How to configure SSH for DSA Public Key Authentication

Source: Internet
Author: User

In this example, we configure DSA public key authentication for SSH2 between two machines (Machine A and Machine B).

After the configuration is complete, you can log in to Machine B from Machine A over SSH2 without entering the account password. The key can also be created without a passphrase (not recommended; see the warning below). Public key authentication is configured per user and per host, not for the whole system: the key pair belongs to one account on Machine A and authorizes that account on Machine B only. This article assumes that openssh, openssh-clients, openssh-server, openssh-askpass and openssh-askpass-gnome are installed and running on both machines.

Note that OpenSSH 7.0 and later no longer accept ssh-dss (DSA) keys by default, on either the client or the server. On a current system, generate an Ed25519 or RSA key instead (ssh-keygen -t ed25519 or ssh-keygen -t rsa) and substitute the matching file names (id_ed25519 or id_rsa for id_dsa); the rest of the procedure is unchanged.

DSA Public Key Authentication configuration steps:

Generate a DSA key pair

1. Enter the following command on Machine A to generate the DSA key pair of SSH2:

    ssh-keygen -t dsa

You will see output similar to the following:

    Generating public/private dsa key pair.
    Enter file in which to save the key (/home/wolfpack/.ssh/id_dsa):
    Created directory '/home/wolfpack/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /home/wolfpack/.ssh/id_dsa.
    Your public key has been saved in /home/wolfpack/.ssh/id_dsa.pub.
    The key fingerprint is:
    79:2b:2a:be:06:a0:77:4a:7c:26:51:52:0f:f2:f7:9c wolfpack@jaws.example.com

Accept the default file path ~/.ssh/id_dsa. Enter a passphrase that is different from your account password, then enter it again to confirm.

Warning: when prompted for a passphrase, you can press Enter to leave the DSA private key unprotected, but this is not recommended. An unprotected private key lets anyone who obtains read access to ~/.ssh/id_dsa (for example an intruder who gains the permissions of your account) log in as you on every machine whose authorized_keys file lists the matching public key.

The public key is written to ~/.ssh/id_dsa.pub and the private key to ~/.ssh/id_dsa. Never give the private key to anyone; only the .pub file is ever copied to other machines.


2. Set the permissions of ~/.ssh on Machine A. The requirement is that the directory is not writable by group or others; 700 is the usual tighter choice, but 755 as shown here also satisfies sshd's StrictModes check:

chmod 755 ~/.ssh

3. Copy the contents of ~/.ssh/id_dsa.pub on Machine A into ~/.ssh/authorized_keys on Machine B. If ~/.ssh/authorized_keys already exists on Machine B, append the contents of id_dsa.pub to it rather than overwriting it (each key occupies one line). Afterwards, ~/.ssh/authorized_keys on Machine B looks like this (the long base64 key body is omitted here):

    [wolfpack@flanders .ssh]$ cat ~/.ssh/authorized_keys
    ssh-dss … wolfpack@jaws.example.com

4. Change the authorized_keys File Permission on Machine B:

chmod 600 ~/.ssh/authorized_keys
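The four steps above as one script, added here as an example and not code from the original article: the install function uses the same append-never-overwrite idiom as ssh-copy-id, refuses to add the same key line twice, and checks the one property sshd's StrictModes (the default) actually enforces, that neither ~/.ssh nor authorized_keys is writable by group or others. The sample key line is constructed for demonstration and is not a real key; the host name wolfpack@flanders is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original article. Installs a public key into an
# authorized_keys file the way ssh-copy-id does (append, never overwrite), refuses
# to add the same key twice, and enforces the permissions sshd's StrictModes
# (the default) insists on: neither ~/.ssh nor authorized_keys may be writable by
# group or others. The key line below is CONSTRUCTED for demonstration only.

SAMPLE_PUBKEY='ssh-dss AAAAB3NzaC1kc3MAAACBAExampleKeyMaterialNotARealKey wolfpack@jaws.example.com'

# perms_ok PATH: true when PATH is not writable by group or others.
# Columns 6 and 9 of `ls -ld` output are the group and other write bits.
perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$(printf '%s' "$mode" | cut -c6)" != "w" ] &&
    [ "$(printf '%s' "$mode" | cut -c9)" != "w" ]
}

# install_key_into AUTHORIZED_KEYS_FILE PUBKEY_LINE
# Creates the directory and file if needed, fixes their modes (700 / 600), and
# appends PUBKEY_LINE unless an identical line is already present.
install_key_into() {
    ak="$1"
    key="$2"
    dir=$(dirname "$ak")
    mkdir -p "$dir"
    chmod 700 "$dir"
    touch "$ak"
    chmod 600 "$ak"
    if ! grep -qxF -- "$key" "$ak"; then
        printf '%s\n' "$key" >> "$ak"
    fi
    perms_ok "$dir" && perms_ok "$ak"
}

# key_count PUBKEY_LINE AUTHORIZED_KEYS_FILE: how many lines match exactly.
key_count() {
    grep -cxF -- "$1" "$2"
}

# push_key_to_host HOST PUBKEY_FILE: steps 3 and 4 run against a remote machine.
# The remote command is the same idiom; this one connection still uses a password.
# HOST is an assumed name such as wolfpack@flanders.
push_key_to_host() {
    ssh "$1" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys' < "$2"
}

# Usage (step 1 is ssh-keygen itself):
#   ssh-keygen -t dsa
#   push_key_to_host wolfpack@flanders ~/.ssh/id_dsa.pub
#   ssh wolfpack@flanders    # now prompts for the key passphrase, not the account password
```

The umask 077 in the remote command makes mkdir create ~/.ssh as 700 when it does not exist yet; an existing 755 directory is left alone, which sshd also accepts. If sshd still asks for a password after this, run it with the key's fingerprint in mind and check /var/log/secure (or the distribution's equivalent) for an "Authentication refused: bad ownership or modes" message, which is StrictModes rejecting the directory or file.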

At this point you can connect to Machine B with public key authentication, but you are still asked for the passphrase of the DSA key on every connection, unless you created the key without a passphrase or you complete one of the ssh-agent procedures below:


Set ssh-agent in GNOME

If you are running GNOME, the following steps configure ssh-agent to hold your DSA key passphrase so that you do not retype it each time you ssh or scp to Machine B. When you log in to GNOME, openssh-askpass-gnome prompts once for the passphrase and the agent keeps the unlocked key until you log out of GNOME. For the rest of that GNOME session, ssh and scp connections to Machine B no longer ask for the passphrase.

To have the passphrase remembered for the GNOME session, follow these steps:

1. Select Main Menu Button (on the Panel) => Preferences => More Preferences => Sessions and click the Startup Programs tab. Click Add and enter /usr/bin/ssh-add in the Startup Command text box. Give it a priority number higher than any existing entry so that it runs last: startup programs run in ascending order of priority number, so the higher the number, the later (lower in priority) the program runs. A value of 70 or above is a good choice for ssh-add. Click Close to exit.

2. Log out of GNOME and log back in (that is, restart X). After GNOME starts, a dialog box asks for your passphrase(s); if you have both DSA and RSA key pairs, you are prompted for each. From then on, ssh, scp and sftp no longer ask for the passphrase.


Configure ssh-agent in a non-X Environment

If X is not running, configure ssh-agent as follows. The same procedure applies if GNOME is running but you do not want to be prompted for the passphrase at login; in that case perform it in a terminal window such as an XTerm. It also applies if the X environment you run is not GNOME. In all of these cases the passphrase is remembered only by that terminal window (the shell started in it and its children), not globally.

1. Enter the following command at the shell prompt. It replaces the current shell with a new one running under ssh-agent; the agent exits when that shell exits:

exec /usr/bin/ssh-agent $SHELL

2. Enter the following command:

ssh-add

Enter your passphrase(s). If you have more than one key pair, you are prompted for each in turn.


3. When you log out, the passphrase(s) are forgotten. These two commands must be run each time you log in to a virtual console or open a new terminal window.
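An added example (not part of the original article) that removes the limitation just described by keeping one agent per login instead of one per terminal window: the agent's environment is saved to a file that later shells source, keys are added with a lifetime (ssh-add -t) so an agent left running does not hold an unlocked key indefinitely, and every helper can be run repeatedly without starting duplicate agents or loading a key twice. The file location ~/.ssh/agent.env and the 4h lifetime are assumptions; the helpers are meant to be sourced from ~/.profile or ~/.bashrc.

```shell
#!/bin/sh
# Added example, not code from the original article. One ssh-agent per login,
# reused by every later shell, with keys loaded for a limited time.
# AGENT_ENV (assumed: ~/.ssh/agent.env) and KEY_LIFETIME (assumed: 4h) are
# assumptions for this example.

AGENT_ENV="${AGENT_ENV:-$HOME/.ssh/agent.env}"
KEY_LIFETIME="${KEY_LIFETIME:-4h}"   # ssh-add -t accepts seconds or sshd_config time formats

# agent_alive: true when SSH_AUTH_SOCK points at a responding agent.
# ssh-add -l exits 0 (keys loaded) or 1 (agent running but empty); 2 means no agent.
agent_alive() {
    [ -n "$SSH_AUTH_SOCK" ] || return 1
    ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ]
}

# start_agent: launch an agent and record its environment in AGENT_ENV.
# The subshell's umask 077 keeps the file private; the `.` afterwards exports
# SSH_AUTH_SOCK and SSH_AGENT_PID into the current shell.
start_agent() {
    (umask 077; ssh-agent -s > "$AGENT_ENV")
    . "$AGENT_ENV" >/dev/null
}

# ensure_agent: source the saved environment if there is one; start a new agent
# only when no usable agent is found.
ensure_agent() {
    if ! agent_alive && [ -r "$AGENT_ENV" ]; then
        . "$AGENT_ENV" >/dev/null
    fi
    agent_alive || start_agent
}

# load_key KEYFILE: add KEYFILE to the agent with a lifetime, unless its
# fingerprint is already listed by ssh-add -l.
load_key() {
    keyfile="$1"
    ensure_agent
    fp=$(ssh-keygen -lf "$keyfile" | awk '{print $2}')
    if ! ssh-add -l 2>/dev/null | grep -qF "$fp"; then
        ssh-add -t "$KEY_LIFETIME" "$keyfile"
    fi
}

# loaded_key_count: number of identities in the agent. Fingerprint lines start
# with the key size; the "The agent has no identities." message does not.
loaded_key_count() {
    ssh-add -l 2>/dev/null | grep -c '^[0-9]'
}

# Usage, for example at the end of ~/.profile:
#   . ~/ssh-agent-helpers.sh
#   load_key ~/.ssh/id_dsa
```

Anything running as your user (or as root) on Machine A can talk to the agent socket and use the loaded key for as long as it is loaded; the lifetime bounds that window, and ssh-add -D or ssh-agent -k clears it immediately when you leave the machine.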


For more information about OpenSSH, refer to the RHEL3 System Administration Guide or earlier versions of the Red Hat Linux/Red Hat Enterprise Linux Customization Guide. For more information about the SSH protocol, see the Red Hat Linux/Red Hat Enterprise Linux Reference Guide.
