SSH: Replacing .rhosts Authentication With a Key-Pair

by Curtis Smith

Introduction

On December 18, 2002, ECN installed OpenSSH version 3.5p1 over the previous OpenSSH version 3.4p1. In the process, the new version of SSH was installed without root privileges. Without root privileges, SSH can no longer log on to an account without prompting for authentication when that account relied on a .rhosts file in its home directory.

Since .rhosts authentication is no longer possible, this document describes how to set up an alternate form of authentication based on a public and private encryption key-pair.

Step By Step Instructions

In order to authenticate using public and private keys, perform the following steps:

  1. Create a key-pair on the client workstation.
  2. Add the public-key of the key-pair on the server.
  3. Test logging on to the server from the client.

Create a key-pair on the client workstation

From the client workstation, create a key-pair using the ssh-keygen command. This command will compute a key-pair and deposit the key-pair into the .ssh directory. To do this, enter the following command.

It is very important to use a passphrase when creating the key-pair!

titanic.ecn.purdue.edu% ssh-keygen -trsa -b2048
Generating public/private rsa key pair.
Enter file in which to save the key (/home/titanic/a/cstest/.ssh/id_rsa): press enter
Enter passphrase (empty for no passphrase): enter passphrase
Enter same passphrase again: enter passphrase
Your identification has been saved in /home/titanic/a/cstest/.ssh/id_rsa.
Your public key has been saved in /home/titanic/a/cstest/.ssh/id_rsa.pub.
The key fingerprint is:
37:f8:3d:e7:b1:75:9c:70:4f:6f:16:0c:72:72:bb:51 cstest@titanic.ecn.purdue.edu
titanic.ecn.purdue.edu% 

Add the public-key of the key-pair on the server

From the server, add the public key to the list of keys authorized to use the account. This is similar to the .rhosts file, but instead of listing the host-user pairs that are authorized to log on to the server account, a different file called .ssh/authorized_keys2 is used. Each line in .ssh/authorized_keys2 lists one public key that is authorized to log on to the server account. Only users who hold the matching private key of the key-pair will then be authorized to use the server account. There can be multiple public keys listed in the file.

titanic.ecn.purdue.edu% slogin pier
cstest@pier's password: UNIX password
Last login: Sat Dec 14 08:33:21 2002 from titanic.ecn.pur
SunOS pier.ecn.purdue.edu 5.8 Generic_108528-15 sun4u sparc SUNW,Ultra-4


                               --> LOCAL NEWS <--
pier.ecn.purdue.edu% cd .ssh
pier.ecn.purdue.edu% scp titanic:.ssh/id_rsa.pub new-key
cstest@titanic's password: UNIX password
id_rsa.pub           100% |*****************************|   411       00:00    
pier.ecn.purdue.edu% cat new-key >>authorized_keys2
pier.ecn.purdue.edu% ^D
Connection to pier closed.
titanic.ecn.purdue.edu% 

Test logging on to the server from the client

Test to see that key-pair authentication is working. This time when logging on to the server, instead of prompting for the UNIX password, ssh will prompt for the passphrase used to encrypt the private key of the key-pair. If the right passphrase is entered, the server ought to authorize the log-on because (1) it knows that the public key is allowed access by being listed in the .ssh/authorized_keys2 file, and (2) the client ssh program has proven that it knows the matching private key.

titanic.ecn.purdue.edu% slogin pier
Enter passphrase for key '/home/titanic/a/cstest/.ssh/id_rsa': enter passphrase
Last login: Mon Jan  6 13:10:32 2003 from titanic.ecn.pur
SunOS pier.ecn.purdue.edu 5.8 Generic_108528-15 sun4u sparc SUNW,Ultra-4


                               --> LOCAL NEWS <--
pier.ecn.purdue.edu% 
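The three steps above append a key line to authorized_keys2 by hand. Below is an added shell example (not part of the original document) that does the same install on the server side with the checks a practitioner usually wants: it refuses malformed key lines, skips a key that is already present so re-running the step does not accumulate duplicates, and sets the .ssh directory and file permissions that sshd's default StrictModes requires. The accepted key types (ssh-rsa, ssh-dss) are an assumption matching OpenSSH 3.5 of the page's era, and the key material in the demo is constructed, not a real key.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys2 safely.
set -u

# install_pubkey KEYFILE AUTHFILE
#   returns 0 if the key was appended, 1 if it was already present,
#   2 if KEYFILE's first line is not a well-formed public key.
install_pubkey() {
    keyfile=$1; auth=$2
    dir=$(dirname "$auth")
    mkdir -p "$dir"
    # sshd (StrictModes yes, the default) ignores authorized keys when the
    # directory or the file is writable by group or others.
    chmod 700 "$dir"
    touch "$auth"; chmod 600 "$auth"
    ktype=$(head -n 1 "$keyfile" | awk '{print $1}')
    kdata=$(head -n 1 "$keyfile" | awk '{print $2}')
    # Assumed accepted types for OpenSSH 3.5; extend the list for newer types.
    case "$ktype" in
        ssh-rsa|ssh-dss) ;;
        *) echo "unsupported key type: $ktype" >&2; return 2 ;;
    esac
    # The second field must be base64 key material.
    printf '%s\n' "$kdata" | grep -Eq '^[A-Za-z0-9+/]+=*$' \
        || { echo "malformed key data" >&2; return 2; }
    # Same type and key material already listed (comment may differ)?
    if awk -v t="$ktype" -v d="$kdata" \
           '$1==t && $2==d {found=1} END {exit !found}' "$auth"; then
        echo "key already present in $auth"
        return 1
    fi
    head -n 1 "$keyfile" >> "$auth"
    echo "installed $ktype key in $auth"
    return 0
}

# count_keys AUTHFILE: number of key lines, ignoring blanks and comments.
count_keys() {
    grep -cE '^(ssh-rsa|ssh-dss) ' "$1"
}

# Demonstration in a scratch directory with a constructed (fake) key line.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructedSampleNotARealKey cstest@titanic.ecn.purdue.edu\n' > "$tmp/new-key"
    install_pubkey "$tmp/new-key" "$tmp/.ssh/authorized_keys2"   # installs
    install_pubkey "$tmp/new-key" "$tmp/.ssh/authorized_keys2"   # duplicate, skipped
    count_keys "$tmp/.ssh/authorized_keys2"                        # prints 1
    rm -rf "$tmp"
}
```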

And more...

This shows the basic setup going from one workstation to another server using the same account. The .ssh/authorized_keys2 file can list public keys coming from any workstation or account, or from UNIX or Windows client computers. It is also possible to use the ssh-agent program to store the private key so that multiple invocations of ssh can execute without reprompting for the passphrase. See the ssh manual pages for more information.

Last modified: 2007/11/06 13:56:2.895000 US/Eastern by
Created: 2007/11/06 13:56:2.895000 US/Eastern by brian.r.brinegar.1.
