Copyright © 2004 Alexander Wintermans
Using public key encryption to authorise an SSH connection can be useful for automatic connections (used in scripting and such).
In OpenSSH a key pair can be generated as follows:
$ ssh-keygen -t rsa
A number of prompts appear. Accept all defaults.
The private key can be found in the ~/.ssh/id_rsa file. The public key can be found in the ~/.ssh/id_rsa.pub file. Add the generated public key to the server-side .ssh/authorized_keys file:
$ cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
To establish an SSH connection using the private key with the OpenSSH client, simply move the private key file to the same directory on the client machine (i.e. ~/.ssh/id_rsa). To use a specific private key, use the -i flag:
$ ssh -i ~/.ssh/my_id_rsa jjj.joe.org
Establishing an SSH connection using the private key with the PuTTY client is more involved. The generated private key needs to be converted to a PuTTY-specific format. For this you need the puttygen.exe program.
When using private keys to connect from untrusted machines for automated tasks, it is prudent to restrict what the client can do. In the example below, clients are restricted to using the subversion server process (i.e. only subversion clients can usefully use the connection).
The options (first) field of the relevant entry in the ~/.ssh/authorized_keys file is edited to add a command= clause and a bunch of no-* directives:
command="/usr/bin/svnserve -t",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3NzaC1yc.....QXxDDE+E= joe@jjj
This must all be on one single line. The spaces are significant. The dots indicate a big section of key data that has been left out of this example.
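The following Python script is an added example, not part of the original page: it parses the options field of authorized_keys entries (respecting the quoting that lets command= contain spaces and commas) and reports entries that lack the forced command or any of the no-* directives shown above. The function names, the key-type prefix list and the sample entries with placeholder key data are assumptions made for this illustration, and only the options used on this page are checked.

```python
# Added example: audit authorized_keys entries for the restrictions shown above.
KEY_PREFIXES = ("ssh-", "ecdsa-", "sk-")   # assumption: a line starting with a key type has no options
REQUIRED_FLAGS = ("no-port-forwarding", "no-x11-forwarding", "no-agent-forwarding")

def parse_entry(line):
    """Split one authorized_keys line into (options dict, remaining key fields)."""
    line = line.strip()
    if line.startswith(KEY_PREFIXES):
        return {}, line
    tokens, token, in_quotes, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if in_quotes and ch == "\\" and line[i + 1:i + 2] == '"':
            token += '"'                     # \" inside a quoted value
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes        # quotes delimit the value
        elif ch == "," and not in_quotes:
            tokens.append(token)
            token = ""
        elif ch in " \t" and not in_quotes:
            break                            # first unquoted space ends the options
        else:
            token += ch
        i += 1
    if in_quotes or i >= len(line):
        raise ValueError("unterminated quote or missing key data")
    tokens.append(token)
    options = {}
    for tok in filter(None, tokens):
        name, sep, value = tok.partition("=")
        options[name.lower()] = value if sep else None   # option names are case-insensitive
    return options, line[i:].strip()

def audit(line):
    """Return findings for one entry; an empty list means it matches the example above."""
    options, _key_fields = parse_entry(line)
    findings = [] if options.get("command") else ["no forced command"]
    findings += [f"missing {flag}" for flag in REQUIRED_FLAGS if flag not in options]
    return findings

# Constructed sample entries; the key data is a placeholder, not a real key.
SAMPLES = [
    'command="/usr/bin/svnserve -t",no-port-forwarding,no-X11-forwarding,no-agent-forwarding ssh-rsa AAAAB3PLACEHOLDER= joe@jjj',
    'command="/usr/bin/svnserve -t",no-port-forwarding ssh-rsa AAAAB3PLACEHOLDER= joe@jjj',
    'ssh-rsa AAAAB3PLACEHOLDER= joe@jjj',
]

if __name__ == "__main__":
    for entry in SAMPLES:
        print(audit(entry) or "ok", "<-", entry[:40])
```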