Generating RSA keys for SSH authorization on a UNIX system
This document illustrates how to generate RSA keys to allow passwordless login or authentication via SSH on a UNIX or Linux system.
Initial Key Generation
- Run ssh-keygen:
    zyzgy:/home/dogbert> ssh-keygen
    Initializing random number generator...
    Generating p: .++ (distance 8)
    Generating q: .++ (distance 8)
    Computing the keys...
    Key generation complete.
    Enter file in which to save the key (/home/dogbert/.ssh/identity):
- Press the "Enter" or "Return" key
- For the next 2 prompts, enter the passphrase you want to use (for passwordless authentication, press the "Enter" or "Return" key).
    Enter passphrase:
    Enter the same passphrase again:
    Your identification has been saved in /home/dogbert/.ssh/identity.
- Now you get your public key to copy to the server or servers.
    Your public key is:
    1024 33 111168944114597374487887117441784173176539915928847841801074617059136044
    18112027958045436692822448639026002614546220685078910491334727877707050658001885
    33054562010657605452745257654005607173223787815937358915376670760862014949354781
    17010986666777176404809146568040040324385084912146975575625139603544199861431 dogbert@zyzgy
    Your public key has been saved in /home/dogbert/.ssh/identity.pub
Logging on and copying the public key to the server
- Log on to the remote host:
    zyzgy:/home/dogbert> ssh worldlet
    Host key not found from the list of known hosts.
    Are you sure you want to continue connecting (yes/no)? yes
    Host 'worldlet' added to the list of known hosts.
    dogbert@worldlet's password:
    Last login: Thu Mar 30 12:08:52 2000 from world.domination.org
    (worldlet) Slackware Linux, Installed Tue Mar 21 12:58:45 MST 2000
    No mail.
    you are user dogbert /dev/pts/4
    worldlet:/worldlet/dogbert>
- Cut and paste the key from the original host into the file ~/.ssh/authorized_keys
Once you've copied the key, you can log off and log on again to test the key. The output should look like a normal ssh session, except without the dogbert@worldlet's password: prompt.
If you entered a passphrase when generating the RSA key, you will get a prompt similar to the one below:
Enter passphrase for RSA key 'dogbert@zyzgy':
Recreating the RSA key or creating additional RSA key pairs
- Run ssh-keygen:
- At the following prompt, press the "Enter" or "Return" key to recreate the key and get the prompt in Step #3.
Enter file in which to save the key (/home/dogbert/.ssh/identity):
- If you are creating a new, additional pair (for a private key to copy to another system, like a Macintosh), enter the new prefix name for the pair (for the Macintosh, for example, identity.macos). If no path is specified with the name (example: Mac-files/identity.macos), the pair will be placed in your home directory.
Answer y to the following prompt:
/home/dogbert/.ssh/identity already exists. Overwrite (y/n)?
- If you recreated the key, you must replace the public RSA key in every server's .ssh/authorized_keys file you connected to (from this system) with the contents of your new ~/.ssh/identity.pub file.
If you created an additional RSA key pair and subsequently skipped step #3, you need to:
- Copy the private RSA key (the one without the .pub extension, for example identity.macos) to the host you wish to connect from, in the appropriate directory for that system (for example, the NiftyTelnet directory on a Macintosh or the ~/.ssh/ directory on another UNIX system).
- Copy the contents of the public key (the .pub file with the same prefix as the private key file, for example identity.macos.pub) into the ~/.ssh/authorized_keys file of every server you wish to connect to using the private RSA key of the pair (cat identity.macos.pub >> ~/.ssh/authorized_keys).
Additional Notes
The public key must be copied to ~/.ssh/authorized_keys on the SERVER machine (the one you are connecting to) in order to authenticate. This can be done either by cutting and pasting the key into the file, or by copying the ~/.ssh/identity.pub file from the LOCAL host (where you are connecting from) to the SERVER and appending it to ~/.ssh/authorized_keys (cat identity.pub >> .ssh/authorized_keys).
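The append step above, written as an added example that is not part of the original document: it refuses a private key file, skips keys already present, and keeps ~/.ssh and authorized_keys owner-only. The function name install_pubkey and its optional second argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page). install_pubkey and its
# arguments are hypothetical names chosen for this illustration.
# Usage on the SERVER: install_pubkey identity.pub [ssh_dir]

install_pubkey() {
    pubfile=$1
    ssh_dir=${2:-"$HOME/.ssh"}     # default is the directory used on the page
    auth="$ssh_dir/authorized_keys"

    [ -r "$pubfile" ] || { echo "cannot read $pubfile" >&2; return 2; }

    # Only the .pub half belongs on the server. Private key files carry a
    # "PRIVATE KEY" marker in their header (SSH1 identity files and PEM alike).
    if grep -q 'PRIVATE KEY' "$pubfile"; then
        echo "$pubfile looks like a private key; refusing" >&2
        return 3
    fi

    # OpenSSH's sshd with StrictModes (its default) rejects key files that
    # other users could modify, so keep both owner-only.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1

    # Append each key line only once (-x whole line, -F fixed string), so
    # repeating the step does not pile up duplicate entries.
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        if ! grep -qxF -- "$line" "$auth"; then
            printf '%s\n' "$line" >> "$auth"
            added=$((added + 1))
        fi
    done < "$pubfile"
    echo "$added key(s) added to $auth" >&2
    return 0
}
```

After recreating a key pair, the old public key line still has to be deleted from authorized_keys by hand; this function only adds.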