≡ Menu

Comprehensive Guide for SSH2 Key based authentication setup

I explained previously how to Perform SSH and SCP without entering password on openSSH. In this article, I’ll explain how to setup the key based authentication on SSH2 and perform SSH/SCP without entering password using the following 10 steps.
1. Verify that the local-host and remote-host are running SSH2. Please note that ssh and scp is a symbolic link to ssh2 and scp2 respectively as shown below.

[local-host]$ ls -l /usr/local/bin/ssh /usr/local/bin/scp
lrwxrwxrwx  1 root root 4 Mar 10 22:04 /usr/local/bin/scp -> scp2
lrwxrwxrwx  1 root root 4 Mar 10 22:04 /usr/local/bin/ssh -> ssh2
[local-host]$ ssh -V
ssh: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu

[remote-host]$ ls -l /usr/local/bin/ssh /usr/local/bin/scp
lrwxrwxrwx  1 root root 4 Mar 10 22:04 /usr/local/bin/scp -> scp2
lrwxrwxrwx  1 root root 4 Mar 10 22:04 /usr/local/bin/ssh -> ssh2
[remote-host]$ ssh -V
ssh: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu


2. Generate key-pair on the local-host using ssh-keygen2. Typically ssh-keygen will be a soft-link to the ssh-keygen2 as shown below.

[local-host]$ ls -l /usr/local/bin/ssh-keygen
lrwxrwxrwx  1 root root 11 Mar 10 22:04 /usr/local/bin/ssh-keygen -> ssh-keygen2

[local-host]$ ssh-keygen
Generating 2048-bit dsa key pair
2 oOo.oOo.oOo.
Key generated.
2048-bit dsa, jsmith@local-host, Sat Jun 21 2008 23:10:20 -0700
Passphrase :<Enter the passphrase>
Again      :
Private key saved to /home/jsmith/.ssh2/id_dsa_2048_b
Public key saved to /home/jsmith/.ssh2/id_dsa_2048_b.pub

The public key and private key are stored in .ssh2 folder under your home directory. In this example, it is under /home/jsmith/.ssh2. You should not share the private key with anybody.

By default the ssh-keygen2 generates DSA key pair. You can also generate RSA key pair using: ssh-keygen -t rsa command.
3. Giver proper permission to the .ssh2 directory as shown below.

[local-host]$ chmod 755 ~/.ssh2/
[local-host]$ chmod 644 ~/.ssh2/id_dsa_2048_b.pub
[local-host]$ chmod 644 ~/.ssh2/authorization

4. Identify the private-key on the client machine. On the local-host, add the private key to the SSH2 identification file as shown below. If the identification file not present, create a new file. If the file is present, append the private key file-name that is generated from the above step to the identification file in the “IdKey {private-key file-name}” format as shown below.

[local-host]$ cat /home/jsmith/.ssh2/identification
IdKey id_dsa_2048_a
IdKey id_dsa_2048_b

5. Copy the public key to remote-host.

Copy the /home/jsmith/.ssh2/id_dsa_2048_b.pub file from the local-host to the remote-host /home/jsmith/.ssh2/id_dsa_2048_b.pub.  You can perform a vi /home/jsmith/.ssh2/id_dsa_2048_b.pub on the remote-host and copy the content of the public key from the local-host.

[remote-host]$ cat /home/jsmith/.ssh2/id_dsa_2048_b.pub
---- BEGIN SSH2 PUBLIC KEY ----
Subject: jsmith
Comment: "2048-bit dsa, jsmith@local-host, Sat Jun 21 2008 23:10:\
20 -0700"
BCDEB3NzaC1kc3MAAAEBAMNH6MnHGNzNcuXWuQrGljZsObQq5SknOpLOreXq2GVeSIspX0
S1q7W63VGVDBD9ZVvZzg3UhzsPp6m/WPS53QAxlpQvTLCepipl1LILeOZRnYw+xXzEGgqa
HggXhTy7Z1BMtB1dSlXT2Q1gdvRkvZ0hmlMXH0ktj7U81lKEkzYj8E/E1PZIJsBHAXbYms
q7ftNTd7Gf1mSfbWIG7NIyOZ4i2qSZpQayuvB3MFQXy8lz25NGVq18zoFV4THtzV6ABvHL
IJXEObZUgdUXJXQg49oeXvE6tyaqSUU7tUbp06ZgI/BcFGmbk9FDoC5gy30S5RBPpAJ5II
vsfksnJRt+8R0AAAAVAJcTY6u2Em0Eo5I7X6yL1W+Di+rpAAABAELiJqtn2flgjA926TQk

