
In SSH and SSH2 for Unix, how do I set up public key authentication?

Note: The information in this document assumes you are using OpenSSH on the local and remote systems (this is generally the case on the UITS central systems at Indiana University). If you are using a different SSH version, such as one available from Tectia, the process outlined below may not be correct.

Public key authentication is an alternative to password authentication. To use it, you generate a key pair: a public key and a private key. You store your public key on each remote host on which you have an account. Your private key stays on the computer you use to connect to those remote hosts. This method allows you to log into those remote hosts, and transfer files to them, without using your account passwords.

To set up public key authentication in SSH or SSH2 for Unix:

  1. On the computer you'll use to access the remote host, generate a key pair for the protocol you want to use:

    • To create a key pair for SSH2, enter: ssh-keygen -t dsa
    • To create a key pair for SSH, enter: ssh-keygen -t rsa1

    Note: For security reasons, UITS strongly recommends using SSH2 instead of SSH whenever possible.

  2. You will be prompted to supply a filename (for saving the key pair) and a password (for your private key). If you press Enter or Return through each of these prompts, the key generation program will assume:

    • You want to use the default filename (e.g., id_dsa for SSH2).
    • You do not want to password-protect your private key.

    Note: UITS strongly recommends using a password to protect your private key. If your private key is not password protected, another person can conceivably access your computer and then connect to your account on the remote host (where your public key is saved) without entering a password.

  3. The key generation program will create the key pair, including:

    • A private key that has the filename you specified (e.g., filename) or the default filename (e.g., id_dsa)
    • A public key that has the same filename with a .pub extension added (e.g., filename.pub or id_dsa.pub)

  4. Use SCP to copy your public key file (e.g., filename.pub) to your account on the remote host (e.g., dvader@deathstar.com). To do so, enter: scp ~/.ssh/filename.pub dvader@deathstar.com:
  5. Log into the remote host using your account username and password. If your account doesn't already contain a ~/.ssh/authorized_keys file, create one. To do so, use the following commands:

    mkdir -p ~/.ssh
    touch ~/.ssh/authorized_keys

    Note: If your account already has ~/.ssh/authorized_keys, executing these commands will not damage the existing directory or file.

  6. On the remote host, add your public key (e.g., filename.pub) to the ~/.ssh/authorized_keys file; at the command line, enter: cat ~/filename.pub >> ~/.ssh/authorized_keys
  7. You may now safely delete the public key file (e.g., filename.pub) from your account on the remote host. To do so, at the command prompt, enter: rm ~/filename.pub

    If you prefer to keep a copy of your .pub file (e.g., filename.pub) on the remote host, move it to the .ssh directory. To do so, at the command prompt, enter:

    mv filename.pub ~/.ssh/

Note: Follow steps 4-7 for each remote host on which you want to use public key authentication.
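The remote-host half of steps 5 through 7 can be scripted so that it is safe to run once per key and once per host. The following is an added example, not from the original IU document: it appends a public key to ~/.ssh/authorized_keys only if that key is not already there, and sets the owner-only permissions that OpenSSH's sshd checks before it will accept the file (StrictModes, on by default). SAMPLE_PUBKEY, install_pubkey, count_key_entries and demo are names chosen for this example, and the key value is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the IU KB page): remote-host side of steps 5-7,
# made safe to re-run, plus the permission settings sshd expects.
# SAMPLE_PUBKEY is a constructed placeholder, not a real key.
SAMPLE_PUBKEY='ssh-dss AAAAB3CONSTRUCTEDPLACEHOLDERKEY dvader@localhost'

# install_pubkey PUBKEY_FILE [HOME_DIR]
# Appends each key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys unless a
# line with the same key type and key blob is already there, then restricts
# permissions. Returns 0 on success, 1 if PUBKEY_FILE cannot be read.
install_pubkey() {
    pubfile=$1
    home=${2:-$HOME}
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"
    [ -r "$pubfile" ] || { echo "cannot read $pubfile" >&2; return 1; }
    # Step 5: create the directory and file if missing; harmless otherwise.
    mkdir -p "$sshdir"
    touch "$authfile"
    # Step 6, made idempotent: compare fields 1 and 2 (type and blob) so a
    # changed trailing comment does not produce a duplicate entry.
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        set -- $line
        grep -q -F -- "$1 $2" "$authfile" || printf '%s\n' "$line" >> "$authfile"
    done < "$pubfile"
    # With StrictModes on, sshd ignores authorized_keys if the directory or
    # file is group- or world-writable, so lock both down to the owner.
    chmod 700 "$sshdir"
    chmod 600 "$authfile"
}

# count_key_entries AUTHFILE: prints the number of non-comment key lines.
count_key_entries() {
    grep -c -v -e '^#' -e '^$' "$1"
}

# Demo: stands in for "scp ... dvader@deathstar.com:" by writing the
# constructed key into a scratch home directory, then installs it twice.
demo() {
    scratch=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PUBKEY" > "$scratch/id_dsa.pub"
    install_pubkey "$scratch/id_dsa.pub" "$scratch"
    install_pubkey "$scratch/id_dsa.pub" "$scratch"   # second run adds nothing
    echo "entries: $(count_key_entries "$scratch/.ssh/authorized_keys")"   # entries: 1
    rm -r "$scratch"
}
demo
```

On the real remote host, call install_pubkey with the path of the .pub file you copied in step 4 and omit the second argument so your actual home directory is used.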

The next time you use SSH or SSH2 on the computer that has your private key to connect to a remote host that has your public key:

  • If you supplied a password when generating your private key, the remote host will prompt you for your private key password.

    Note: Your private key password is not transmitted to the remote host.

  • If you did not supply a password when generating your private key, the remote host will not prompt you for a password.

At Indiana University, for personal or departmental Linux or Unix systems support, see At IU, how do I get support for Linux or Unix?

This document was developed with support from National Science Foundation (NSF) grant OCI-1053575. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the NSF.

This is document aews in domains all and xsede-all.
Last modified on April 18, 2013.
