Notice! This document is currently in Archived status.
The content of this document may be incorrect or outdated.


SSH: Replacing .rhosts Authentication With a Key-Pair

Introduction

On December 18, 2002, ECN installed OpenSSH version 3.5p1 in place of the previous OpenSSH version 3.4p1. In the process, the new version of SSH was installed without root privileges. Without root privileges, SSH can no longer log on to an account unprompted when that account's authentication relies on a .rhosts file in its home directory.

Since .rhosts authentication is no longer possible, this document describes how to set up an alternate form of authentication based on a public/private encryption key-pair.

Step By Step Instructions

In order to authenticate using public and private keys, perform the following steps:

  1. Create a key-pair on the client workstation.
  2. Add the public-key of the key-pair on the server.
  3. Test logging on to the server from the client.

Create a key-pair on the client workstation

From the client workstation, create a key-pair using the ssh-keygen command. This command computes a key-pair and stores it in the .ssh directory. To do this, enter the following command.

It is very important to use a passphrase when creating the key-pair!

titanic.ecn.purdue.edu% ssh-keygen -trsa -b4096
Generating public/private rsa key pair.
Enter file in which to save the key (/home/titanic/a/cstest/.ssh/id_rsa): press enter
Enter passphrase (empty for no passphrase): enter passphrase
Enter same passphrase again: enter passphrase
Your identification has been saved in /home/titanic/a/cstest/.ssh/id_rsa.
Your public key has been saved in /home/titanic/a/cstest/.ssh/id_rsa.pub.
The key fingerprint is:
37:f8:3d:e7:b1:75:9c:70:4f:6f:16:0c:72:72:bb:51 cstest@titanic.ecn.purdue.edu
titanic.ecn.purdue.edu%

Add the public-key of the key-pair on the server

From the server, add the public key to the list of keys authorized to use the account. This is similar to the .rhosts file, but instead of listing the host-user pairs that are authorized to log on to the server account, a different file called .ssh/authorized_keys is used. Each line in .ssh/authorized_keys lists one public key that is authorized to log on to the server account. Only users who hold the matching private key of that key-pair will be authorized to use the server account. There can be multiple public keys listed in the file.

titanic.ecn.purdue.edu% slogin pier
cstest@pier's password: UNIX password
Last login: Sat Dec 14 08:33:21 2002 from titanic.ecn.pur
SunOS pier.ecn.purdue.edu 5.8 Generic_108528-15 sun4u sparc SUNW,Ultra-4


--> LOCAL NEWS <--
pier.ecn.purdue.edu% cd .ssh
pier.ecn.purdue.edu% scp titanic:.ssh/id_rsa.pub new-key
cstest@titanic's password: UNIX password
id_rsa.pub 100% |*****************************| 411 00:00
pier.ecn.purdue.edu% cat new-key >>authorized_keys
pier.ecn.purdue.edu% ^D
Connection to pier closed.
titanic.ecn.purdue.edu%

Test logging on to the server from the client

Test to see that key-pair authentication is working. This time when logging on to the server, instead of prompting for the UNIX password, ssh will prompt for the passphrase used to encrypt the private key of the key-pair. If the right passphrase is entered, the server ought to authorize the log-on because (1) it knows that the public key is allowed access, since it is listed in the .ssh/authorized_keys file, and (2) the client ssh program proved that it holds the matching private key.

titanic.ecn.purdue.edu% slogin pier
Enter passphrase for key '/home/titanic/a/cstest/.ssh/id_rsa': enter passphrase
Last login: Mon Jan 6 13:10:32 2003 from titanic.ecn.pur
SunOS pier.ecn.purdue.edu 5.8 Generic_108528-15 sun4u sparc SUNW,Ultra-4


--> LOCAL NEWS <--
pier.ecn.purdue.edu%
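The transcript above installs the key with a plain `cat new-key >>authorized_keys`, which appends a duplicate every time it is re-run and leaves the permissions of .ssh and authorized_keys to chance (sshd will refuse to use the file if it or its directory is writable by others). The following POSIX sh script is an added example, not part of the original ECN article: it checks that the line looks like an OpenSSH public key, creates the directory and file with the expected permissions, and appends the key only if the same key is not already present. The key material in it is constructed for illustration and is not a real key; the function and file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original article): install a public key into
# authorized_keys idempotently and with the permissions sshd expects.

# add_authorized_key FILE PUBKEY_LINE
#   FILE        path to the authorized_keys file (created if missing)
#   PUBKEY_LINE one line of the form "<keytype> <base64 body> [comment]"
#   Returns 0 when the key was appended, 2 when an identical key (same type and
#   body, comment ignored) was already present, 1 when the line is malformed.
#   Lines that begin with authorized_keys options (from=, command=, ...) are
#   not handled by this simple matcher; the page's keys carry no options.
add_authorized_key() {
    file=$1
    line=$2
    # Accept only the key types OpenSSH writes into id_*.pub files
    case $line in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) return 1 ;;
    esac
    keytype=${line%% *}
    rest=${line#* }
    body=${rest%% *}
    # The body must be non-empty base64; anything else is not a key
    case $body in
        ""|*[!A-Za-z0-9+/=]*) return 1 ;;
    esac
    dir=$(dirname "$file")
    mkdir -p "$dir"
    chmod 700 "$dir"          # StrictModes rejects a group/world-writable ~/.ssh
    touch "$file"
    chmod 600 "$file"         # and a group/world-writable authorized_keys
    # Already present? Compare type and body so a changed comment is not a new key
    if [ -s "$file" ] && awk -v t="$keytype" -v b="$body" \
            '$1 == t && $2 == b { found = 1 } END { exit !found }' "$file"; then
        return 2
    fi
    printf '%s\n' "$line" >> "$file"
    return 0
}

# count_authorized_keys FILE
#   Prints the number of key lines (non-blank, non-comment) in FILE.
count_authorized_keys() {
    awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}

# Demonstration against a temporary directory with a constructed key
# (the base64 body below is made up and is not a usable key).
demo_dir=$(mktemp -d)
demo_file="$demo_dir/.ssh/authorized_keys"
CONSTRUCTED_KEY="ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructedBodyNOTaREALkey0123456789abcdef cstest@titanic.ecn.purdue.edu"
if add_authorized_key "$demo_file" "$CONSTRUCTED_KEY"; then
    echo "key added ($(count_authorized_keys "$demo_file") key(s) in file)"
fi
if ! add_authorized_key "$demo_file" "$CONSTRUCTED_KEY"; then
    echo "same key offered again: skipped, still $(count_authorized_keys "$demo_file") key(s)"
fi
rm -rf "$demo_dir"
```

Run it as `sh install-key.sh`; to use it for real, replace the demonstration at the bottom with `add_authorized_key "$HOME/.ssh/authorized_keys" "$(cat new-key)"` on the server. Comparing type and body rather than the whole line matters because the trailing comment (`cstest@titanic...`) is free text that ssh-keygen fills in from the client hostname and is easy to edit by hand.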

And more...

This shows the basic setup for going from one workstation to another server using the same account. The .ssh/authorized_keys file can list public keys coming from any workstation or account, whether from UNIX or Windows client computers. It is also possible to use the ssh-agent program so that entering the passphrase once allows multiple invocations of ssh during the same session. See the ssh manual pages for more information.

To use the ssh-agent, type

eval `ssh-agent`

followed by

ssh-add .ssh/id_rsa


Last Modified: Oct 14, 2020 2:25 pm America/New_York
Created: Nov 6, 2007 1:56 pm US/Eastern by admin