Indiana University
University Information Technology Services
  

In SSH and SSH2 for Unix, how do I set up public key authentication?

Note: This document assumes that you are using OpenSSH on the client and remote computers (this is generally the case on the UITS central systems at Indiana University). If you are using a different SSH version such as that available from SSH Communications Security, the process outlined below may not be correct.

Public key authentication is an alternative security method to using passwords. To use public key authentication, you must create two files: a public key and a private key. Your public key is distributed to host computers you log into. This allows you to log in or transfer files without having to send a password to the remote host.

To set up public key authentication in SSH or SSH2 for Unix, do the following:

  1. Create a public and private key pair for the protocol you want to use. To create a key pair for use by SSH2, enter:

    ssh-keygen -t dsa

    To create a key pair for use by SSH, enter:

    ssh-keygen -t rsa1

    Note: For security reasons, UITS strongly recommends using SSH2 when available instead of SSH.

    You will be prompted to supply a file in which to save the key and a passphrase. You may alternatively press Enter through each of these prompts. If you do so, the key generation program will assume that you wish to use the default file name of id_dsa and your private key will not be protected by a passphrase.

    Note: UITS strongly recommends that you enter a passphrase when generating a public and private key pair. If you choose not to use a passphrase, anyone who gains access to your private key can authenticate to your account without a password.

    The key generation program will create a private key in a file with the name you specified and a public key with the same name, plus a .pub extension.

  2. Copy your public key to the remote host by entering:

    scp ~/.ssh/filename.pub hostname:

    Replace hostname with the name of the remote host and filename.pub with the name of the file containing your public key (this will end in the .pub extension).

  3. Connect to the remote host using your password for authentication. If the authorized_keys file doesn't exist, create it with the following commands:

    mkdir -p ~/.ssh
    touch ~/.ssh/authorized_keys

    If the directory and file do exist, running these commands will not damage them.

  4. On the remote host, add your public key to the authorized_keys file, with the following command:

    cat ~/filename.pub >> ~/.ssh/authorized_keys

    Replace filename.pub with the name of the file containing your public key (this will end in the .pub extension).

  5. If you want, you can now delete the public key file from your account on the remote host by entering the following:

    rm ~/filename.pub

    If you would prefer to keep a copy of this file in your account, you can move it to the .ssh subdirectory by entering:

    mv filename.pub ~/.ssh/

    In both cases, replace filename.pub with the name of the file containing your public key.

Note: Follow steps 2-5 for each remote host you want to log into using public key authentication.
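
Steps 3 and 4 as a single shell function, written for this page as an added example (it is not UITS's own script): it creates ~/.ssh and authorized_keys with owner-only permissions, refuses a file that contains a private key, and skips a key line that is already installed. The function name install_pubkey and its optional second argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page): steps 3 and 4 as one function,
# to be run on the remote host after the public key has been copied there.
# Usage: install_pubkey ~/filename.pub
# The optional second argument (hypothetical, for testing) overrides ~/.ssh.
install_pubkey() {
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Only the .pub file belongs on the remote host. Refuse the private half.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub contains a private key; not installing it" >&2
        return 2
    fi

    # Step 3: create the directory and file if missing, owner-only access.
    # With StrictModes (on by default) sshd refuses to use authorized_keys
    # when the file or ~/.ssh is writable by other users.
    mkdir -p "$dir" && chmod 700 "$dir" || return 3
    touch "$auth" && chmod 600 "$auth" || return 3

    # Step 4: append each key line unless that exact line is already present,
    # so repeating the procedure does not pile up duplicate entries.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    done < "$pub"
}
```
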

The next time you make an SSH or SSH2 connection to the remote host, you will be prompted for the passphrase for your private key (if you supplied one). This passphrase is not sent to the remote host. If you did not supply a passphrase for your private key, you will not receive a request for a password when connecting to the remote host.

At Indiana University, for personal or departmental Linux or Unix systems support, see At IU, how do I get support for Linux or Unix?

This is document aews in domain all.
Last modified on May 13, 2009.
