Configure Public Key User Authentication
Public key authentication requires both client and server configuration. Here's a quick summary of the important steps. The details are explained in the procedures that follow.
- Create a key pair on the client.
- Add a line to the client identification file (~/.ssh2/identification) that identifies the private key.
- Copy the public key to the user's directory on the server (~/.ssh2).
- Add a line to the user's authorization file (~/.ssh2/authorization) on the server that identifies the public key.
Note: To help ensure secure authentication, and prevent tampering, information leakage and spoofing, files and directories used by the client and server must be configured with correct permissions and ownership. If these conditions aren't met, Secure Shell connections and public key authentication may fail. For details, see File and Directory Permissions.
To configure public key authentication on the client
- (Optional) Modify the client's AllowedAuthentications setting.
Because public key authentication is allowed by default, this step is required only if you want to change this default. To modify the supported authentications, open the client configuration file (/etc/ssh2/ssh2_config). For example, to require public key authentication use:
- Generate a public/private key pair using the ssh-keygen utility.
For example, the following command creates a default (2048-bit RSA) key pair (mykey and mykey.pub) in the current working directory. You are prompted to enter a passphrase during the key creation process. If you provide a passphrase, you will need to use it whenever you authenticate using this key.
The next example uses -P to create a key that is not passphrase-protected. This option is less secure, but may be desirable for use with scripts and batch files. The -t specifies key type (DSA in this example). Because no key name is specified, the key is created using a default name and location, ($HOME/.ssh2/id_dsa_1024_myhost_a for this example, where myhost is the system's host name as returned by the hostname command).
ssh-keygen -P -t dsa
- Create (or edit) the client identification file. The default name and location for this file is ~/.ssh2/identification. Configure this file for user-only write access (600 is recommended).
- In the identification file, add a line for the private key you just created. The format for key entries is IdKey, followed by the private key name. For example:
Note: If no path information is provided, the client looks for listed keys in ~/.ssh2/.
To configure public key authentication on the server
- (Optional) Modify the server's AllowedAuthentications or RequiredAuthentications settings.
Because public key authentication is allowed by default, this step is required only if you want to change the default settings. To modify the supported authentications, open the server configuration file (/etc/ssh2/sshd2_config). For example, to require public key authentication, use:
- Copy the client public key to the user-specific configuration directory on the server. The default location is ~/.ssh2.
- Create (or edit) the key authorization file for this user on this server. This file contains a list of the keys the server accepts for user authentication. The default name and location is ~/.ssh2/authorization. Configure this file for user-only write access (600 is recommended).
- In the authorization file, add a line for the public key you just copied. The format for key entries is Key followed by the public key name. For example:
Any listed key can be used by the server for user authentication. Keys are assumed to be in the user-specific configuration directory (by default, ~/.ssh2/) unless you specify an absolute path. If the key presented by the client doesn't match any of the keys listed in the authorization file, public key authentication fails.