3af14zSGFHut5kZjsMKUf+3Jj3p5MTiWVglgwWYLXcrG258l5GVPzdgF2d7Z9Bu1RUsdBo
rU5LURvF1cZqC5V+9PD6hlH1iYuULUIbAaIfH6SXuk2KwQ/pEh1Q+lXUj6cCfLwe+yLcvZ
YKLGdi2MvurUKmVRik3RpaB9wcuKbLjkp1rFZGr9skDAc2hYfpM0uF+6UEz6LXWKIvLJeO
Iro6VL3MkJTxXb/Xu5/77TrT+Iz8+5cbALM3EdBOlJa1HcpPXnSKakB3Wo/Ljzf41GZPc/
Y6u09soNsnAHdv9y9gMhj1054sPwNCEJAy4eaWWsqkMAAAEBAL6eolWH4AGuB2/lPu79B0
ufgaU6BQfxED7rItf/lDhtsfHl77u6URxwQzvSV2CNJJ17WkdQoJmGfTVoSduNXOAgkQJU
woB1ALzUfugbzLVxMXWUlmoQjvyoo4G9LMDdyP5qCbFXKsqkpY16N9xcUap5PgmcoF+dCv
+hTjcC6f8j+BOy7zHYfyBnPGgSjKph9gjHyBEZiujPNkNmDXM+Mz7YeEd5HCtt1p55SBv6
wyePMAjf40ty7xcakj0Gk8c52W5yFwQjJw5EvruYW2s/1eNDXIY1IJOQKlUgOEQfon99a/
8NO0BWLNiSCNdr3uHFkr68jeusASRWWvfxYU6uZ9c=
---- END SSH2 PUBLIC KEY ----

6. Create authorization file on the remote-host as shown below. This autorization file should contain the name of the public key that was copied from local-host to remote-host as mentioned in the previous step. Please note that the format of this file is “Key {public-key file-name}“.

[remote-host]$ cat /home/jsmith/.ssh2/authorization
Key id_dsa_2048_b.pub

7. Login from the local-host to remote-host using the SSH2 key authentication to verify whether it works properly.

[local-host]$ ssh -l jsmith remote-host <You are on local-host here>
Passphrase for key "/home/jsmith/.ssh2/id_dsa_2048_b" with comment "2048-bit dsa, jsmith@local-host, Sat Jun 21 2008 23:10:20 -0700": <Enter your passphrase here>
Last login: Sat Jun 21 2008 23:13:00 -0700 from 192.168.1.102
No mail.
[remote-host]$ <You are on remote-host here>

There are two ways to perform ssh and scp without entering the password:

  1. No passphrase. While creating key pair, leave the passphrase empty. Use this option for the automated batch processing. for e.g. if you are running a cron job to copy files between machines this is suitable option. You can skip the next step steps for this method.
  2. Use passphrase and SSH Agent. If you are using ssh and scp interactively from the command-line and you don’t want to use the password everytime you perform ssh or scp, I don’t recommend the previous option (no passphrase), as you’ve eliminated one level of security in the ssh key based authentication. Instead, use the passphrase while creating the key pair and use SSH Agent to perform ssh and scp without having to enter the password everytime as explained in the steps below.

8.  Start the SSH Agent on local-host to perform ssh and scp without having to enter the passphrase several times.

[local-host]$ ssh-agent $SHELL

9. Load the private key to the SSH agent on the local-host.

[local-host]$ ssh-add
Adding identity: /home/jsmith/.ssh2/id_dsa_2048_b.pub
Need passphrase for /home/jsmith/.ssh2/id_dsa_2048_b (2048-bit dsa, jsmith@local-host, Sat Jun 22 2008 23:10:20 -0700).
Enter passphrase: <Enter your passphrase here>

10. Perform SSH or SCP to remote-home from local-host without entering the password.

[local-host]$<You are on local-host here>

[local-host]$ ssh -l jsmith remote-host
Last login: Sat Jun 07 2008 23:03:04 -0700 from 192.168.1.102
No mail.
<ssh did not ask for passphrase this time>
[remote-host]$ <You are on remote-host here>

Please leave your comments and feedback regarding this article. If you like this post, I would really appreciate if you can subscribe to The Geek Stuff.

