as walking up to the terminal or supplying a password. Add the new hostkey to the file .ssh/authorized_keys.
$ cat local-host.ssh >> .ssh/authorized_keys
Note the use of two right-angles ">" -- this will add the contents of local-host.ssh to a preexisting file, or create the file if it already exists.
Check the permissions of .ssh/authorized_keys, it must be as below or you won't be able to use RSA authentication:
-rw-r--r-- 1 karsten karsten 334 Aug 4 21:03 authorized_keys
And you're all set!
Test the method by logging out of the remote server and trying to connect to it via ssh:
$ ssh remote-user@remote-host
You may be prompted for your RSA key passphrase, but you won't need a remote password to connect to the host. If you are prompted for a password, or your connection is refused, something is wrong, and you'll want to refer to the troubleshooting section below.
You can repeat steps 1 - 3 for each remote host you wish to connect from.
Troubleshooting: If Something Breaks
You get to keep the pieces.
A common error is to have file permissions set wrong somewhere.
- Your .ssh directory may be writable only by you, but needs group and world read permissions.
- Your private key cannot be readable by anyone but you.
- Your public key cannot be writeable by anyone but you, but needs group and world read permissions.
...problems with any of these permissions may mean you cannot log in to a system. The permissions need to be correct at both sides of the connection. You can get diagnostics by invoking your connection with the verbose "-v" flag:
$ ssh -v remote-user@remote-host
Successful output looks like:
SSH Version OpenSSH-1.2.3, protocol version 1.5. Compiled with SSL. debug: Reading configuration data /etc/ssh/ssh_config debug: Applying options for * debug: ssh_connect: getuid 1000 geteuid 1000 anon 1 debug: Connecting to bugs.opensales.org [220.127.116.11] port 22. debug: Connection established. debug: Remote protocol version 1.5, remote software version 1.2.26 debug: Waiting for server public key. debug: Received server public key (768 bits) and host key (1024 bits). debug: Host 'bugs.opensales.org' is known and matches the host key. debug: Encryption type: 3des debug: Sent encrypted session key. debug: Installing crc compensation attack detector. debug: Received encrypted confirmation. debug: Remote: Server does not permit empty password login. debug: Trying RSA authentication with key 'karsten@angel' debug: Received RSA challenge from server. debug: Sending response to host key RSA challenge. debug: Remote: RSA authentication accepted. debug: RSA authentication accepted by server. debug: Requesting pty. debug: Requesting shell. debug: Entering interactive session.
...if you see lines indicating refusals or incorrect permissions, track down and correct the problem.
Last updated 2008/11/06 20:35:46