≡ Menu

SSH Key based authentication setup from openSSH to SSH2

OpenSSHThe previous articles (openSSH to openSSH setup, SSH2 to SSH2 setup) explains about how to setup key based authentication on the same version of ssh to perform ssh and scp without entering password. This article explains how to setup SSH key based authentication between different version of SSH (from openSSH to SSH2) to perform ssh and scp without entering password.

1. Verify the local-host and remote-host SSH version.

In this example, local-host is running on openSSH and remote-host is running on SSH2.

[local-host]$ ssh -V
OpenSSH_5.0p1, OpenSSL 0.9.8g 19 Oct 2007

[remote-host]$ ssh -V
ssh: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu
[remote-host]$ ls -l /usr/local/bin/ssh
lrwxrwxrwx  1 root root 4 Mar 10 22:04 /usr/local/bin/ssh -> ssh2

2. Generate key-pair on the local-host using ssh-keygen

[local-host]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):<Hit enter>
Enter passphrase (empty for no passphrase): <Enter your passphrase here>
Enter same passphrase again:<Enter your passphrase again>
Your identification has been saved in /home/jsmith/.ssh/id_rsa.
Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub.
The key fingerprint is:
3b:2a:d2:ac:8c:71:81:7e:b7:31:21:11:b8:e8:31:ad jsmith@local-host

The public key and private key are typically stored in .ssh folder under your home directory. In this example, it is under /home/jsmith/.sshd. You should not share the private key with anybody.

By default the ssh-keygen on openSSH generates RSA key pair. You can also generate DSA key pair using: ssh-keygen -t dsa command.

3.  Convert openSSH public key to SSH2 public key.

On local-host that is running openSSH, convert the openSSH public key to SSH2 public key using ssh-keygen as shown below.

[local-host]$ ssh-keygen -e -f ~/.ssh/id_rsa.pub > ~/.ssh/id_rsa_ssh2.pub

4. Install the public-key on the remote-host that is running SSH2.

Create a new public key file on remote-host and copy paste the converted SSH2 key from the local-host.

[remote-host]$ vi ~/.ssh2/local-host_ssh2_key.pub 
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH by jsmith@local-host"
DDDDB3NzaC1yc2EAAAABDmbrdomPh9rWfjZ1+7Q369zsBEa7wS1RxzWRQ0Bmr9FSplI
3ADBEBC/6cbdf/v0r6Cp5y5kusP07AOzo2F7MBDSZBtS/MbYJiIxvocoaxG2bQyz3yYjU
YcpzGMD182bnA8kRxmGg+R5pVXM34lx3iSSgd8r3RzZKnDpEvEInnI7pQvUBoEbYCXPUeZ
LQvQAkz6+Pb6SsNp-dop/qgv9qyfbyMz1iKUZGadG146GtanL5QtRwyAeD187gMzzrGzMFP
LWjdzWpGILdZ5gq7wwRpbcXFUskVrS2ZjDe676XlTN1k5QSZmSYUuttDdrjB5SFiMpsre8
a7cQuMS178i9eDBEC==
---- END SSH2 PUBLIC KEY ----

Add the above public key file name to the authorization file on the remote-host as shown below.

[remote-host]$ vi ~/.ssh2/authorization 
Key local-host_ssh2_key.pub

5. Verify the Login from the local-host to remote-host using the SSH2 key authentication.

[local-host]$ ssh -l jsmith remote-host <You are on local-host here>
The authenticity of host 'local-host' can't be established.
DSA key fingerprint is a5:f6:2e:e6:a9:b2:7b:0e:e7:ae:cb:6c:7b:f5:6d:06.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'local-host' (DSA) to the list of known hosts.
Enter passphrase for key '/home/jsmith/.ssh/id_rsa': <Enter your passphrase here>
Last login: Sat Jun 21 2008 23:13:00 -0700 from 192.168.1.102
No mail.
[remote-host]$ <You are on remote-host here>

There are two ways to perform ssh and scp without entering the password:

  1. No passphrase. While creating key pair, leave the passphrase empty. Use this option for the automated batch processing. for e.g. if you are running a cron job to copy files between machines this is suitable option. You can skip the next step steps for this method.
  2. Use passphrase and SSH Agent. If you are using ssh and scp interactively from the command-line and you don’t want to use the password everytime you perform ssh or scp, I don’t recommend the previous option (no passphrase), as you’ve eliminated one level of security in the ssh key based authentication. Instead, use the passphrase while creating the key pair and use SSH Agent to perform ssh and scp without having to enter the password everytime as explained in the steps below.

6. Start the SSH Agent on local-host

The SSH Agent will be running in the background to hold the private keys and perform ssh and scp without having to enter the passphrase several times.

[local-host]$ ssh-agent $SHELL

7. Load the private key to the SSH agent on the local-host.

[local-host]$ ssh-add
Enter passphrase for /home/jsmith/.ssh/id_rsa:<Enter your passphrase here>
Identity added: /home/jsmith/.ssh/id_rsa (/home/jsmith/.ssh/id_rsa)

8. Perform SSH or SCP to remote-home from local-host without entering the password.

[local-host]$<You are on local-host here>

[local-host]$ ssh -l jsmith remote-host
Last login: Sat Jun 07 2008 23:03:04 -0700 from 192.168.1.102
No mail.
<ssh did not ask for passphrase this time>
[remote-host]$ <You are on remote-host here>
Add your comment

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

Comments on this entry are closed.

  • Francisco August 16, 2008, 7:31 pm

    the best how-to, directly related to ssh connection.
    do you have one for connecting to a Win machine?
    thank you.

  • sheema April 3, 2009, 8:09 am

    hi ramesh,

    i try to generate key pair but there;s an error

    You must specify a key type (-t).
    Usage: ssh-keygen [options]

    any idea about that?

    thanks

  • Denny April 10, 2009, 10:17 pm

    Hi Sheema.

    The key type (t) option means that you gotta choose between rsa or dsa to build your key. Although the command “ssh-keygen” should create a rsa key by default without prompting for an specific one.

    Hope it helps you..

    Ramesh, very good and usefull blog. Congratulations.

  • Ramesh April 11, 2009, 12:17 am

    @Francisco,

    Check out OpenSSH alternatives for Windows.
     
    @Sheema,

    Like Denny has pointed out, if you get that error message, pass the -t option. i.e ssh-keygen -t dsa (or) ssh-keygen -t rsa
     
    @Denny,

    Thanks for helping out Sheema. Also, I appreciate your nice comments about this blog.

  • Sudhansu Sabat June 22, 2010, 4:26 pm

    Excellent article.. Many thanks

  • Ntsoka March 18, 2011, 2:06 pm

    excellent article on how to convert the OpenSSH to an FSecure key. Thank you for sharing the information.

  • bourne July 20, 2012, 1:44 pm

    This is a very good article. Thanks for putting it together and sharing with the rest of us!

  • Gerard H. Pille January 8, 2016, 3:46 am

    If the remote system still asks for a password, check the permissions of the remote .ssh2 folder and the files in it: nobody but the owner should have write permissions!