USING RSA/DSA KEYS IN OPENSSH


Most Linux administrators know about public key cryptography in applications such as PGP and GnuPG. This is cryptography where the end user has a private key and a public key, where the private key is sacrosanct and the public key is made available to everyone. The public key is used to encrypt files or e-mail, and the private key decodes it.

Public key cryptography is useful for more than just exchanging e-mails. Using SSH, you can generate a public key and a private key for yourself so you can authenticate with a remote SSH server without using a password. The remote server has a copy of your public key, and you use your private key to encrypt traffic; if the server can decrypt it with your public key, the session is active.

Older versions of OpenSSH (the free replacement to commercial SSH) typically used RSA1 for encryption, which is used by the commercial SSH 1.x version (also known as the SSH1 protocol). With newer versions of OpenSSH, opt for the SSH2 protocol, which uses RSA or DSA for the public key authentication. It has also been proven to be safer to use RSA/DSA than to use RSA1.

Now you need to generate new keys. If you used ssh-keygen previously, you probably have files called ~/.ssh/identity and ~/.ssh/identity.pub, syntax for ssh-keygen needs to look like this:

# ssh-keygen -t rsa

or

# ssh-keygen -t dsa

The first line of code generates an RSA keypair in ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub.

The second line of code generates a DSA keypair in ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub.

Now we'll discuss how to use this for password-less authentication to a remote SSH server, that is how to generate RSA and DSA keys for SSH protocol 2. Now let's look at how to use these keys to implement them for authentication without using a password.

First, you must have access to the remote SSH server, either by using your RSA1 key or by using a password. Copy your RSA or DSA key (whichever you prefer) to the remote server by using: # scp ~/.ssh/id_dsa.pub user@remotehost.com:~/ -This will copy your DSA public key to the remote server. Now, log in to the remote server and type:

# cat ~/id_dsa.pub ~/.ssh/authorized_keys2

This will place your DSA key into the authorized_keys2 file on the remote server. This file tells OpenSSH to allow the user with the corresponding private key to log in without a password. If the remote server is configured to use Protocol 2 before Protocol 1, you can use this line to log in:

# ssh user@remotehost.com

If the remote server is configured to use Protocol 1 first, then you must use this line of code to tell OpenSSH to use Protocol 2.

# ssh -2 user@remotehost.com

Otherwise, if you have root access to the remote server, you can modify the /etc/ssh/sshd_config file and change the line that reads:

Protocol 1,2

To

Protocol 2,1

and restart the OpenSSH service. This will default to using Protocol 2, which is a more secure protocol than Protocol 1. Now you can log inwithout having to type a password to the remote server.