University of Colorado at Boulder    
  SSH Authentication — Using Key-Pairs

 

Public key authentication is based on the use of digital signatures. Each user creates a pair of 'key' files. One of these key files is the user's public key, and the other is the user's private key. The server knows the user's public key, and only the user has the private key.

When the user attempts authentication, the server checks for a matching public key and sends a challenge to the user's client. The client signs the challenge with the private key, and that signature authenticates the user.

Remember that your private key file is used to authenticate you. Protect your private key! If anyone else can access your private key file, they can attempt to log in to the remote host computer as you, and claim to be you. Therefore it is extremely important that you keep your private key file in a secure place and make sure that no one else has access to it. It is also a good idea to use a passphrase to protect your private key.

Do not use public key authentication on a shared or public computer!

Windows SSH client

Click here for documentation on using the Windows SSH client to generate and use a key pair.

Unix SSH client

In this example, we are configuring spot.colorado.edu to connect to stripe.colorado.edu as user jdoe. Both spot and stripe are running the commercial version of SSH.

First, create the key pair on spot.

spot> ssh-keygen
Generating 1024-bit dsa key pair
8 ..oOo.oOo.oO
Key generated.
1024-bit dsa, jdoe@spot.colorado.edu, Mon Aug 20 2001 22:57:08
Passphrase :
Again :
Private key saved to /home/jdoe/.ssh2/id_dsa_1024_a
Public key saved to /home/jdoe/.ssh2/id_dsa_1024_a.pub

Next, copy the public key to stripe.

spot> scp id_dsa_1024_a.pub stripe.colorado.edu:.ssh2/drj.pub
Host key not found from database.
Key fingerprint:
xorov-derut-bugol-barek-karyv-tunam-hebyl-zunud-sikuk-pavuf-lixox
You can get a public key's fingerprint by running
% ssh-keygen -F publickey.pub
on the keyfile.
Are you sure you want to continue connecting (yes/no)? yes
Host key saved to /home/jdoe/.ssh2/hostkeys/key_22_stripe.colorado.edu.pub
host key for stripe.colorado.edu, accepted by jdoe Mon Aug 20 2001 22:59:38
jdoe@stripe.colorado.edu's password:
id_dsa_1024_a.pub | 747B | 0.7 kB/s | TOC: 00:00:01 | 100%

Configuring the ssh client on spot to use the key pair requires you to create the file $HOME/.ssh2/identification that contains the following:

key drj.pub

Now, ssh, scp, or sftp should work.

spot> sftp stripe.colorado.edu
Passphrase for key "/home/jdoe/.ssh2/id_dsa_1024_b" with comment "1024-bit dsa, jdoe@spot.colorado.edu, Mon Aug 20 2001 22:57:08":
sftp> get sasl.tar
sasl.tar | 220 kB | 220.5 kB/s | TOC: 00:00:01 | 100%
sftp> quit
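
The advice above to keep the private key file away from other users can be checked mechanically. The following shell functions are an added example, not part of the original ITS document: they report private keys in a key directory such as $HOME/.ssh2 that group or others can access. They assume a private key is any file with a matching .pub file beside it, as in the ssh-keygen output above; the function names and the EXPOSED / DIR-WRITABLE labels are hypothetical.

```shell
#!/bin/sh
# Added example: audit an SSH key directory for private keys that other
# users on the machine could read or replace.
# Assumption: a private key is a file that has "<name>.pub" next to it.
# Usage: audit_key_dir "$HOME/.ssh2"

# perm_string PATH -> prints the 10-character mode string, e.g. -rw-------
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# is_private_to_owner PATH -> status 0 when group and others have no access
is_private_to_owner() {
    case "$(perm_string "$1")" in
        ????------) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_key_dir DIR -> prints one line per finding; status 0 only when clean
audit_key_dir() {
    dir=$1
    findings=0
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 1
    fi
    # A directory writable by group or others lets them swap key files.
    case "$(perm_string "$dir")" in
        ?????w????|????????w?)
            echo "DIR-WRITABLE $dir"
            findings=$((findings + 1)) ;;
    esac
    for pub in "$dir"/*.pub; do
        [ -e "$pub" ] || continue      # glob matched nothing
        priv=${pub%.pub}
        [ -f "$priv" ] || continue     # public key only, no private half here
        if ! is_private_to_owner "$priv"; then
            echo "EXPOSED $priv $(perm_string "$priv")"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

A reported private key can be tightened with chmod 600 on the file and chmod 700 on the directory.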

 

 

Last reviewed: February 06, 2007

© 2000
The Regents of the University of Colorado