Configure Public Key User Authentication
Public key authentication requires both client and server configuration. Here's a quick summary of the important steps. The details are explained in the procedures that follow.
- Create a key pair on the client.
- Add a line to the client identification file ($HOME/.ssh2/identification) that identifies the private key.
- Copy the public key to the user's directory on the server ($HOME/.ssh2).
- Add a line to the user's authorization file ($HOME/.ssh2/authorization) on the server that identifies the public key.
To configure public key authentication on the client
- (Optional) Modify the client's AllowedAuthentications setting.
Because public key authentication is allowed by default, this step is required only if you want to change this default. To modify the supported authentications, open the client configuration file (/etc/ssh2/ssh2_config). For example, to require public key authentication use:
- Generate a public/private key pair using the ssh-keygen utility.
For example, the following command creates a default (2048-bit RSA) key pair (mykey and mykey.pub) in the current working directory. You are prompted to enter a passphrase during the key creation process. If you provide a passphrase, you will need to use it whenever you authenticate using this key.
The next example uses -P to create a key that is not passphrase-protected. This option is less secure, but may be desirable for use with scripts and batch files. The -t specifies key type (DSA in this example). Because no key name is specified, the key is created using a default name and location, ($HOME/.ssh2/id_dsa_1024_myhost_a for this example, where myhost is the system's host name as returned by the hostname command).
ssh-keygen -P -t dsa
- Create or edit the client identification file.
The default name and location for this file is $HOME/.ssh2/identification. The identification file contains a list of one or more private keys held by a client user. Any listed key can be used by the client for user authentication. If more than one key is listed, the client tries the first key in the list, then continues trying the other keys in order. If no path information is provided, the client looks for listed keys in $HOME/.ssh2/. The format for key entries is IdKey, followed by the private key name. For example:
To configure public key authentication on the server
- (Optional) Modify the server's AllowedAuthentications or RequiredAuthentications settings.
Because public key authentication is allowed by default, this step is required only if you want to change the default settings. To modify the supported authentications, open the server configuration file (/etc/ssh2/sshd2_config). For example, to require public key authentication, use:
- Copy the client public key to the user-specific configuration directory on the server. The default location is $HOME/.ssh2.
- Create or edit the key authorization file for this user on this server. The default name and location for this file is $HOME/.ssh2/authorization.
This file contains a list of the keys the server accepts for user authentication. Add a line for the public key you just copied. The format for key entries is Key followed by the public key name. For example:
Any listed key can be used by the server for user authentication. Keys are assumed to be in the user-specific configuration directory (by default, $HOME/.ssh2/) unless you specify an absolute path. If the key presented by the client doesn't match any of the keys listed in the authorization file, public key authentication fails.