SSH: Replacing .rhosts Authentication With a Key-Pair
On December 18, 2002, ECN installed OpenSSH version 3.5p1 over the previous OpenSSH version 3.4p1. In the process, the new version of SSH was installed without root privileges. Without the root privileges, SSH cannot log on to an account without asking for authentication if the authentication was using a .rhosts file in the home directory of the account.
Since .rhosts is no longer possible, this document will describe how to set up an alternate form of authentication based on public and private encryption keys.
Step By Step Instructions
In order to authenticate using public and private keys, perform the following steps:
- Create a key-pair on the client workstation.
- Add the public-key of the key-pair on the server.
- Test logging on to the server from the client.
Create a key-pair on the client workstation
From the client workstation, create a key-pair using the ssh-keygen command. This command will compute a key-pair and deposit the key-pair into the .ssh directory. To do this, enter the following command.
It is very important to use a passphrase when creating the key-pair!
titanic.ecn.purdue.edu% ssh-keygen -trsa -b2048 Generating public/private rsa key pair. Enter file in which to save the key (/home/titanic/a/cstest/.ssh/id_rsa): press enter Enter passphrase (empty for no passphrase): enter passphrase Enter same passphrase again: enter passphrase Your identification has been saved in /home/titanic/a/cstest/.ssh/id_rsa. Your public key has been saved in /home/titanic/a/cstest/.ssh/id_rsa.pub. The key fingerprint is: 37:f8:3d:e7:b1:75:9c:70:4f:6f:16:0c:72:72:bb:51 firstname.lastname@example.org titanic.ecn.purdue.edu%
Add the public-key of the key-pair on the server
From the server, add the public key to the list of keys authorized to use the account. This is similar the .rhosts file, but instead of listing the host-user pairs that are authorized to log on to the server account, a different file called .ssh/authorized_keys2 is used. Each line in the .ssh/authorized_keys2 lists the public-keys that are authorized to log on to the server account. Then only those users have a copy of the key-pair will be authorized to use the server account. There can be multiple public keys listed in the file.
titanic.ecn.purdue.edu% slogin pier cstest@pier's password: UNIX password Last login: Sat Dec 14 08:33:21 2002 from titanic.ecn.pur SunOS pier.ecn.purdue.edu 5.8 Generic_108528-15 sun4u sparc SUNW,Ultra-4 --> LOCAL NEWS <-- pier.ecn.purdue.edu% cd .ssh pier.ecn.purdue.edu% scp titanic:.ssh/id_rsa.pub new-key cstest@titanic's password: UNIX password id_rsa.pub 100% |*****************************| 411 00:00 pier.ecn.purdue.edu% cat new-key >>authorized_keys2 pier.ecn.purdue.edu% ^D Connection to pier closed. titanic.ecn.purdue.edu%
Test logging on to the server from the client
Test to see that key-pair authentication is working. This time when logging on to the server, instead of prompting for the UNIX password, ssh will prompt for the passphrase used to encrypt the private key of the key-pair. If the right passphrase is entered, the server ought to authorize the log-on because (1) it knows that the public-key is allowed access by being listed in the .ssh/authorized_keys2 file, and (2) that the client ssh program knew the private key.
titanic.ecn.purdue.edu% slogin pier Enter passphrase for key '/home/titanic/a/cstest/.ssh/id_rsa': enter passphrase Last login: Mon Jan 6 13:10:32 2003 from titanic.ecn.pur SunOS pier.ecn.purdue.edu 5.8 Generic_108528-15 sun4u sparc SUNW,Ultra-4 --> LOCAL NEWS <-- pier.ecn.purdue.edu%
This shows the basic set up going from one workstation to another server using the same account. The .ssh/authorized_keys2 can list the public-keys coming from any workstation or account, or from UNIX or Windows client computers. It is also possible to use the ssh-agent program to store the private-key so that multiple invocations of ssh can execute without reprompting for the passphrase. See the ssh manual pages for more information.
Last modified: 2015/04/21 11:14:57.260179 GMT-4 by
Created: 2007/11/06 13:56:2.895000 US/Eastern by brian.r.brinegar.1.
Type in a few keywords describing what information you are looking for in the text box below.