SSH Key Generation

For all the following examples, you will need access to the ssh-keygen program, which is installed pretty much anywhere you have ssh. Note that ssh-keygen does not have to be run on the host that will eventually use the keys, since all the program does is generate key files that can be copied where you need them (copy private keys only over a trusted channel, and keep their 0600 mode when you do). For more info on this subject, check out the man pages for ssh-keygen and sshd_config.

Host Keys

The sshd server needs a unique key to identify itself with. The key is usually kept in a file in the directory identified as --sysconfdir during the build process (typically /etc, or /etc/ssh for packaged OpenSSH). The server uses differently formatted key files for the two ssh protocols. For Protocol Version 1 (obsolete: OpenSSH dropped it from sshd in release 7.4 and removed it, together with rsa1 keys, entirely in 7.6, so this part only applies to old servers), it expects an /etc/ssh_host_key as generated with the following command:

% ssh-keygen -t rsa1 -f ssh_host_key -C '' -N ''
% chmod 600 ssh_host_key
% chmod 644 ssh_host_key.pub

Note we are generating an rsa1 key with an empty comment (-C '') and no passphrase (-N ''); host keys never get a passphrase, since sshd must load them unattended at boot. In addition to the private key, it also generates the corresponding public key (ssh_host_key.pub).

For Protocol Version 2, the server looks for two keys: an RSA key (ssh_host_rsa_key) and a DSA key (ssh_host_dsa_key). The server will start as long as at least one host key loads. When a client connects, the server offers every host key it has loaded and the client picks one according to its HostKeyAlgorithms preference order; older clients list RSA before DSA, which is why the RSA key usually ends up identifying the server. Current OpenSSH also looks for ecdsa and ed25519 host keys by default, and ssh-dss (DSA) has been disabled by default since OpenSSH 7.0, so on a modern host generate rsa, ecdsa and ed25519 keys instead of rsa and dsa. You can generate the keys using a similar procedure.

% ssh-keygen -t rsa -f ssh_host_rsa_key -C '' -N ''
% chmod 600 ssh_host_rsa_key
% chmod 644 ssh_host_rsa_key.pub
% ssh-keygen -t dsa -f ssh_host_dsa_key -C '' -N ''
% chmod 600 ssh_host_dsa_key
% chmod 644 ssh_host_dsa_key.pub

Again, private and public versions of each key are generated. You can control where sshd looks for keys with the HostKey directives in the sshd_config file. Make sure to set the permissions correctly: sshd will complain about, and ignore, a private key file that is readable by anyone but root.
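The host key procedure above, as an added shell example that is not part of this page: a helper that generates the host key types a current sshd loads by default (rsa, ecdsa and ed25519; rsa1 and dsa are left out because modern OpenSSH no longer accepts them) and a checker that verifies the file modes sshd requires before you restart it. ssh-keygen and its flags are real OpenSSH; the function names and the directory argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the original page): generate a full set of sshd
# host keys into DIR and verify their file modes. Requires OpenSSH's
# ssh-keygen for the generation step; the checker needs only stat.
set -eu

# mode_of FILE: print the permission bits in octal (GNU stat, BSD fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# gen_host_keys DIR: one keypair per type, empty comment (-C '') and no
# passphrase (-N ''), because sshd has to read them unattended at boot.
gen_host_keys() {
    dir=$1
    mkdir -p "$dir"
    for t in rsa ecdsa ed25519; do
        f="$dir/ssh_host_${t}_key"
        [ -e "$f" ] && continue        # never overwrite an existing host key
        ssh-keygen -q -t "$t" -f "$f" -C '' -N ''
        chmod 600 "$f"                 # private: owner only
        chmod 644 "$f.pub"             # public: world readable is fine
    done
}

# check_host_key_perms DIR: return non-zero if any private host key is
# readable or writable by group/other, or any public key is not mode 644.
check_host_key_perms() {
    dir=$1
    rc=0
    for f in "$dir"/ssh_host_*_key; do
        [ -e "$f" ] || continue
        case $(mode_of "$f") in
            600|400) ;;
            *) echo "bad mode $(mode_of "$f") on private key $f" >&2; rc=1 ;;
        esac
        if [ -e "$f.pub" ] && [ "$(mode_of "$f.pub")" != 644 ]; then
            echo "bad mode $(mode_of "$f.pub") on public key $f.pub" >&2; rc=1
        fi
    done
    return $rc
}
```

On a real host, `ssh-keygen -A` does the generation step in one command (it creates any of the default host key types that are missing under /etc/ssh), and the checker is worth running before every sshd restart; a key it flags is exactly one sshd would ignore.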

Public Key Authentication

Ssh has a neat feature called Public Key Authentication that allows you to authenticate to a server without sending a password. It works with a private-public key pair: you place a copy of the public key on the remote server and keep the private key on your local machine. The server then authenticates you by having your client prove possession of the private key (in protocol 2, by signing a challenge bound to the current session; the private key itself never leaves your machine). However, you have to generate the keys first. It's generally best to match the key type to the level of the SSH protocol you expect to be using (v1 => rsa1, v2 => rsa, dsa; current OpenSSH also supports ecdsa and ed25519, and ed25519 is the usual choice today). The following example generates an rsa key for use in v2 of the protocol.

% ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (~/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in ~/.ssh/id_rsa.
Your public key has been saved in ~/.ssh/id_rsa.pub.
The key fingerprint is:
aa:43:09:c1:d1:a9:f4:85:2d:6e:28:cf:15:c2:fd:e3 me@somewhere

Once the key is generated, the task then becomes letting the remote server know your public key. You typically do this by appending the contents of id_rsa.pub, the public component of the key pair, to ~/.ssh/authorized_keys on the remote server (one key per line; ssh-copy-id automates this). The actual location of the authorized_keys file is set by AuthorizedKeysFile in the sshd_config file, so adjust as need be. Since sshd runs with StrictModes on by default, it ignores the file if your home directory, ~/.ssh or authorized_keys is writable by group or others or not owned by you; 700 for ~/.ssh and 600 for authorized_keys are the safe settings. Unlike a host key, a user key should get a passphrase, since it encrypts the private key on disk; ssh-agent can cache the unlocked key so you are not prompted on every connection.
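Installing the public key as described above, as an added shell example that is not from this page: an idempotent version of what ssh-copy-id does on the remote side, with a format check on the key line (so a private key pasted by mistake is refused) and the modes StrictModes expects. The function names, the HOME argument and the constructed key line in the test are this example's own; it assumes sshd's default AuthorizedKeysFile of .ssh/authorized_keys under the user's home.

```shell
#!/bin/sh
# Added example (not from the original page): append a public key to
# HOME/.ssh/authorized_keys exactly once, with ~/.ssh mode 700 and
# authorized_keys mode 600 as sshd's StrictModes requires.
set -eu

# mode_of FILE: print the permission bits in octal (GNU stat, BSD fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# is_pubkey_line LINE: sanity-check the "<type> <base64> [comment]" shape
# before appending, so junk or a private key never lands in the file.
is_pubkey_line() {
    set -- $1
    [ $# -ge 2 ] || return 1
    case $1 in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-*|sk-*) ;;
        *) return 1 ;;
    esac
    printf '%s' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# install_authorized_key HOME PUBKEY_FILE: idempotent append of the first
# line of PUBKEY_FILE, matching on type and key blob (the comment may differ).
install_authorized_key() {
    home=$1 pubfile=$2
    line=$(head -n 1 "$pubfile")
    is_pubkey_line "$line" || { echo "not a public key: $pubfile" >&2; return 1; }
    umask 077                                   # anything we create is private
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    ak="$home/.ssh/authorized_keys"
    touch "$ak"
    chmod 600 "$ak"
    blob=$(printf '%s\n' "$line" | awk '{print $1, $2}')
    if ! awk '{print $1, $2}' "$ak" | grep -Fxq -- "$blob"; then
        printf '%s\n' "$line" >> "$ak"
    fi
}

# count_keys HOME: number of non-empty lines currently in authorized_keys
count_keys() {
    grep -c . "$1/.ssh/authorized_keys" || true
}
```

Run it on the server as the target user (`install_authorized_key "$HOME" /tmp/id_rsa.pub`), then check `mode_of "$HOME/.ssh"` prints 700 and that the home directory itself is not group or world writable; those are the first things to look at when key login silently falls back to a password prompt.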

SshKeyGeneration (last edited 2008-04-13 16:36:25 by localhost)