SSH Public-Key Authentication HOWTO

This document describes how to set up SSH public-key authentication to connect to both OpenSSH and SSH.com SSH servers from machines running Windows with PuTTY, Unix with OpenSSH, and Unix with SSH.com SSH.

SSH public-key authentication lets you use one identity (i.e. one password) to connect to any number of SSH servers.

The SSH1 protocol should not be used; its vulnerabilities are well known. Please use SSH2.

Please send any corrections, comments, and suggestions to the address at the end of the page.


On Windows with PuTTY

Preliminaries

PuTTY is available from http://www.chiark.greenend.org.uk/~sgtatham/putty.

Generate a public/private key pair

Run puttygen.exe and generate an SSH2 public/private key pair. Save these as daniel.pub and daniel.ppk.

Install the public key on a remote host with OpenSSH

Copy the public key to ~/.ssh/daniel.pub on the remote host using any file-transfer program.

On the remote host, convert the public key to OpenSSH format:

remote-host$ ssh-keygen -i -f ~/.ssh/daniel.pub > ~/.ssh/daniel2.pub

On the remote host, append the contents of the public key to ~/.ssh/authorized_keys2:

remote-host$ cat ~/.ssh/daniel2.pub >> ~/.ssh/authorized_keys2

Install the public key on a remote host with SSH.com SSH

Copy the public key to ~/.ssh2/daniel.pub on the remote host using any file-transfer program.

On the remote host, add the following line to ~/.ssh2/authorization:

key daniel.pub

Use an authentication agent

Add a new shortcut for pageant.exe to the Startup folder:

"C:\PATH\TO\pageant.exe" "C:\PATH\TO\daniel.ppk"

Run the shortcut or reboot.

Use SSH

Use putty.exe to connect to remote hosts.

Point applications (e.g. TortoiseCVS) to use plink.exe as the SSH application.


On Unix with OpenSSH

Preliminaries

OpenSSH is available from http://www.openssh.org.

Generate a public/private key pair

Run ssh-keygen to create the public/private key pair:

local-host$ ssh-keygen -t rsa -f ~/.ssh/daniel

Install the private key

Add the following lines to ~/.ssh/config:

Host *
IdentityFile ~/.ssh/daniel

Install the public key on a remote host with OpenSSH

On the remote host, append the contents of the public key to ~/.ssh/authorized_keys2:

local-host$ ssh remote-host 'cat >> ~/.ssh/authorized_keys2' < ~/.ssh/daniel.pub

Install the public key on a remote host with SSH.com SSH

Convert the public key to SECSH Public Key File Format:

local-host$ ssh-keygen -e -f ~/.ssh/daniel.pub > ~/.ssh/daniel2.pub

Copy the public key to the remote host:

local-host$ scp ~/.ssh/daniel2.pub remote-host:.ssh2/daniel.pub

On the remote host, add the following line to ~/.ssh2/authorization:

key daniel.pub

Use an authentication agent

Run ssh-agent at the beginning of the X-session or login session:

eval `ssh-agent`

Run ssh-add to add the private key to the authentication agent.


On Unix with SSH.com SSH

Preliminaries

SSH.com SSH is available from http://www.ssh.com.

Generate a public/private key pair

Run ssh-keygen2 to create the public/private key pair:

local-host$ ssh-keygen2 -o ~/.ssh2/daniel

Install the private key

Add the following line to ~/.ssh2/identification:

IdKey daniel

Install the public key on a remote host with OpenSSH

Copy the public key to the remote host:

local-host$ scp ~/.ssh2/daniel.pub remote-host:.ssh/daniel.pub

On the remote host, convert the public key to OpenSSH format:

remote-host$ ssh-keygen -i -f ~/.ssh/daniel.pub > ~/.ssh/daniel2.pub

On the remote host, append the contents of the public key to ~/.ssh/authorized_keys2:

remote-host$ cat ~/.ssh/daniel2.pub >> ~/.ssh/authorized_keys2

Install the public key on a remote host with SSH.com SSH

Copy the public key to the remote host:

local-host$ scp ~/.ssh2/daniel.pub remote-host:.ssh2/daniel.pub

On the remote host, add the following line to ~/.ssh2/authorization:

key daniel.pub

Use an authentication agent

Run ssh-agent2 at the beginning of the X-session or login session:

eval `ssh-agent2`

Run ssh-add2 to add the private key to the authentication agent.


Last modified: 2005-08-22
Daniel Hsu <dhsu+sshpubkey@hkn.berkeley.edu>