SSH Keys

Creating an SSH (non-OpenSSH) Public Key

To create a public key for use in automatic authentication with SSH2 do the following:

SSH into your favorite unix machine running SSH2.
Type ssh-keygen
You will be prompted to give a passphrase, give it a good one.
If you accepted the default names, you will now have a file called “identity” and a file called “identity.pub” in your ~/.ssh2 directory. “identity” is your private key and “identity.pub” is your public key that you can use to automate authentication on machines that you give it to.

Creating an OpenSSH Public Key

To create a public key for use in automatic authentication with ssh do the following:

SSH into your favorite unix machine running OpenSSH, such as login.eecs.
Type ssh-keygen -t dsa
When the program asks you to “Enter file in which to save the key” just press “enter”
You will be prompted to give a passphrase, give it a good one.
If you accepted the default names, you will now have a file named “id_dsa” and a file called “id_dsa.pub” in your ~/.ssh directory. “id_dsa” is your private key and “id_dsa.pub” is your public key, that you can use to automate authentication on machines that you ssh into.

Connecting from an OpenSSH Client to an SSH Server

Use this procedure if your local machine is running OpenSSH.

Make sure you have an OpenSSH public key. Refer to Creating an OpenSSH Public Key for more details.
Generate a representation of your OpenSSH public key that SSH2 understands:
- Run ssh-keygen -e -f ~/.ssh/id_dsa.pub > ~/.ssh2/id_dsa.pub
- Notice that we are reading the OpenSSH key under “.ssh”, but we are writing the converted key under “.ssh2”. Don’t overwrite the original file!
On the machine you want to ssh to (the one running the SSH server), make sure you have a ~/.ssh2/ directory. Then, copy your newly created SSH public key to that machine.
- scp ~/.ssh2/id_dsa.pub
  machine.berkeley.edu:.ssh2/my_client_machine_id_ds.pub
  (where my_client_machine is replaced by the hostname of your client machine).
Inform the SSH server that you will accept this public key. On the machine that is running the SSH server:
- Run echo “Key my_client_machine_id_dsa.pub” >> ~/.ssh2/authorization
- This file is similar to the “~/.ssh/authorized_keys2” file used by OpenSSH. Rather than listing public keys, though, it lists the names of files in which those public keys can be found.

Connecting from an SSH Client to an OpenSSH Server

Log into a machine running SSH2
Make sure you have an SSH public key. If you do type: ssh-keygen2 -e ~/.ssh2/id_dsa_1024 and remove the passphrase. If not, the following command should create two files: ~/.ssh2/id_dsa_1024_a and ~/.ssh2/id_dsa_1024_a.pub. The -P option turns off the passphrase. Remove it if you want to use a passphrase.
- ssh-keygen2 -b 1024 -t dsa -P
Copy the SSH public key to your OpenSSH computer that you want to ssh to.
- scp ~/.ssh2/id_dsa_1024_a.pub machine.berkeley.edu:.ssh/SSH_id_dsa_1024_a.pub
Log into a machine running OpenSSH
Perform the conversion by running the following commands:
- ssh-keygen -i -f ~/.ssh2/id_dsa_1024_a > ~/.ssh2/my.OpenSSH.key
- ssh-keygen -p -f ~/.ssh2/my.OpenSSH.key
Copy the contents of OpenSSH_id_dsa_1024_a.pub into a file called ~/.ssh/authorized_keys. Be careful with the linefeeds. Each key should be on its own single line.
Log back on to a machine running SSH2
Restore your passphrase for the SSH2 private key by running:
- ssh-keygen2 -e ~/.ssh2/id_dsa_1024_a

Configuring SSH in UNIX to Not Require A Password

On unix you can use an ssh-agent to manage your ssh connections so that you don’t have to type a password every time when logging into other unix machines.

Add the following lines to your .login (this assumes a login shell of csh/tcsh): eval `ssh-agent -c` ssh-add
Add this line to your .logout: eval ‘ssh-agent -k’

Make sure you still have your “identity.pub” in the remote machine’s authorized_keys file.