The previous articles (openSSH to openSSH setup, SSH2 to SSH2 setup) explain how to set up key-based authentication between the same version of SSH to perform ssh and scp without entering a password. This article explains how to set up SSH key-based authentication between different versions of SSH (from openSSH to SSH2) to perform ssh and scp without entering a password.
1. Verify the local-host and remote-host SSH version.
In this example, local-host is running on openSSH and remote-host is running on SSH2.
[local-host]$ ssh -V
OpenSSH_5.0p1, OpenSSL 0.9.8g 19 Oct 2007

[remote-host]$ ssh -V
ssh: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu

[remote-host]$ ls -l /usr/local/bin/ssh
lrwxrwxrwx 1 root root 4 Mar 10 22:04 /usr/local/bin/ssh -> ssh2
2. Generate key-pair on the local-host using ssh-keygen
[local-host]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jsmith/.ssh/id_rsa): <Hit enter>
Enter passphrase (empty for no passphrase): <Enter your passphrase here>
Enter same passphrase again: <Enter your passphrase again>
Your identification has been saved in /home/jsmith/.ssh/id_rsa.
Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub.
The key fingerprint is:
3b:2a:d2:ac:8c:71:81:7e:b7:31:21:11:b8:e8:31:ad jsmith@local-host
The public key and private key are typically stored in the .ssh folder under your home directory. In this example, it is under /home/jsmith/.ssh. You should not share the private key with anybody.
By default, ssh-keygen on openSSH generates an RSA key pair. You can also generate a DSA key pair with the ssh-keygen -t dsa command.
3. Convert openSSH public key to SSH2 public key.
On local-host that is running openSSH, convert the openSSH public key to SSH2 public key using ssh-keygen as shown below.
[local-host]$ ssh-keygen -e -f ~/.ssh/id_rsa.pub > ~/.ssh/id_rsa_ssh2.pub
4. Install the public-key on the remote-host that is running SSH2.
Create a new public key file on the remote-host and copy and paste the converted SSH2 key from the local-host into it.
[remote-host]$ vi ~/.ssh2/local-host_ssh2_key.pub
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH by jsmith@local-host"
DDDDB3NzaC1yc2EAAAABDmbrdomPh9rWfjZ1+7Q369zsBEa7wS1RxzWRQ0Bmr9FSplI
3ADBEBC/6cbdf/v0r6Cp5y5kusP07AOzo2F7MBDSZBtS/MbYJiIxvocoaxG2bQyz3yYjU
YcpzGMD182bnA8kRxmGg+R5pVXM34lx3iSSgd8r3RzZKnDpEvEInnI7pQvUBoEbYCXPUeZ
LQvQAkz6+Pb6SsNp-dop/qgv9qyfbyMz1iKUZGadG146GtanL5QtRwyAeD187gMzzrGzMFP
LWjdzWpGILdZ5gq7wwRpbcXFUskVrS2ZjDe676XlTN1k5QSZmSYUuttDdrjB5SFiMpsre8
a7cQuMS178i9eDBEC==
---- END SSH2 PUBLIC KEY ----
Add the above public key file name to the authorization file on the remote-host as shown below.
[remote-host]$ vi ~/.ssh2/authorization
Key local-host_ssh2_key.pub
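As an added example (not code from the original article), the following Python performs the same conversion that ssh-keygen -e does in step 3 and parses the file format shown in step 4 back into an OpenSSH line, checking on the way that the key type named on the OpenSSH line matches the type encoded inside the key blob. The sample key is constructed from toy values and is not a real key; the Comment header carries the key's own comment rather than the descriptive text ssh-keygen writes.

```python
import base64
import struct

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"

def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def key_type_of(blob: bytes) -> str:
    """Return the key type stored as the first string inside the blob, e.g. 'ssh-rsa'."""
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def openssh_to_ssh2(line: str) -> str:
    """Convert one OpenSSH public-key line into the RFC 4716 block that SSH2 reads."""
    parts = line.split(None, 2)
    ktype, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) > 2 else ""
    blob = base64.b64decode(b64, validate=True)
    if key_type_of(blob) != ktype:  # the declared type must match what the blob encodes
        raise ValueError("key type mismatch between line and blob")
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))  # RFC 4716: <= 72 chars
    header = f'Comment: "{comment}"\n' if comment else ""
    return f"{BEGIN}\n{header}{body}\n{END}\n"

def ssh2_to_openssh(text: str) -> str:
    """Reverse conversion (what ssh-keygen -i does): RFC 4716 block -> one OpenSSH line."""
    lines = text.strip().splitlines()
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing SSH2 public key begin/end markers")
    body, comment = [], ""
    for l in lines[1:-1]:
        if ":" in l:  # a header line; base64 text never contains ':'
            tag, value = l.split(":", 1)
            if tag.strip().lower() == "comment":
                comment = value.strip().strip('"')
        else:
            body.append(l.strip())
    blob = base64.b64decode("".join(body), validate=True)
    return f"{key_type_of(blob)} {base64.b64encode(blob).decode('ascii')} {comment}".strip()

def constructed_sample_key() -> str:
    """Toy 'ssh-rsa' line built from tiny constructed mpints; NOT a real key."""
    e = _ssh_string(b"\x01\x00\x01")          # mpint 65537
    n = _ssh_string(b"\x00\xc0\xff\xee\x01\x23")  # mpint with leading 0x00 (high bit set)
    blob = _ssh_string(b"ssh-rsa") + e + n
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} jsmith@local-host"
```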
5. Verify the Login from the local-host to remote-host using the SSH2 key authentication.
[local-host]$ ssh -l jsmith remote-host <You are on local-host here>
The authenticity of host 'local-host' can't be established.
DSA key fingerprint is a5:f6:2e:e6:a9:b2:7b:0e:e7:ae:cb:6c:7b:f5:6d:06.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'local-host' (DSA) to the list of known hosts.
Enter passphrase for key '/home/jsmith/.ssh/id_rsa': <Enter your passphrase here>
Last login: Sat Jun 21 2008 23:13:00 -0700 from 192.168.1.102
No mail.
[remote-host]$ <You are on remote-host here>
There are two ways to perform ssh and scp without entering the password:
- No passphrase. While creating the key pair, leave the passphrase empty. Use this option for automated batch processing; for example, if you are running a cron job to copy files between machines, this is a suitable option. You can skip the remaining steps for this method.
- Use a passphrase and SSH Agent. If you are using ssh and scp interactively from the command line and you don’t want to enter the password every time you perform ssh or scp, I don’t recommend the previous option (no passphrase), as you’ve eliminated one level of security in SSH key-based authentication. Instead, use a passphrase while creating the key pair and use SSH Agent to perform ssh and scp without having to enter the password every time, as explained in the steps below.
6. Start the SSH Agent on local-host
The SSH Agent will be running in the background to hold the private keys and perform ssh and scp without having to enter the passphrase several times.
[local-host]$ ssh-agent $SHELL
7. Load the private key to the SSH agent on the local-host.
[local-host]$ ssh-add
Enter passphrase for /home/jsmith/.ssh/id_rsa:<Enter your passphrase here>
Identity added: /home/jsmith/.ssh/id_rsa (/home/jsmith/.ssh/id_rsa)
8. Perform SSH or SCP to remote-host from local-host without entering the password.
[local-host]$ <You are on local-host here>
[local-host]$ ssh -l jsmith remote-host
Last login: Sat Jun 07 2008 23:03:04 -0700 from 192.168.1.102
No mail.
<ssh did not ask for passphrase this time>
[remote-host]$ <You are on remote-host here>
the best how-to, directly related to ssh connection.
do you have one for connecting to a Win machine?
thank you.
hi ramesh,
i try to generate a key pair but there's an error
You must specify a key type (-t).
Usage: ssh-keygen [options]
any idea about that?
thanks
Hi Sheema.
The key type (-t) option means that you gotta choose between rsa or dsa to build your key. Although the command “ssh-keygen” should create an rsa key by default without prompting for a specific one.
Hope it helps you..
Ramesh, very good and useful blog. Congratulations.
@Francisco,
Check out OpenSSH alternatives for Windows.
@Sheema,
Like Denny has pointed out, if you get that error message, pass the -t option, i.e. ssh-keygen -t dsa (or) ssh-keygen -t rsa
@Denny,
Thanks for helping out Sheema. Also, I appreciate your nice comments about this blog.
Excellent article.. Many thanks
excellent article on how to convert the OpenSSH to an FSecure key. Thank you for sharing the information.
This is a very good article. Thanks for putting it together and sharing with the rest of us!
If the remote system still asks for a password, check the permissions of the remote .ssh2 folder and the files in it: nobody but the owner should have write permissions!