A painting of me

Public-Key Authentication, SSH, and OS X

   17 March 2004, early evening

Update: Nowadays I never make an unauthenticated key-pair. I always pick a passphrase, and use ssh-agent to avoid having to type it again and again.

Here are the steps I went through to get public-key authentication working for my ssh connection to school. What this means is that I no longer have to type a password in when I connect; the server sends a message to my machine, which I decrypt, thereby convincing the server I am who I say I am.

First, you need to generate a public/private key-pair. I had to generate a SSH1 RSA key. To do this, required the following command, ssh-keygen -t rsa1. Don’t enter a pass-phrase when prompted, save the files in the default locations with the default names. A pass-phrase is not quite needed if your home machine is secure, and it would defeat the purpose of this exercise, as we are trying to avoid typing passwords. This will produce two files, a private-key and a public-key.

Second, upload the generated public-key to the remote computer, using the command, scp identity.pub <user>@<server>:.ssh/authorized_keys. This will overwrite your authorized_keys file, if you already have one. I’m guessing you don’t, since if you did, you would already know how to do this.

Third, try connecting to your server. You shouldn’t be prompted for a password.

Now, why would you want to do this? Trust me when I say you will quickly grow sick of typing your complicated password every-time you want to do a cvs command which connects to a remote machine.



  1. I think if you use ssh-agent when you start your X session then everything else you run in that X session will go to the agent to get the necessary password. You just tell the agent your password after you start it and then you only need to enter it once. Then you can avoid entering a password (frequently), but have slightly more security than using an empty password. I've never actually tried it though.

  2. Yeah, that's what ssh-agent does, but I don't really see the point. If only you have read/write/execute access on those files, logging in to your account with a password should be equally "safe" anyway.

    So what finally let your stupid box ssh in? What was the problem?

  3. I needed to generate an RSA 1 key. So that means I had to pick the key type rsa1, not rsa. I'm not sure why, because the school and I both use OpenSSH, they use version 3.6.2, I use 3.6.1.

  4. Next step: Fix your X windows tunnelling.

Don't be shy, you can comment too!

Some things to keep in mind: You can style comments using Textile. In particular, *text* will get turned into text and _text_ will get turned into text. You can post a link using the command "linktext":link, so something like "google":http://www.google.com will get turned in to google. I may erase off-topic comments, or edit poorly formatted comments; I do this very rarely.