Add your comment

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

Comments on this entry are closed.

  • Siddharth June 26, 2008, 1:30 am

    Looks like you are a great coder 😉

  • Ajay June 26, 2008, 3:24 am

    this blog content is perfect for a software developer
    can pariticipate with you in this blog to share my Microsoft technologies exp.

  • narendra.s.v June 26, 2008, 7:31 am

    this is what my bro(may be love this) is look for! thanks for the share

  • Ramesh June 26, 2008, 9:44 am

    @Siddharth,

    Thanks for the nice compliment. Linux is one of my passion and I’ve done intensive work on it.

    @Ajay,

    I’ll get in touch with you to figure out the details of how you can write articles about microsoft technologies at the geek stuff.

    @Narendra,

    I’m glad this guide was helpful for you.

  • Anonymous July 15, 2008, 11:16 pm

    the permissions should be 700 instead of 744 and 600 instead of 644
    easier to send the public key with ssh-copy-id
    example: ssh-copy-id -i .ssh/id_dsa.pub user@host
    then try it:
    ssh user@host

  • Frank Foehrenbach April 8, 2009, 9:58 am

    In step 5, you change the name of the file when you copy it. Is there a reason for this or was this just a typo? Thanks for this info. It was helpful. I will be subscribing to your website.

    5. Copy the public key to remote-host.

    Copy the /home/jsmith/.ssh2/id_dsa_2048_b.pub file from the local-host to the remote-host /home/jsmith/.ssh2/id_dsa_1024_b.pub. You can perform a vi /home/jsmith/.ssh2/id_dsa_1024_b.pub on the remote-host and copy the content of the public key from the local-host.

  • Ramesh April 10, 2009, 5:01 pm

    @Anonymous,

    Thanks for your feedback. I also wrote another article where it talks about how to use ssh-copy-id to perform the passwordless login.
     
    @Frank
    Thanks a lot for pointing it out. it was a typo. But, even with that typo that scenario would’ve worked, as you can name the public-key file anything you want, as long as the name is same on step#5 and step#6.
     
    I’ve updated the document accordingly to reflect the proper file name in step#5 and step#6.

  • Mst May 27, 2009, 9:46 am

    I am executing ssh-keygen2 on Local, which is running Solaris 7 . The command never “exits”

    [/home/xxx]: ssh-keygen -b 2048
    Generating 2048-bit dsa key pair
    3 o.oOo.oOo.o

    The number on the last lines keeps moving from 1 to 2 to 3 …. but the key is never generated. Any ideas?

  • Shanker March 28, 2011, 11:13 pm

    Excellent Work..Thanks you..

  • ketan March 12, 2012, 4:09 am

    Great Post. Could you tell if I am given ssh2 rsa public key to add to my server, do I need to necessarily have ssh2 installed and running. I don’t find .ssh2 directory under my home, just only .ssh.

  • yogarajan March 21, 2014, 4:38 am

    How to do the key exchange for the ssh version shown below:

    REMOTE_HOST
    ssh: /opt/tectia/bin/sshg3

    version
    sshg3: SSH Tectia Client 6.1.8 on x86_64-unknown-linux-gnu
    Build: 136

    ssh-keygen: /opt/tectia/bin/ssh-keygen-g3

    LOCAL-HOST

    ssh–> /opt/tectia/bin/sshg3

    version
    sshg3: SSH Tectia Client 6.1.4 on x86_64-unknown-linux-gnu
    Build: 83

    keygen–> /opt/tectia/bin/ssh-keygen-g3

    i tried the same step mentioned above, but its not working..

  • Amar Kumbhar January 9, 2017, 5:17 am

    Thanks for the post.

    Can you please suggest what changes need to be done for
    /usr/bin/ssh -> /opt/SSHtectia/bin/sshg3