Public Key Authentication between two Solaris Servers

[a]. Generate a pair of SSH keys on the client. Take the default key name ~/.ssh/id_rsa:

    [email protected]# ssh-keygen -t rsa
    Generating public/private rsa key pair.
    Enter file in which to save the key (//.ssh/id_rsa):
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in //.ssh/id_rsa.
    Your public key has been saved in //.ssh/id_rsa.pub.
    The key fingerprint is:
    05:26:98:a9:1f:c3:03:d1:b1:4e:35:e8:9b:f7:e3:89 [email protected]

Note: here the passphrase is left empty. It is also possible to generate the SSH key with a passphrase. When ssh-keygen asks for a passphrase, the simpler choice is to press return twice (i.e. set no passphrase). Protecting a key with a passphrase is safer in principle; the argument against it here is that it buys no extra security, since the passphrase would have to circulate between your client and the server and would be stored in clear text. This is optional: if you feel safer with one, feel free to enter a passphrase.

[b]. Copy the public key from the client to the server:

    [email protected]# scp /.ssh/id_rsa.pub fsctsp1:/
    [email protected]'s password:
    id_rsa.pub           100%  222     0.2KB/s   00:00

On the server, append the newly obtained key to the ~/.ssh/authorized_keys file, which is where the OpenSSH implementation stores the SSH public keys allowed to log in:

    [email protected]# cat /id_rsa.pub >> /.ssh/authorized_keys

[c]. Modify the permissions of the authorized_keys file. If this file is writable by anybody other than the user, the server will deactivate public key authentication:

    [email protected]# chmod 600 ~/.ssh/authorized_keys

[d]. At the client, decrypt and register your key with ssh-agent. This is required only if a passphrase is used; see "Password-less login" below.

[e]. At the client, try to log in to the server:

    [email protected]# ssh fsctsp1
    Last login: Thu Sep 22 12:52:21 2005 from fsctsp2
    Sun Microsystems Inc.   SunOS 5.8   Generic Patch   October 2001
    Sun Microsystems Inc.   SunOS 5.8   Generic Patch   October 2001
    You have mail.
    [email protected]#

Password-less login

Note: this section applies only when the SSH key was generated with a passphrase.

At this point you will probably want to set up password-less login, which is done with the following commands.

Invoke ssh-agent and evaluate the shell commands it outputs:

    [email protected]# eval `ssh-agent`
    Agent pid 9626

Decrypt and add your newly generated private key to ssh-agent's database:

    [email protected]# ssh-add id_rsa
    Identity added: id_rsa (id_rsa)

Now you should be able to do a password-less login to the server:

    [email protected]# ssh fsctsp1
    Last login: Thu Sep 22 12:52:21 2005 from fsctsp2
    Sun Microsystems Inc.   SunOS 5.8   Generic Patch   October 2001
    Sun Microsystems Inc.   SunOS 5.8   Generic Patch   October 2001
    You have mail.
    [email protected]#

As you will soon notice, this only gives you password-less login from this terminal. To achieve true one-time-per-system authentication, the Keychain utility is recommended. This involves downloading the keychain program and adding two lines to your ~/.bashrc or ~/.bash_profile (or ~/.cshrc) file. The utility then keeps you from having to enter your passphrase more than once.
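The append-to-authorized_keys and chmod steps above, as an added POSIX shell example that is not part of the original page: it installs a public key without duplicating an entry already present, and checks the write-permission condition under which the server refuses the file. The function names, the directory paths and the sample key used in the test are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original page. Installs a public key into an
# authorized_keys file idempotently and checks the permission condition under
# which sshd refuses the file. Function names, paths and the sample key are
# constructed for this example.

# install_pubkey PUBKEY_FILE SSH_DIR
# Appends the first line of PUBKEY_FILE to SSH_DIR/authorized_keys unless the
# same key is already present, then sets the modes the server expects.
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    auth_keys="$ssh_dir/authorized_keys"

    # A public key line is "<type> <base64 blob> [comment]"; reject anything else.
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|ecdsa-sha2-*" "*) ;;
        *) echo "not an SSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys"
    # Compare on type and blob only; the trailing comment may differ.
    key_blob=$(printf '%s\n' "$key_line" | awk '{print $1, $2}')
    if ! awk '{print $1, $2}' "$auth_keys" | grep -qxF "$key_blob"; then
        printf '%s\n' "$key_line" >> "$auth_keys"
    fi
    chmod 600 "$auth_keys"
}

# check_authkeys_perms SSH_DIR
# Returns 0 only if neither SSH_DIR nor its authorized_keys file is writable
# by group or others, i.e. the "writable by anybody other than the user"
# condition that makes the server deactivate public key authentication.
check_authkeys_perms() {
    ssh_dir=$1
    for f in "$ssh_dir" "$ssh_dir/authorized_keys"; do
        [ -e "$f" ] || { echo "missing: $f" >&2; return 1; }
        # ls mode string: position 6 is group write, position 9 is other write.
        mode=$(ls -ld "$f" | cut -c1-10)
        case "$mode" in
            ?????w*|????????w*)
                echo "$f is writable by group or others ($mode)" >&2
                return 1 ;;
        esac
    done
    return 0
}
```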