Friday, November 11, 2011

OpenSSH Public Key Authentication

Secure SHell is awesome. I think it is one of the most valuable, yet taken for granted tools in Sysadmin's arsenal. This post is about Public Key Authentication, a feature that makes remote access of multiple systems not only faster, but also more secure.

I won't talk about how public keys work. If you don't know it yet, you could learn more here. The point is, I use Public Key Authentication (PKA) very often, on all types of OS, to connect to a large variety of hosts. So here are my preferred ways to set it up.

On Unix / Linux / Mac OS X with OpenSSH

Generate your key pair with:

ssh-keygen -t rsa -b 4096 -C "sergei@MacBookPro"

Argument -t specifies the type of key you're creating (go with RSA), -b is the encryption level (I'm doubling the default value here), -C adds a comment to the public key (now it's easy to ID my key on the remote host).

After some time you'll be prompted for keys name / location and the passphrase. Make the phrase a long one if you want good security, it stops bad people from using your key. A sentence or two from a song / poem / story you like, with punctuation and capitalization will make it more secure, and more memorable, than randomly generated password.

In some special cases you can just hit "Enter" for password-less key. Less secure, but very useful for some automated tasks.

By default, private and public keys id_rsa and respectively, should now be inside .ssh directory in your current user's home directory.

Append contents of your public key into the authorized_keys file in the remote host's .ssh directory with either:

cat ~/.ssh/ | ssh 'cat >> .ssh/authorized_keys'

or, if ssh-copy-id is available on your system, with:


On Windows with PuTTY

puttygen.exe utility from the excellent PuTTY suite will allow you to generate private and public keys keyname.ppk and Note: PuTTY saves public key in SSH-2 format, but it will also give you the OpenSSH format version. Run the utility and do the following:
  1. select "SSH-2 RSA" as type of key to generate
  2. enter 4096 in the "Number of bits in a generate key field"
  3. click "Generate" button

PuTTYgen will start generating your key. Move your mouse in random manner over the blank area until the bar is full.

Now to finalize your key:
  1. enter your key comment
  2. enter your strong passphrase (or leave it empty if required)
  3. save a copy of your private and/or public key (in SSH-2 format) to some secure location
  4. Right click, "Select all" and copy your public key (in OpenSSH format) to append it to authorised_keys file on remote host

You can now configure a PuTTY session to use your private key, or load it automatically on start up with Pageant.

And done...

You should now be able to log into your remote machine using public key authentication.

Sometimes this won't work if your your home directory, your .ssh. directory, and other related files are group- or world-writable. If you're getting a "Permission denied (publickey)" error, try doing the following on your remote host:

chmod go-w ~/
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys

For more information check out these helpful links: