Using public-key SSH

Instead of typing your password every time you SSH to Yallara or Numbat from home, you can configure SSH to authenticate with a public/private key pair instead. This is particularly handy if you're using CVS over SSH, since it prompts for a password on every commit or update.

These instructions are for people using Linux, Cygwin or Mac OS X at home.

Note: These instructions require you to modify important configuration files that could prevent you logging in if not followed correctly. Do not proceed unless you are sure you know what you are doing.

The basic structure of what we do is:

  1. Create a public/private key pair for yourself
  2. Keep the private key, encrypted with a passphrase, on your home computer
  3. Copy the public key into your Yallara/Numbat home directory
  4. Whenever you SSH from your home computer to Yallara/Numbat, ssh will find the key pair and use it to authenticate, and you will be asked only for the private key's passphrase (not your account password).
  5. Use ssh-agent to remember the decrypted private key so you only need to enter the passphrase once per login session.

The exact steps are as follows. See the man pages of ssh, ssh-agent and ssh-keygen for details.

  1. On your home computer, open a terminal (or Cygwin on Windows) and generate a public/private key pair:
    ssh-keygen -t dsa -f ~/.ssh/id_dsa
    When asked for a passphrase, give a good one; it is used to encrypt the private key on disk. The private key is stored in ~/.ssh/id_dsa, the public key in ~/.ssh/id_dsa.pub. Note that DSA keys are limited to 1024 bits and are disabled by default in OpenSSH 7.0 and later, so on a current system use an Ed25519 key instead (ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519) and substitute the file names below accordingly.
  2. Copy the public key to your Yallara home directory (temporarily):
    scp ~/.ssh/id_dsa.pub yallara.cs.rmit.edu.au:~/
  3. SSH into Yallara now and add the public key to your list of authorized keys. sshd refuses to use the file if your ~/.ssh directory or authorized_keys is writable by anyone else, so set the permissions explicitly, and remove the temporary copy when done:
    ssh yallara.cs.rmit.edu.au
    yallara.cs.rmit.edu.au% mkdir -p ~/.ssh && chmod 700 ~/.ssh
    yallara.cs.rmit.edu.au% cat id_dsa.pub >> ~/.ssh/authorized_keys
    yallara.cs.rmit.edu.au% chmod 600 ~/.ssh/authorized_keys && rm id_dsa.pub
    yallara.cs.rmit.edu.au% logout
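Step 3 is where most key-setup problems come from: a stray world-writable ~/.ssh, a key pasted twice, or a file that is not actually a public key. The following is an added example, not part of the original guide, that performs the authorized_keys installation with those checks built in. It takes the public-key file and the target home directory as parameters (so it can be tried against a scratch directory first) and is idempotent; the key in the demo is a constructed dummy, not a real key.

```shell
#!/bin/sh
# Added example: install a public key into ~/.ssh/authorized_keys the way
# step 3 does, with the permission and duplicate checks sshd expects.

# install_pubkey PUBKEY_FILE HOME_DIR
# Appends the key in PUBKEY_FILE to HOME_DIR/.ssh/authorized_keys unless it
# is already there, and sets the modes sshd's StrictModes insists on.
install_pubkey() {
    pubkey_file=$1
    home_dir=$2
    ssh_dir="$home_dir/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # An OpenSSH public key line is "<type> <base64> [comment]"; refuse
    # anything else so a private key or random file never lands here.
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        ssh-ed25519\ *|ssh-rsa\ *|ssh-dss\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Compare only type and key blob, so a different comment on the same
    # key does not produce a duplicate entry.
    key_blob=$(printf '%s\n' "$key_line" | cut -d' ' -f1,2)
    if cut -d' ' -f1,2 "$auth_keys" | grep -qxF "$key_blob"; then
        return 0
    fi
    printf '%s\n' "$key_line" >> "$auth_keys"
}

# count_keys HOME_DIR: number of entries in authorized_keys
count_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# perms PATH: octal mode such as 700 (GNU and BSD stat differ, try both)
perms() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Constructed demo: a dummy key installed twice into a scratch HOME.
demo() {
    scratch=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyKeyForDemoOnly user@home\n' \
        > "$scratch/id_ed25519.pub"
    install_pubkey "$scratch/id_ed25519.pub" "$scratch"
    install_pubkey "$scratch/id_ed25519.pub" "$scratch"   # no-op second time
    echo "entries: $(count_keys "$scratch")," \
         "dir: $(perms "$scratch/.ssh")," \
         "file: $(perms "$scratch/.ssh/authorized_keys")"
    rm -rf "$scratch"
}

demo
```

Run it once against a scratch directory as the demo does; on the real account call install_pubkey with the copied id_dsa.pub and $HOME.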

At this stage, if you try to log into Numbat or Yallara from home you should be prompted only for your private key passphrase, not your account password. Check that this is so; if you are still asked for your account password, something is wrong. Running ssh -v yallara.cs.rmit.edu.au shows whether the key was offered and whether the server accepted it; the usual causes are wrong permissions on ~/.ssh or ~/.ssh/authorized_keys, or the public key having been added to the wrong file.

The next step is to set up ssh-agent to remember your private key so you need only enter the passphrase once when you log in. The agent holds the decrypted key in memory only; it is never written to disk, and ssh talks to the agent through a Unix socket that only your user (and root) can reach, so it is as secure as your login session on the home computer. You don't have to use ssh-agent if you gave your private key no passphrase, but then the key file alone is enough to log in as you, so you should take lots of precautions to make sure your home computer is secure.

Mac OS X users can download and use SSHKeychain, which integrates ssh-agent with Keychain. (Current macOS releases ship an ssh-agent with Keychain integration built in; see ssh-add --apple-use-keychain in the ssh-add man page.)

There are many ways to use ssh-agent, see the references below and the man page for more information. The setup described below is a simple one that should suffice for Linux users, and may work with Cygwin (untested):

  1. At home, create a ~/.login file with the following text (assuming you use csh or a derivative; if you use bash see the references below):
    set sshAgent=/usr/bin/ssh-agent
    set sshAgentArgs="-c"
    set tmpFile=exportAgentEnv
    if ( -x "$sshAgent" ) then
        if ( ! $?SSH_AUTH_SOCK ) then
            $sshAgent $sshAgentArgs | head -2 > $tmpFile
            source $tmpFile
            rm $tmpFile
        endif
    endif
    This starts ssh-agent every time you log in (unless an agent is already available through SSH_AUTH_SOCK) and imports the SSH_AUTH_SOCK and SSH_AGENT_PID settings it prints.
  2. Create a ~/.logout file to ensure your keys are erased from memory and the agent is stopped when you log out (again, see references for a bash example if required):
    if ( $?SSH_AGENT_PID ) then
        ssh-add -D
        kill $SSH_AGENT_PID
        unset SSH_AGENT_PID
        unset SSH_AUTH_SOCK
    endif

When you have logged into your home computer, type:

ssh-add

and when prompted, enter your private key passphrase. Now you should be able to SSH to Yallara or Numbat without typing a password until you log out of your home computer.
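For bash or sh users the guide defers to the references; the following is an added example, not from the original guide or its references, of the same login/logout logic written for a POSIX shell. Instead of writing the agent's output to a temporary file and sourcing it, it parses the sh-style output of ssh-agent -s in a pipe, so nothing touches the disk; the functions can be called from ~/.bash_profile and ~/.bash_logout. The sample agent output in the test is constructed, not captured from a real agent.

```shell
#!/bin/sh
# Added example: sh/bash counterpart of the csh .login/.logout snippets.

# agent_env_from_output OUTPUT
# `ssh-agent -s` prints lines such as
#   SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.1234; export SSH_AUTH_SOCK;
#   SSH_AGENT_PID=1235; export SSH_AGENT_PID;
#   echo Agent pid 1235;
# This turns the two assignments into `export` statements and drops the echo.
agent_env_from_output() {
    printf '%s\n' "$1" | sed -n \
        -e 's/^SSH_AUTH_SOCK=\([^;]*\);.*/export SSH_AUTH_SOCK=\1/p' \
        -e 's/^SSH_AGENT_PID=\([^;]*\);.*/export SSH_AGENT_PID=\1/p'
}

# start_agent: start ssh-agent for this session unless one is already
# reachable through SSH_AUTH_SOCK (e.g. forwarded by a remote login).
start_agent() {
    if [ -n "$SSH_AUTH_SOCK" ]; then
        return 0
    fi
    command -v ssh-agent >/dev/null 2>&1 || return 1
    eval "$(agent_env_from_output "$(ssh-agent -s)")"
}

# stop_agent: mirror of the .logout snippet; forget all keys, then kill
# the agent so nothing survives the session.
stop_agent() {
    if [ -n "$SSH_AGENT_PID" ]; then
        ssh-add -D >/dev/null 2>&1
        kill "$SSH_AGENT_PID"
        unset SSH_AGENT_PID SSH_AUTH_SOCK
    fi
}

# agent_ready: true when a socket is set and exists, which is the condition
# under which `ssh-add` and `ssh` will use the agent.
agent_ready() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}
```

In ~/.bash_profile call start_agent followed by ssh-add; in ~/.bash_logout call stop_agent. The check against an existing SSH_AUTH_SOCK matters: starting a second agent on every shell would orphan agents that still hold your decrypted key.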

References

Using ssh-agent with ssh
    This is the source of the csh examples above for ssh-agent. More details and bash examples are given there.
Public-key cryptography
    Description and background of public-key cryptography, if you are unfamiliar with how it works.

The following references were used in a previous version of this guide, which was tailored for the SSH2 installation on Yallara (which has since been replaced by OpenSSH).

SSH/SSH2 No-password authentication
    Excellent guide on getting OpenSSH and SSH2 to interoperate.
How to get OpenSSH and SSH2 systems to interoperate
    An example from another university of getting OpenSSH (Linux) and SSH2 (Solaris) to cooperate.