Public-Key Authentication, SSH, and OS X
17 March 2004, late evening
Update: Nowadays I never make an unauthenticated key-pair. I always pick a passphrase, and use ssh-agent to avoid having to type it again and again.
Here are the steps I went through to get public-key authentication working for my ssh connection to school. What this means is that I no longer have to type a password in when I connect; the server sends a message to my machine, which I decrypt, thereby convincing the server I am who I say I am.
First, you need to generate a public/private key-pair. I had to generate an SSH1 RSA key. This required the following command:
ssh-keygen -t rsa1
Don’t enter a pass-phrase when prompted, and save the files in the default locations with the default names. A pass-phrase is not strictly needed if your home machine is secure, and it would defeat the purpose of this exercise, as we are trying to avoid typing passwords. This will produce two files, a private key and a public key.
Second, upload the generated public key to the remote computer, using the command:
scp identity.pub <user>@<server>:.ssh/authorized_keys
This will overwrite your authorized_keys file, if you already have one. I’m guessing you don’t, since if you did, you would already know how to do this.
Third, try connecting to your server. You shouldn’t be prompted for a password.
Now, why would you want to do this? Trust me when I say you will quickly grow sick of typing your complicated password every time you want to do a cvs command which connects to a remote machine.
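The scp step above replaces authorized_keys wholesale. As an added example (not part of the original post), this shell function appends a key instead, skips duplicates, and sets the permissions sshd expects. The name install_pubkey and the file names are hypothetical, and it is meant to run on the server account after the .pub file has been copied there.

```shell
#!/bin/sh
# Added example: append a public key to authorized_keys instead of overwriting.
# install_pubkey is a hypothetical helper; run it as the account that should
# accept the key, after copying the .pub file to the server.

# The body is a subshell "( ... )" so umask and exit stay local to the call.
install_pubkey() (
    pubkey_file=$1                     # e.g. identity.pub
    ssh_dir=${2:-"$HOME/.ssh"}         # directory holding authorized_keys
    auth_file="$ssh_dir/authorized_keys"

    # Refuse missing or empty input.
    [ -s "$pubkey_file" ] || { echo "no key in $pubkey_file" >&2; exit 1; }

    # Refuse a private key handed over by mistake.
    if grep -q 'PRIVATE KEY' "$pubkey_file"; then
        echo "$pubkey_file looks like a private key" >&2
        exit 1
    fi

    # sshd's StrictModes check rejects key files others can write to.
    umask 077
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || exit 1
    touch "$auth_file" && chmod 600 "$auth_file" || exit 1

    # If the existing file lacks a final newline, add one so the new key
    # does not get glued onto the last existing entry.
    [ -z "$(tail -c 1 "$auth_file")" ] || echo >> "$auth_file"

    # Append each key line only if it is not already present.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        grep -qxF -- "$line" "$auth_file" || printf '%s\n' "$line" >> "$auth_file"
    done < "$pubkey_file"
)
```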
I think if you use ssh-agent when you start your X session then everything else you run in that X session will go to the agent to get the necessary password. You just tell the agent your password after you start it and then you only need to enter it once. Then you can avoid entering a password (frequently), but have slightly more security than using an empty password. I've never actually tried it though.
by Ryan on March 18 2004, 1:36 am #
Yeah, that's what ssh-agent does, but I don't really see the point. If only you have read/write/execute access on those files, logging in to your account with a password should be equally "safe" anyway.
So what finally let your stupid box ssh in? What was the problem?
by Ju-Lian on March 18 2004, 12:07 pm #
I needed to generate an RSA 1 key. So that means I had to pick the key type rsa1, not rsa. I'm not sure why, because the school and I both use OpenSSH, they use version 3.6.2, I use 3.6.1.
by ramanan on March 18 2004, 12:16 pm #
Next step: Fix your X windows tunnelling.
by Iluvitar on March 18 2004, 1:25 pm #