Getting Started

There are two methods of authentication when using ssh. Both methods prevent your password from being transmitted across the network in cleartext, and both encrypt the remote login session.

The first is to simply use the ssh applications and rely on your normal login password to authenticate you. This is the simpler of the two methods; the password is still sent to the remote host, but only inside the encrypted connection.

The second method involves the use of an RSA public/private key pair. This is the more secure method because authenticating requires both possession of the private key file and knowledge of the passphrase that protects it. With this method, public-key cryptography is used for authentication and no password or passphrase is transmitted across the network, cleartext or encrypted: the passphrase only unlocks the private key on your own machine, and the remote host checks that you hold the private key matching the public key it has on file. It is not necessary to fully understand public-key cryptography to use ssh.

If you want to use the first method, you can skip the rest of this document and move on to the other topics, such as logging into a remote host. To use the second method of authentication you need to follow the steps in the rest of this document to generate your personal key pair before using ssh as described in the other documents.


Key Generation

Step 1

Step 1 is split into different sections for different host types. Choose one:


Key generation on a UNIX host

Log in to the host from which you want to initiate remote connections. From a shell prompt type:

ssh-keygen
After a few moments, a key will be generated. You will then be asked for a file in which to save the key. Just press <ENTER> to accept the default.

You will then be asked for a passphrase. Unlike your normal login password, this phrase can be of arbitrary length. Do not reuse your normal login password: anyone who learned it could then also use your private key. According to the ssh documentation, "Good passphrases are 10-30 characters long and are not simple sentences or otherwise easily guessable."

The passphrase can be changed later at any time, but if you forget it there is no way to recover or reset it: you must generate a new key pair from the very beginning and replace the old public key on every host where you installed it.

When you have entered your passphrase twice, you will be given some information about where your identity (private key) and public key have been saved. Make a note of the public key file. For the SSH1 clients this page describes it will probably be ~/.ssh/identity.pub; newer OpenSSH versions default to names such as ~/.ssh/id_rsa.pub or ~/.ssh/id_ed25519.pub, so use whatever name ssh-keygen reports.

You can now skip down to step 2.


Key generation on MS-Windows

With F-Secure

The F-Secure software will walk you through the generation of a key when you first install the software.

With Command-line port

The command line port comes with a utility called ssh-keygen.exe that should work just like the Unix version. However, the person who ported the program has not yet got it working correctly, so attempting to generate a key fails. You will have to generate a key on a Unix host and copy it to your machine.

With TeraTerm Pro/SSH

TeraTerm Pro/SSH does not provide a mechanism for creating keys, though it will use them if you obtain them from elsewhere. You can either generate one on your Unix account or obtain the command line version and use its key generation program.




You can now skip down to step 2.


Key generation on a Macintosh

When you install the F-Secure SSH software by Data Fellows (see the Obtaining Clients page), it will generate the key automatically the first time you start the software.


Step 2

To complete the process, the contents of the identity.pub file (i.e. your public key) must be copied to every host that you wish to be able to connect to. Its contents must be appended to the following file in the ~/.ssh/ directory:

authorized_keys
First copy identity.pub to the remote host and put it in the ~/.ssh/ directory. To copy the file to these hosts, use ssh's secure file transfer (with normal password authentication). Instructions for doing this can be found on the Transferring Files page.

Once the file is there, log in to the remote host using your normal means or using ssh (with normal password authentication). If the .ssh directory already exists (which it will if you generated a key on your Unix account), change into the .ssh directory:

cd .ssh
If the .ssh directory does not yet exist, first create it with this command (and then change into it). The directory must not be writable by anyone but you; sshd ignores authorized_keys if ~/.ssh or the file itself is group- or world-writable.
mkdir .ssh
Then use the cat command to append the contents of identity.pub to authorized_keys (one public key per line; the file may already hold keys from other machines, which is why you append rather than overwrite):
cat identity.pub >> authorized_keys
Alternatively, if you know that this is the first key to go into authorized_keys, you could make a copy of identity.pub on the local machine, rename it to authorized_keys and then copy that file over. Do not do this if authorized_keys already exists on the remote host, since you would overwrite the keys in it.

Step 3

This entire process (Steps 1 & 2) should be repeated on every host from which you wish to initiate connections, so that each client machine has its own key pair. The exception is Unix hosts in a cluster that share a common home directory, where one ~/.ssh serves them all. Alternatively (and less securely) you could copy the private identity file along with the public key file to all hosts, giving you a single key pair to work with; the cost is that a compromise of any one of those hosts exposes the key that opens all of them.

IMPORTANT!

The identity file (your private key) must be readable only by you! This is chiefly a concern if you are generating this file on a UNIX host, where it means file mode 600 (owner read and write, nothing for group or others); OpenSSH, for example, refuses to use a private key file that other users can read. This does not apply to the public key file, which may be publicly readable.
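The file-handling parts of Step 2 (appending to authorized_keys) and of this note (locking down the identity file), as an added example that is not part of the original howto: a small POSIX shell script that installs a public key exactly once, creates ~/.ssh with the mode sshd requires, refuses to install a private key by mistake, and checks the permission bits that matter. The functions take the key file and .ssh directory as parameters; the file names and key lines used in its comments are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the original howto. Installs a public key into an
# authorized_keys file the way Step 2 describes, but idempotently and with the
# permissions sshd's StrictModes checks, and locks down a private identity file
# as the IMPORTANT note requires. All paths are parameters; nothing here is
# specific to any real account.
# Usage on the remote host, after copying identity.pub over with scp:
#   . ./install_pubkey.sh; install_pubkey ~/identity.pub ~/.ssh

# True if $1 is a single public-key line: SSH1 "bits exponent modulus [comment]"
# (the identity.pub format this page uses) or OpenSSH "keytype base64 [comment]".
# A private key file (multi-line text or binary) fails this check.
is_pubkey_file() {
    [ -f "$1" ] || return 1
    [ "$(awk 'END { print NR }' "$1")" -eq 1 ] || return 1
    grep -Eq '^([0-9]+ [0-9]+ [0-9]+|(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+={0,2})( .*)?$' "$1"
}

# True if group and others have no write bit on $1 (ls -ld columns 6 and 9).
not_group_world_writable() {
    case "$(ls -ld "$1" | cut -c6,9)" in
        *w*) return 1 ;;
        *)   return 0 ;;
    esac
}

# True if group and others have no permission bits at all on $1 (mode 600/700 style).
owner_only() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Number of keys in an authorized_keys file (blank lines and # comments ignored).
count_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cEv '^[[:space:]]*(#|$)' "$1" || true
}

# install_pubkey PUBKEY_FILE SSH_DIR: append the key to SSH_DIR/authorized_keys
# unless that exact line is already present. Prints "added" or "present".
install_pubkey() {
    pub=$1
    sshdir=$2
    auth=$sshdir/authorized_keys

    if ! is_pubkey_file "$pub"; then
        echo "refusing $pub: not a one-line public key (did you pick the private key?)" >&2
        return 1
    fi

    # ~/.ssh must be 700 and authorized_keys 600: sshd ignores the file if
    # either is writable by anyone but the owner.
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    [ -f "$auth" ] || : > "$auth"
    chmod 600 "$auth"

    key=$(cat "$pub")
    if grep -qxF -e "$key" "$auth"; then
        echo present
        return 0
    fi
    # One key per line: terminate the previous last line if it lacks a newline,
    # otherwise the appended key would be glued onto it and neither would work.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    printf '%s\n' "$key" >> "$auth"
    echo added
}

# protect_identity IDENTITY_FILE: make the private key readable by you alone.
protect_identity() {
    chmod 600 "$1" && owner_only "$1"
}
```

Running install_pubkey twice with the same key reports "present" the second time, so the script is safe to rerun from a cluster's shared home directory or after a half-finished copy. The format check is what stops the classic mistake of copying the private identity file instead of identity.pub into authorized_keys.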


Rajpaul Bagga