SSH Public Key Authentication

If you use ssh often, you should use public key authentication. It’s more secure than password authentication and, with ssh-agent, you don’t have to enter your key’s passphrase each and every time you log in. I use public key authentication to access my WebFaction shell account. This post details how to set up SSH public key authentication.


~/.ssh Directory Creation

User-specific ssh data is stored in the ~/.ssh directory. On both the client and the server execute:

mkdir ~/.ssh
chmod 700 ~/.ssh

If the directory already exists, make sure that the permissions are set to 700 (rwx------).

Key Pair Generation

Create the key pair on the client with:

ssh-keygen -q -f ~/.ssh/id_rsa -t rsa

Enter a passphrase when asked. It should be at least 16 characters long and not your account password.

Public Half Key Dissemination

Upload the public half, which ssh-keygen wrote to ~/.ssh/id_rsa.pub beside the private key, to the server with:

scp ~/.ssh/id_rsa.pub username@remote-machine:~/.ssh/

Replace username and remote-machine accordingly.

On the server, the public key data must be appended to the ~/.ssh/authorized_keys file, and the uploaded copy can then be removed:

cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
chmod 600 ~/.ssh/authorized_keys
rm ~/.ssh/id_rsa.pub
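The directory creation, permission and key installation steps above, collected into a small POSIX shell script. This is an added example, not code from the original post: the function names, the scratch directory and the sample key line are constructed for illustration, and ssh-keygen itself is not invoked, so it runs wherever a shell is available. It goes one step beyond the post by refusing to append a key that is already present, so the installation can be repeated safely.

```shell
#!/bin/sh
# Added example, not code from the original post: install a public key into
# authorized_keys the way the post describes, but idempotently, and verify the
# permissions the post requires (700 on ~/.ssh, 600 on authorized_keys).
# Each function takes the .ssh directory as an argument so the same code can be
# run against a scratch directory; the key used by demo() is a constructed sample.

# Print a file's permission bits in octal (GNU stat first, BSD/macOS fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# install_pubkey SSH_DIR PUBKEY_LINE
# Creates SSH_DIR and authorized_keys if missing, appends PUBKEY_LINE unless
# that exact line is already present, and enforces 700/600 permissions.
install_pubkey() {
    ssh_dir=$1
    pubkey=$2
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"
    # -x whole-line, -F literal, -q quiet: skip keys that are already installed
    if ! grep -qxF -- "$pubkey" "$auth"; then
        printf '%s\n' "$pubkey" >> "$auth"
    fi
}

# check_ssh_perms SSH_DIR
# Returns 0 when SSH_DIR is 700 and authorized_keys, if present, is 600.
# sshd with StrictModes (its default) ignores key files that are writable by
# others, so this is the first thing to check when key login unexpectedly
# falls back to a password prompt.
check_ssh_perms() {
    ssh_dir=$1
    auth="$ssh_dir/authorized_keys"
    [ "$(mode_of "$ssh_dir")" = "700" ] || return 1
    if [ -e "$auth" ]; then
        [ "$(mode_of "$auth")" = "600" ] || return 1
    fi
    return 0
}

# count_keys SSH_DIR -> number of entries (lines) in authorized_keys
count_keys() {
    wc -l < "$1/authorized_keys" | tr -d ' '
}

# Demonstration against a scratch directory with a constructed, non-functional key.
demo() {
    scratch=$(mktemp -d)
    sample='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedSampleKeyNotReal== user@client'
    install_pubkey "$scratch" "$sample"
    install_pubkey "$scratch" "$sample"   # second run must not add a duplicate
    echo "keys installed: $(count_keys "$scratch")"
    check_ssh_perms "$scratch" && echo "permissions ok"
    rm -rf "$scratch"
}
```

Call demo to exercise it against a temporary directory; to install a real key, call install_pubkey with the target ~/.ssh and the single line from id_rsa.pub. Checking for the exact line before appending is what makes the function safe to re-run, which the bare cat >> in the steps above is not.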

SSH into Remote Machine

The first time you ssh into the remote machine from the client, execute:

ssh -o PreferredAuthentications=publickey username@remote-machine

Again, replace username and remote-machine accordingly. You will be asked to enter your passphrase.

Add Passphrase to Keychain

Entering the private key passphrase each time you ssh into the remote machine can be frustrating. If you are using Mac OS X 10.5 (Leopard) or higher, you have the option to save the passphrase in the Apple Keychain at the passphrase prompt. This feature doesn’t come standard in 10.4 (Tiger) and lower; however, SSHKeychain provides such functionality. If you’re using another Unix-like system, see the first resource below.

SSHKeychain Primer

I have several iMac G3s that I still use regularly and I’ve installed SSHKeychain on them. Setting up SSHKeychain is a little tricky, so I’ll explain the basics here.

SSHKeychain is installed through an installer rather than by drag-and-drop. Setting it up goes like this:

  1. Once installed, open SSHKeychain from the Applications directory.
  2. Open the Preferences dialog box. You can do this three ways: click “SSHKeychain” at the top left of the menubar and select “Preferences…”, click the keychain icon at the top right of the menubar and select “Preferences…”, or right-click (or click and hold) the icon in the dock and select “Preferences…”.
  3. Select the “Environment” tab and check “Manage (and modify) global environment variables”. (That’s what I missed at first.)
  4. Select the “SSH Keys” tab and remove the default entries using the minus sign button (unless those private keys actually do exist). Click the plus sign button and enter the full path of the private key you just created, for example /Users/username/.ssh/id_rsa.
  5. Close the Preferences dialog box, click “Agent” and select “Add all keys…”. You can find “Agent” on the menubar or the dock menu. You will be prompted for the private key passphrase and have the option to add the passphrase to the Apple keychain.
  6. Before you ssh into your servers using public key authentication managed by SSHKeychain, restart your computer. It should work nicely afterward.

I had a problem typing the entire passphrase into the password field. I solved this by typing it in TextMate and doing a copy and paste. If you have to do this, make sure to copy some meaningless text afterward: you really don’t want your passphrase sitting on the clipboard for any significant length of time.

Disabling Standard Password Authentication

If you want only public key authentication to be used to log in to a remote machine via ssh, see the second resource on how to disable all other means.
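For the server side of that, an added example that is not from the original post or the resource it points to: a POSIX shell audit of an sshd_config that reports whether password and keyboard-interactive logins are off while public keys are still accepted, plus a constructed weak and hardened configuration fragment to run it against. The keyword names are OpenSSH’s own; the function names and the configuration contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: audit an sshd_config for the
# settings that leave only public key authentication enabled. sshd honours the
# first occurrence of each keyword, so the audit reads the first value and stops
# at the first Match block. The sample configurations written by
# write_sample_config are constructed for demonstration.

# sshd_first_value CONFIG KEYWORD -> first value of KEYWORD, lower-cased
# (empty when the keyword is unset, which means sshd uses its default)
sshd_first_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/              { next }   # comment line
        tolower($1) == "match"        { exit }   # conditional section: stop
        NF >= 2 && tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# pubkey_only CONFIG -> 0 when passwords and keyboard-interactive prompts are
# off and public keys are still accepted; 1 otherwise
pubkey_only() {
    cfg=$1
    # All three keywords default to "yes", so an unset keyword fails the first
    # two checks and passes the third.
    [ "$(sshd_first_value "$cfg" PasswordAuthentication)" = "no" ] || return 1
    kbd=$(sshd_first_value "$cfg" KbdInteractiveAuthentication)
    # ChallengeResponseAuthentication is the older name for the same setting
    [ -n "$kbd" ] || kbd=$(sshd_first_value "$cfg" ChallengeResponseAuthentication)
    [ "$kbd" = "no" ] || return 1
    [ "$(sshd_first_value "$cfg" PubkeyAuthentication)" != "no" ] || return 1
    return 0
}

# write_sample_config PATH weak|hardened
# Writes a constructed configuration fragment to PATH.
write_sample_config() {
    case $2 in
    weak)
        cat > "$1" <<'EOF'
# constructed sample: stock-like settings, password login still possible
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
        ;;
    hardened)
        cat > "$1" <<'EOF'
# constructed sample: public key authentication only
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# a later duplicate is ignored by sshd, which keeps the first value
PasswordAuthentication yes
EOF
        ;;
    esac
}
```

To check a live server, run pubkey_only /etc/ssh/sshd_config (or whatever path the resource’s instructions use) and keep a second session open while testing, so a mistake in the file cannot lock you out.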

Other Resources

  1. OpenSSH Public Key Authentication
  2. Secure your SSH server with Public/Private key authentication
  3. Securing ssh-agent on Mac OS X 10.5 (Leopard)
  4. SSH with Keys HOWTO
  5. Take Control of SSH, Draft Excerpt: Public Key Authentication