This instruction set explains how to enable public key authentication for OpenSSH and for SSH Communications' SSH Secure Shell. It describes how to use these keys for authentication and for automation scripts, and how to use keys across the two implementations (OpenSSH client to SSH Secure Shell server, and the reverse) for support purposes.

OpenSSH Public Key Authentication How-to

This set of instructions explains how to create and use public key authentication for OpenSSH. You must be using the server and client from openssh.com. These tools can be used to run unattended scripts and for non-interactive authentication.

1) Create your authentication keys:

# Create a version 2 RSA key
$ ssh-keygen -t rsa

# Create a version 2 DSA key
$ ssh-keygen -t dsa

It will prompt you for where to save the key. The default is $HOME/.ssh/id_rsa or $HOME/.ssh/id_dsa. Finally it will ask you for a passphrase. Enter a difficult passphrase, or, if the key is being used for non-interactive use, use NULL (an empty passphrase).

2) Copy the public key to the server that you are connecting to:

scp .ssh/id_dsa.pub username@server:/home/username/.ssh/authorized_keys

Note that this scp replaces any authorized_keys file already on the server; if that file already holds other keys, append to it instead of overwriting it.

3) Finally, test your authentication method via ssh, scp, and sftp. If you receive any errors, make sure that the steps were followed correctly, that all files exist, and that there are no syntax errors.

SSH Secure Shell Public Key Authentication How-to

This instruction set allows a user to set up public key authentication for various reasons. You must be using the ssh daemon from SSH Communications (SSH.com). Note that this method is used for unattended scripts and jobs which require no user interaction.

1) Generate a keypair on the client machine:

$ ssh-keygen2

You will be asked to enter a passphrase twice. Choose a passphrase that is difficult to guess (spaces are OK). If you are using this for unattended scripts, enter a NULL (empty) passphrase. This will create a public key (.pub) and a private key (no extension).
The default filenames are id_dsa_1024_a.pub and id_dsa_1024_a (both assuming that you don't change the file names or key size). If you want to use additional options, see man ssh-keygen2.

2) In your $HOME/.ssh2 directory on the client, create a file named 'identification' that contains the following:

idkey id_dsa_1024_a

If you have multiple keypairs which you use to authenticate, put each on a separate line:

idkey private_key_one
idkey private_key_two

3) Next, you must also enable public key authentication in the client config file. This can be enabled in the system-wide client configuration file, /etc/ssh2/ssh2_config. As a safer measure, I would suggest creating your own client configuration file. Modify or create the file $HOME/.ssh2/ssh2_config on the client machine to contain the following:

AllowedAuthentications publickey, password

Always place the least interactive method first. This usually means that if you wish to have multiple methods listed here, you should ensure that password is last in the list.

4) Copy the public key portion of your user keypair (id_dsa_1024_a.pub) to the server, into your $HOME/.ssh2 directory.

5) On the server, create a file in your ~/.ssh2 directory named 'authorization'. The file should contain the following:

key id_dsa_1024_a.pub

6) From this point, you should test communications from the client to the server via ssh2, sftp, and scp2. If you have any problems, ensure that the steps were taken properly and that there are no syntax errors.

How can I use public key authentication to authenticate between an OpenSSH client and an SSH Secure Shell Unix server?

To use public key authentication between an OpenSSH client and an SSH Secure Shell Unix server, you must convert your public key to secsh format prior to copying it from the OpenSSH client to your SSH Secure Shell for Unix server.

Important: You must be running OpenSSH 2.9x or higher to use these key conversion options.

1.
Convert your public key to secsh-compliant public key file format on the client:

$ ssh-keygen -e -f yourkey.pub > yourkey_ssh2.pub

2. Next, upload the converted, secsh-compliant public key (yourkey_ssh2.pub) to the SSH Secure Shell for Unix server, into your $HOME/.ssh2 directory. You can use sftp or another method to do this.

3. Also, ensure your ssh_config file on the OpenSSH client is configured to allow public key authentication.

How can I use public key authentication to authenticate between an SSH Secure Shell Unix client and an OpenSSH server?

To use public key authentication between an SSH Secure Shell Unix client and an OpenSSH server, you must create your keypair on the SSH Secure Shell client, then copy the public key over to the OpenSSH server, where it will be necessary to convert the key to OpenSSH public key file format.

Important: You must be running OpenSSH 2.9x or higher to use these key conversion options.

1. If you have not already generated a keypair on your SSH Secure Shell Unix client, see the public key generation instructions above.

2. Once you have created your keypair, upload the public key (your_pubkey.pub) to your OpenSSH server, into your ~/.ssh directory. You can use sftp or another method to do this.

3. Convert the public key to OpenSSH public key file format on the server and add it to your ~/.ssh/authorized_keys (default for OpenSSH 3.5) file:

$ ssh-keygen -i -f yourkey.pub >> authorized_keys

Also, ensure your sshd_config file on the OpenSSH server is configured to allow public key authentication. Check your OpenSSH documentation for instructions on how to do this.

That should be all you need to do to enable public key authentication between an SSH Secure Shell Unix client and an OpenSSH server.

OpenSSH to SSH Communications unattended script automation

The question: scp from OpenSSH to SSH Secure Shell does not work because of fallback to ssh1 compatibility.
The answer: Install the ssh1 client utilities. This method is not recommended because 1) it is insecure and 2) you may not have admin privileges to do so. The recommended option is to use the alternative methods explained below.

- echo "put /path/to/local/file" | sftp username@site.upenn.edu
  (This uploads your local file to the remote site.)

- echo "get /path/to/remote/file" | sftp username@site.upenn.edu
  (This retrieves the remote file to your local site.)

- tar -cvf - /dir/or/file | ssh -l username site.upenn.edu "tar -xvf -"
  (This creates a tar archive of a directory or file of your choice, sends it to the remote location, and extracts the tar archive there.)

- sftp -b batchfile username@site.upenn.edu
  (This starts a secure ftp transfer and uses a batchfile for its list of instructions. For example, you can have a list of puts and gets in that batchfile, and sftp will run them until the batch list is finished. Great for automation.)
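The following is an added example, not part of the original how-to, that ties together the key-format points from the OpenSSH section and the two conversion sections above: it detects whether a public key file is in OpenSSH format or in secsh format (the wrapped format SSH Secure Shell uses), prints the ssh-keygen -e or -i conversion needed for the target server, and appends a key to authorized_keys without replacing the keys already there (the scp in OpenSSH step 2 overwrites that file), setting the permissions sshd expects. The function names, the sample key files and their placeholder key bodies are all constructed for this example; ssh-keygen itself is only needed when you actually run the printed command.

```shell
#!/bin/sh
# Added example (not from the original how-to). Assumptions: POSIX sh, grep and
# find are available; ssh-keygen from OpenSSH 2.9 or later is on PATH when the
# printed conversion command is actually run.

# Print "openssh", "secsh" or "unknown" for the public key file given as $1.
# An OpenSSH public key is a single line starting with the key type (ssh-rsa or
# ssh-dss); a secsh public key is wrapped in "---- BEGIN/END SSH2 PUBLIC KEY ----".
keyformat() {
    if grep -q '^---- BEGIN SSH2 PUBLIC KEY ----' "$1"; then
        echo secsh
    elif grep -Eq '^ssh-(rsa|dss) ' "$1"; then
        echo openssh
    else
        echo unknown
    fi
}

# Print the ssh-keygen command that converts key file $1 for a server of type
# $2 ("openssh" or "secsh"). Prints nothing when no conversion is needed.
convert_cmd() {
    case "$(keyformat "$1")/$2" in
        openssh/secsh) echo "ssh-keygen -e -f $1" ;;   # OpenSSH -> SSH Secure Shell
        secsh/openssh) echo "ssh-keygen -i -f $1" ;;   # SSH Secure Shell -> OpenSSH
        openssh/openssh|secsh/secsh) ;;                # already in the right format
        *) echo "convert_cmd: unrecognised key format in $1" >&2; return 1 ;;
    esac
}

# Append the OpenSSH-format public key in file $1 to $2/authorized_keys exactly
# once, and set the permissions sshd's StrictModes expects (700 on the
# directory, 600 on the file). Unlike scp'ing over the file, existing keys stay.
install_key() {
    key=$1; dir=$2
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$dir/authorized_keys" && chmod 600 "$dir/authorized_keys"
    if ! grep -qxF "$(cat "$key")" "$dir/authorized_keys"; then
        cat "$key" >> "$dir/authorized_keys"
    fi
}

# Write two constructed sample key files into directory $1. The base64 bodies
# are placeholders, not real keys; only the framing matters for detection.
write_samples() {
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAAEXAMPLE user@client\n' > "$1/openssh.pub"
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' \
        'Comment: "constructed example, not a real key"' \
        'AAAAB3NzaC1kc3MAAAAEXAMPLE' \
        '---- END SSH2 PUBLIC KEY ----' > "$1/secsh.pub"
}

# Stand-alone demonstration on the constructed samples: sh keyprep.sh --demo
if [ "${1:-}" = "--demo" ]; then
    work=$(mktemp -d) || exit 1
    write_samples "$work"
    for f in openssh.pub secsh.pub; do
        cmd=$(convert_cmd "$work/$f" openssh)
        echo "$f: $(keyformat "$work/$f") format; for an OpenSSH server run: ${cmd:-nothing, already OpenSSH format}"
    done
    install_key "$work/openssh.pub" "$work/.ssh"
    install_key "$work/openssh.pub" "$work/.ssh"    # second call adds nothing
    echo "authorized_keys now holds $(grep -c . "$work/.ssh/authorized_keys") key(s)"
    rm -rf "$work"
fi
```

For an OpenSSH server, run the printed conversion (if any) and feed its output to install_key; for an SSH Secure Shell server, the converted file goes into ~/.ssh2 and is listed in the 'authorization' file as the how-to above describes. The permission step matters because sshd with StrictModes enabled ignores an authorized_keys file that is group- or world-writable, which shows up as an unexplained fallback to password authentication.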
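An added example (not from the original page) for the sftp -b batchfile method above: it builds a batchfile from a list of local files, checking first that each exists, and runs sftp with BatchMode=yes so that an unattended job fails immediately instead of hanging on a passphrase or password prompt. username@site.upenn.edu is the page's placeholder target; the incoming directory, the file names and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original how-to). Assumptions: OpenSSH sftp is on
# PATH and the remote account has the public key installed as described above.

# Print an sftp batchfile that uploads every local file named in $2.. into
# remote directory $1. Each line is one sftp command. In batch mode sftp aborts
# on the first failing command unless that command is prefixed with "-", so the
# mkdir (which fails harmlessly when the directory exists) is prefixed and the
# puts are not: a failed upload must stop the job, not be skipped silently.
make_batch() {
    remote_dir=$1; shift
    for f in "$@"; do
        [ -f "$f" ] || { echo "make_batch: missing local file: $f" >&2; return 1; }
    done
    echo "-mkdir $remote_dir"
    echo "cd $remote_dir"
    for f in "$@"; do
        echo "put $f"
    done
    echo "bye"
}

# Run batchfile $2 against target $1 (user@host) non-interactively.
# BatchMode=yes makes ssh fail rather than prompt (the key must have an empty
# passphrase, as the how-to says, or be loaded in ssh-agent), and
# StrictHostKeyChecking=yes refuses a host whose key is not already known
# instead of quietly adding it to known_hosts from an unattended job.
run_batch() {
    target=$1; batch=$2
    sftp -oBatchMode=yes -oStrictHostKeyChecking=yes -b "$batch" "$target"
}

# Stand-alone usage: sh sftp_batch.sh --run username@site.upenn.edu incoming file1 file2 ...
if [ "${1:-}" = "--run" ]; then
    target=$2; remote_dir=$3; shift 3
    batch=$(mktemp) || exit 1
    make_batch "$remote_dir" "$@" > "$batch" || { rm -f "$batch"; exit 1; }
    run_batch "$target" "$batch"; status=$?
    rm -f "$batch"
    exit "$status"
fi
```

The exit status of sftp is the job's exit status, so a cron job or wrapper script can tell a completed transfer from one that aborted part way through; check it rather than assuming the batch ran to the end.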