Public key authentication with SSH. Both with and without a password.

This article runs through quick and easy examples for setting up public key authentication with SSH. I will include one example that requires a password and one that does not. The latter is typically used for scripts.

I will assume you know why you want to use one or the other. Keep in mind that public key authentication can only be set up on a per user/system basis.

Public key authentication without a password

This is the least secure option. It all boils down to how well secured your private key (.ssh/id_dsa) is.

  1. Create a key pair. (Private & public key)
  2. Copy the public key to the remote system.
  3. Log on the remote system.

Create a key pair

[user@localsystem ~]$ ssh-keygen -t dsa

Here’s what you’ll see when you run through this procedure. (“Press [ENTER]” are my comments)

[user@localsystem ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa): Press [ENTER]
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase): Press [ENTER]
Enter same passphrase again: Press [ENTER]
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
29:d1:34:6c:53:2b:96:e6:ea:28:fd:c5:3a:cb:0f:65 user@localsystem
The key's randomart image is:
+--[ DSA 1024]----+
|       .o..      |
|       o+o .     |
|      ..*..      |
|       = o       |
|      . E        |
|       *         |
|   .  o o        |
|  . .+.+         |
|   ...*+.        |
+-----------------+

Copy the public key to the remote system

[user@localsystem ~]$ ssh user@remotesystem

If you don’t set the permissions in this step, SSH will refuse the public key, even if it’s there, due to bad ownership.

[user@remotesystem ~]$ mkdir .ssh
[user@remotesystem ~]$ touch .ssh/authorized_keys
[user@remotesystem ~]$ chmod -R u=rwx,go= .ssh
[user@remotesystem ~]$ exit
[user@localsystem ~]$ scp ~/.ssh/id_dsa.pub user@remotesystem:.ssh/authorized_keys

Enter your password when asked, and you’re done.

Log on the remote system

[user@localsystem ~]$ ssh user@remotesystem

Public key authentication with password

This is the route you want to go. Once done, you should also disable password-only logins. Do this by editing the /etc/ssh/sshd_config file and adding or modifying the parameter “PasswordAuthentication no”. Also make sure “PubkeyAuthentication” is set to “yes”.

  1. Create a key pair. (Private & public key)
  2. Copy the public key to the remote system.
  3. Log on the remote system.

Create the key pair

[user@localsystem ~]$ ssh-keygen -t dsa

Here’s what you’ll see when you run through this procedure. (“[Your Password]” and “Press [ENTER]” are my comments)

[user@localsystem ~]$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/user/.ssh/id_dsa): Press [ENTER]
Created directory '/home/user/.ssh'.
Enter passphrase (empty for no passphrase): [Your Password]
Enter same passphrase again: [Your Password]
Your identification has been saved in /home/user/.ssh/id_dsa.
Your public key has been saved in /home/user/.ssh/id_dsa.pub.
The key fingerprint is:
29:d1:34:6c:53:2b:96:e6:ea:28:fd:c5:3a:cb:0f:65 user@localsystem
The key's randomart image is:
+--[ DSA 1024]----+
|       .o..      |
|       o+o .     |
|      ..*..      |
|       = o       |
|      . E        |
|       *         |
|   .  o o        |
|  . .+.+         |
|   ...*+.        |
+-----------------+

Copy the public key to the remote system

[user@localsystem ~]$ ssh user@remotesystem

If you don’t set the permissions in this step, SSH will refuse the public key, even if it’s there, due to bad ownership.

[user@remotesystem ~]$ mkdir .ssh
[user@remotesystem ~]$ touch .ssh/authorized_keys
[user@remotesystem ~]$ chmod -R u=rwx,go= .ssh
[user@remotesystem ~]$ exit
[user@localsystem ~]$ scp ~/.ssh/id_dsa.pub user@remotesystem:.ssh/authorized_keys

Enter your password when asked, and you’re done.

Log on the remote system

[user@localsystem ~]$ ssh user@remotesystem
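Both procedures depend on file modes: the server refuses the public key when the permissions are wrong, and the private key is only as safe as its own mode. The script below is an added example, not part of the original article, that audits both sides. The function names are hypothetical, and the rules it applies assume OpenSSH's default StrictModes check on the server and the client's private key mode check.

```sh
#!/bin/sh
# Added example, not from the original article.
# Usage (after sourcing this file): audit_ssh_home "$HOME"

# any_bit PATH MODE...: succeeds if PATH has every bit of at least one MODE set.
any_bit() {
    _p=$1; shift
    for _m in "$@"; do
        [ -n "$(find "$_p" -prune -perm "-$_m" -print)" ] && return 0
    done
    return 1
}

# owned_ok PATH: succeeds if PATH belongs to the current user or to root.
owned_ok() {
    [ -n "$(find "$1" -prune \( -user "$(id -u)" -o -user 0 \) -print)" ]
}

# Prints one "BAD ..." line per finding; returns 0 if clean, 1 otherwise.
audit_ssh_home() {
    home=$1; rc=0
    # Server side: these three paths must not be group/world-writable and must
    # belong to the account (or root), or sshd ignores authorized_keys.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        any_bit "$p" 020 002 && { echo "BAD group/other-writable: $p"; rc=1; }
        owned_ok "$p" || { echo "BAD owner: $p"; rc=1; }
    done
    # Client side: a private key (a file with a matching .pub) must give no
    # access at all to group or other; this matters most without a passphrase.
    for pub in "$home"/.ssh/*.pub; do
        key=${pub%.pub}
        [ -f "$key" ] || continue
        any_bit "$key" 040 020 010 004 002 001 &&
            { echo "BAD private key readable by others: $key"; rc=1; }
    done
    return $rc
}
```

Run it on the remote system to see why a key is being refused, and on the local system to confirm the private key is not exposed to other accounts.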

Tip

You can later change the password for your keys by using

[user@localsystem ~]$ ssh-keygen -p

// CrashMAG