SPY HILL Research
Spy-Hill.com

Poughkeepsie, New York [DIR] [UP]

Using Public Key Authentication with SSH


Public key authentication is more secure than simple password exchange for authentication. Public key authentication can also be used to allow you to log-in over a dial-up line without having to present a password, even though you may never have the same IP address (as, for example, using ppp).
Last updated: 26 April 2006

Public Key Authentication is based on Public Key encryption, (or "asymetric key encryption"). Here is a rough idea of how it works: You first generate a pair of encryption keys, the "public" key and the "private" key. Messages encrypted with the private key can only be decrypted by the public key, and vice-versa. You keep your private key on your local machine, and put the public key in a list of authorized hosts on the remote machine. When you attempt to log-in to the remote host it sends you a brief message, encrypted with your public key. If you can decrypt the message (and you send back some proof that you have done so) then that proves that you must possess the private key, and you are allowed in. See the ssh manual page for further details.


Unix Set-up:

Here is how to set things up to use public key authentication with ssh on Unix:
  1. Enter the command
    % ssh-keygen -t dsa
    to generate a public/private pair of DSA keys. (Here "% represents the Unix prompt and is not part of the command.) They will be put in your directory ~/.ssh/ , though you will be asked to approve or change this location. You can say "rsa" if you prefer an RSA key.

    When you generate the keys you will be asked for a "pass phrase". A pass phrase is like a password, but it can be longer than a simple password. (Remember, Unix login passwords are only 8 characters long!) If you use a pass phrase then you will have to enter it each time you use the keys for authentication. That is, you will have to type in the pass phrase everytime you log in, just as you would with a password.

    If you don't enter a pass phrase (just press the RETURN key) then you will be allowed to log-in without having to enter a pass phrase. This is slighly less secure, but it can be really useful!

    The private key is in a file called id_dsa, while the public key is in a file called id_dsa.pub.

  2. Copy the public key to the remote host you wish to access and add it to the file authorized_keys in your ~/.ssh/ directory. (If that file does not exist then you should create it.)

    Anybody listed in the authorized_keys file (via their public key) is allowed to log-in, provided that they can prove that they possess the corresponding private key. Thus if you have the private key in your .ssh/ directory on your home machine you'll be allowed in.


Key Security

It is really useful to be able to log-in without having to type a pass phrase, but there is an extra security risk involved. If someone is able to obtain a copy of your private key (the file ~/.ssh/id_dsa), and it is not protected with a pass phrase, then they can use it to impersonate you and log-in to the remote host. In contrast, if you also use a pass phrase then the private key is of no use to them. The private key is itself encrypted using the pass phrase and cannot be used unless decrypted using the correct pass phrase. The point of all this is:

BE SURE TO PROTECT YOUR PRIVATE KEYS!

Non-Unix clients

SSH client programs on other operating systems, such as NiftyTelnet for MacOS 9, are not able to generate public/private key pairs. But that's not much of a problem. You can still run ssh-keygen on a Unix machine and then copy both the public and private keys to the appropriate places, and public key authentication from that client will work just fine!  

  Copyright © 2006 by Spy Hill Research http://www.Spy-Hill.com/myers/help/PublicKey.html (served by Islay.spy-hill.com) Last modified: 26 April 2006