Home
 

Customer Support

Search for keywords:

Browse by category:

How do I get ssh to authenticate me via public/private keypairs instead of by password?

Use ssh-keygen on your local system to generate public and private keys. If your local system runs Windows, you can use Cygwin's ssh-keygen program.

There are two types of keys that can be created using ssh-keygen, DSA and RSA. Simply put, they are two different types of encryption. Because the construction of DSA was private in nature and RSA was not, many feel that RSA is a more secure standard because of the public scrutiny in the creation of it.

The method for creating either key is very similar.

The following method is to create SSH keys. It is important to hit ENTER twice when prompted for passphrase for the keys, so that no passphrase is generated (this is required for WinCVS users).

To create an RSA key use: ssh-keygen
To create a DSA key use: ssh-keygen -t dsa

The steps listed below are used to create a DSA key. The only differences between the creation of the keys are the output file (id_rsa.pub or id_dsa.pub) and the file stored on the remote server (authorized_keys2 for DSA and authorized_keys for RSA keys).

Here is a sample screencopy of what generating keys looks like:

$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /your/local/system/home
Your public key has been saved in /your/local/system/home
The key fingerprint is:
some:unique:hex:codes you@your.local.hostname

Now login to the remote system here and make sure in your home directory there is a subdirectory named: .ssh (include the period '.' before the 'ssh'). You may need to create this directory. To see the file, you will need to type:
ls -al
The .ssh directory should be chmod 700, which looks like this in the first column of a detailed file listing:
-rwx------

If those are not the permissions on the .ssh dir, then set them by typing:
chmod 700 .ssh

Now take the id_dsa.pub (or id_rsa.pub) file (your public key) that you generated with ssh-keygen on your local system, and copy it to the .ssh directory on the remote system here, renaming the file authorized_keys2 (or authorized_keys for rsa).

You can copy it in various ways, such as screencopying the contents of the file on your local system and editting a new file on the remote system, pasting and saving. Or you could ftp the file to the remote system and then rename it. If your local system is some kind of unix, the easiest thing is to scp it, or use a combination of cat and ssh like this typed all on one line:

$ scp id_dsa.pub youruser@ftp.modwest.com:/.ssh/authorized_keys2

or this:

$ cat id_dsa.pub | ssh youruser@ftp.modwest.com 'cat - >> ~/.ssh/authorized_keys2'

Once it is uploaded to the remote system, the authorized_keys2 (authorized_keys) file should be chmod 600, which looks like this in the first column of a detailed file listing:
-rw-------

If those are not the permissions on the authorized_keys2 (authorized_keys) file, then set them by typing:
chmod 600 /.ssh/authorized_keys2

At this point you should be able to login to the remote system via ssh without being prompted for a password.

User-Contributed Notes

add a note
29-Aug-2002 15:16 
Generating keys using PuTTY didn't seem to work. Generating them with
Cygwin's ssh-keygen instead worked fine. The key should have no
passphrase, otherwise you'll still be prompted for a password.
greg -at- reliabledesigns.com
24-Sep-2002 21:01 
It is possible to use keys with passwords (without having to input the
password every time), if you are ssh'ing from a linux/unix box.

See the bash script "keychain" and the information on ssh-agent at
http://www-106.ibm.com/developerworks/library/l-keyc2/
07-Apr-2003 14:32 
An article discussing ssh'ing between servers using only public/private
keypairs, and no passwords, is here:

http://www.devshed.com/Server_Side/Administration/Tunnelling/page3.html
user -at- example.com
30-Apr-2003 15:11 
I failed with PuTTY but succeeded with CygWin.  Run CygWin setup to tell
it where to look for your private key, then go back to the CygWin shell
prompt and type
ssh yourusername@modwest.com
30-Apr-2003 18:33 
CygWin is a Unix emulator for Windows.

I successfully used it to connect via ssh after more user-friendly
alternatives didn't work for me. 

To get public/private key files, I ran ssh-keygen under Cygwin, then
uploaded the public file to /.ssh/authorized_keys2 (as recommended
elsewhere on these support pages).  I also ran CygWin setup to tell it
where I was keeping my private key.

Then all I had to do was return to the CygWin prompt and do:

    ssh myusername@modwest.com 

and I was in.
11-Dec-2003 14:38 
Could successfully populate a CVS repository with PuTTY and WinCvs using
the
excellent notes at anders.fix.no/cvs/wincvs-ssh.
Only one glitch, notes mention file authorized_keys, one must use
authorized_keys2
Regards
user -at- example.com
28-Jan-2005 14:25 
For the time being, CVS only users cannot use authenticated key pairs to
login.  They will have to type their password.
08-Mar-2005 17:07 
Since the SSH1 protocol is not used anymore, you don;t need to call your
file "authorized_keys2" anymore (signifyign SSH2 protocol). You can call
the file just "authorized_keys" now.
17-Oct-2006 21:40 
Suppose you need multiple people coming from multiple different hosts to
be able to get into a single account using ssh keys.

Each person follows the first part of this FAQ to generate a public and
private key pair (if they don't have one already). 

Then only the first person creates the file "/.ssh/authorized_keys2" by
following the 2nd half of the instructions in this FAQ.

Everyone else will just copy the contents of their own id_dsa.pub file
from their local computer and paste it on a new line into the
authorized_keys2 file that is on the server.

Each line of the authorized_keys2 file on the server will be very long
and look similar to:

    ssh-dss AKJHSHS/verylongline== some-user@local-hostname

Each line in the authorized_keys2 file on the server corresponds to a
user who can get into the account from a remote host. The remote user's
remote username and remote hostname are printed at the end of each line.

If you have 10 users that can get into the account, the file will have
10 lines in it, each one filled with an individual's public key info.

william.knight -at- gmail.com
19-May-2008 22:27 
Using ssh-keygen from Cygwin worked for me as well. As mentioned in a
previous note, you can still use it with a passphrase and get remote
access by using ssh-agent. Having key pairs without a passphrase doesn't
seem like a good idea to me.

Use ssh-agent to start a new bash session, and then do ssh-add to enter
your passphrase only once at the start of the session:

$ssh-agent bash
$
...(you're in a new subshell now)
$ssh-add
(prompts for passphrase)
$
...
$ssh user@shell.modwest.com
(should get in without prompts)
remote$
...(do stuff in remote shell)
remote$exit
$
...
(do stuff in local shell)
...
$ssh user@shellmodwest.com
(should get in without prompts again)
remote$

and so on...
add a note

Related Questions:


What is a good SSH or Telnet program for me to use?

How do I change the timezone for my account?

Do you support SCP?

Can I use gcc or a compiler?

How do I run a script in a restricted shell?

How can I make Pico my default editor instead of Vi?

Do I get a shell with my account?

What if I need a certain program installed in my bin?

Can I have Emacs?

Can I have Eggdrop or run some other bot or daemon?

How can I kill off my processes on the shell server?

Do I get root access?

Browse Categories:

Getting Started, FTP, Telnet/SSH, Moving Domains, E-mail, Traffic Reports, Mailing Lists, Apache, PHP, CGI, Other Server-Side Scripting, MySQL Database, Imaging Libraries, Other Software, Billing & Terms, Control Panel, E-commerce, Pre-Sales


Tiny Modwest Logo         Copyright 2000-2008 by Modwest, Inc.          About Us    |    Blog    |    Jobs    |    Web Design    |    Contact Us