This document tells you why you would want to use ssh with public-key authentication and shows you how to configure it for use on the USU RS/GIS Unix machines.
Ssh can use a public/private key encryption pair to authenticate you. The public key is freely available to anyone, while the private key is secret and readable only by you. When you log on to a machine with public-key authentication, the server uses the public/private key pair along with your passphrase to unambiguously identify you. This is much more secure than traditional login/password authentication because someone would have to steal your passphrase AND your private key before they could crack your account.
Public-key authentication also allows you to log in to other machines without having to type any password or passphrase. This is really nice if you get tired of typing your password all the time.
First you need to choose a passphrase to protect your private key. You can use the same string as your login password, but it's better to use something different. After you choose a passphrase, you need to generate your public/private key pair like this:
pfarrall@space$ ssh-keygen2
Generating 1024-bit dsa key pair
  11 o.oOo.oOo..o
Key generated.
1024-bit dsa, pfarrall@space, Tue Aug 07 2001 17:12:00
Passphrase :
Again :
Private key saved to /home/pfarrall/.ssh2/id_dsa_1024_b
Public key saved to /home/pfarrall/.ssh2/id_dsa_1024_b.pub
It will take a minute or so to generate your key, after which you'll be prompted for your passphrase. Type in the passphrase and you're done generating your keys.
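Now you need to install the keys. The identification file lists the private keys ssh offers when you connect (IdKey lines), and the authorization file lists the public keys the server accepts for your account (Key lines). Type the following commands to do this, substituting the file names that ssh-keygen2 printed if yours differ.
pfarrall@space$ echo "IdKey id_dsa_1024_a" >> ~/.ssh2/identification
pfarrall@space$ echo "Key id_dsa_1024_a.pub" >> ~/.ssh2/authorization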
That's it. You're ready to use public-key authentication when you ssh to any Sun workstation on the RS/GIS network. Now when you ssh to another machine you'll be prompted for your private key passphrase instead of your login password. This makes your account harder to hack into, which is a good thing.
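The setup above only protects you if the private key really is readable by you alone and the two control files point at files that exist. The script below is an added example, not part of the original instructions: it audits an ssh2-style directory, assuming identification holds IdKey lines and authorization holds Key lines. The function names and the sample directory built by demo are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an ssh2-style key directory such as ~/.ssh2.
# audit_ssh2_dir prints one line per finding and returns the finding count.

# True when group or other hold any permission bit on $1 (ls -l columns 5-10).
loose_perms() { [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]; }

# Print the file names that follow keyword $2 (IdKey or Key) in file $1.
listed_keys() {
    if [ -f "$1" ]; then awk -v kw="$2" '$1 == kw { print $2 }' "$1"; fi
}

audit_ssh2_dir() {
    dir=$1; findings=0
    for priv in $(listed_keys "$dir/identification" IdKey); do
        if [ ! -f "$dir/$priv" ]; then
            echo "identification lists $priv, which does not exist"
            findings=$((findings + 1))
        elif loose_perms "$dir/$priv"; then
            echo "private key $priv is accessible to group/other (chmod 600)"
            findings=$((findings + 1))
        fi
    done
    for pub in $(listed_keys "$dir/authorization" Key); do
        if [ ! -f "$dir/$pub" ]; then
            echo "authorization lists $pub, which does not exist"
            findings=$((findings + 1))
        fi
    done
    # authorization decides which keys may log in: only the owner may edit it.
    if [ -f "$dir/authorization" ] &&
       ls -ld "$dir/authorization" | cut -c5-10 | grep -q w; then
        echo "authorization is writable by group/other (chmod go-w)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: a throwaway directory with a world-readable private key.
demo() {
    d=$(mktemp -d) || return 1
    echo "IdKey id_dsa_1024_a" > "$d/identification"
    echo "Key id_dsa_1024_a.pub" > "$d/authorization"
    : > "$d/id_dsa_1024_a"; : > "$d/id_dsa_1024_a.pub"
    chmod 644 "$d/id_dsa_1024_a" "$d/authorization"
    audit_ssh2_dir "$d" || echo "findings: $?"
    rm -rf "$d"
}
demo
```

To check your own setup, call audit_ssh2_dir "$HOME/.ssh2" in place of demo; a return status of 0 means nothing was flagged.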
This is the real reason for using public-key encryption. Normally, when you ssh to another machine you have to type in your password or passphrase. With public-key encryption, though, you can tell your computer to remember your passphrase and you can log in to any machine without being prompted for a password or passphrase. You just go right in. To do this you need to run a tool called the ssh-agent. This tool stores your private key in memory. Here's how to start it.
pfarrall@space$ ssh-agent2 $SHELL
pfarrall@space$ ssh-add2
Adding identity: /home/pfarrall/.ssh2/id_dsa_1024_a.pub
Need passphrase for /home/pfarrall/.ssh2/id_dsa_1024_a (1024-bit dsa, pfarrall@space, Tue Aug 07 2001 16:45:49).
Enter passphrase:
pfarrall@space$
Now you can connect to another machine without any password:
pfarrall@space$ ssh torridon
Last login: Tue Aug 07 2001 17:31:08 from torridon
Sun Microsystems Inc. SunOS 5.8 Generic February 2000
You have mail.
pfarrall@torridon$