SSH Key Authentication - Quick and Dirty User Howto


Security and convenience. It enable fast, secure login to remote hosts without a password, rlogin, telnet, and .rhosts.


Assume, for this example, that you want to be able to log in a user "foo" on host "" from host "", and have a password based account on "". In the real thing you would substitute your login id and the correct hostnames.

  1. Log in to "" via ssh.

  2. Go to the .ssh directory:

    ~$ cd .ssh
  3. Run ssh-keygen

    .ssh$ ssh-keygen
    Note: If both "here" and "there" are using OpenSSH, or other version 1.5/2.0 software, (running

    ssh -V on both machines will tell you,) you will need to specify the type of key, like this:

    .ssh$ ssh-keygen -t rsa
    If only "here" is running a protocol 1.5/2.0 mix, you will need to specify the type as
    rsa1 (because "there" would be running only protocol 1) like so:
    .ssh$ ssh-keygen -t rsa1
    **Caution: RSA 1 is very deprecated, and insecure.

    Whether or not you use a passphrase or not depends on your system standards, and your paranoia level. If you use a passphrase, be sure to make a note of it someplace safe. If you do not use a passphrase, just hit enter when it asks for one.

  4. The ssh-keygen utility will generate two files: "id_rsa" and "" (or identity and You may wish to copy "" (or to ""

  5. Now scp (secure copy) the (or file to "" as "".

    .ssh$ scp

    It will ask you to enter your password for foo at After you enter your password, it should copy the file, and then idicate that it is done.

  6. Now ssh to "", log in, and change to your .ssh directory.

    .ssh$ ssh
    ~% cd .ssh
  7. Your "" file should be there. If it is, append it to the "authorized_keys" file.

    .ssh% cat >> authorized_keys

    Be sure to use ">>" (two greater-than signs) in order to append it to an existing file. If there is no "authorized_keys" file, create it by:

    .ssh% touch authorized_keys

    and then append your "" file to it.

  8. Make sure that the files in .ssh are writable only by you, on both machines, and non-executable by anyone.

    .ssh% chmod 600 *
    .ssh% chmod go-rwx *

    Your .ssh directory should also be 700

    chmod go-rwx ~/.ssh

    You public key (*.pub) can be 644, if the system has a problem with it at the tighter setting.

  9. Now exit from "", and test whether you can ssh in to it without a password.

It is a point to remember: passphraseless login is convenient, but if you don't need it, it can be a security risk.

If you need a passwordless login to run certain commands on a remote system, you might also want to take a look at using a ssh agent and agent forwarding. Then you only need to run the agent, and enter your passphrase once per session, do your business, and quit.

Be sure to email me at lj @ if you have questions (remember to de-mung).