Key-Based SSH Logins

I did found a lot of pages with good explanation of the theory and / or how to setup client and server and I don't want to write another one. The motivation of this article is only to have a concise check list to use with "copy & paste" when I have to set up a such login.

The Ecosystem

I have a UNIX server called canistracci.oil holding a bare GIT repository, accessible through the account petrol. Another UNIX server called pipeline.oil (account grease) should access the repository of canistracci.oil for continuous integration. The development workstation (gas-station.oil) is a modern Windows 7 PC and should also access the GIT repository on canistracci.oil.

The Software

On Solaris 10, Linux and MacOSX the SSH package is ready to use. Windows doesn't provide SSH connectivity. I use the excellent PuTTY terminal by Simon Tatham. I did download the Windows installer and I did a standard installation.

Authorize Grease

First connect to pipeline.oil. From MacOSX, Linux or Solaris execute ssh grease@pipeline.oil, on Windows use PuTTY and then execute the following commands.

grease@pipeline.oil $ ssh-keygen -b 2048 -t rsa

Generating public/private rsa key pair.
Enter file in which to save the key (/home/grease/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/grease/.ssh/id_rsa.
Your public key has been saved in /home/grease/.ssh/id_rsa.pub.
The key fingerprint is:
x6:68:xx:93:98:8x:87:95:7x:2x:4x:x9:81:xx:56:94 grease@pipeline.oil

grease@pipeline.oil $ scp ~/.ssh/id_rsa.pub petrol@canistracci.oil:
grease@pipeline.oil $ ssh petrol@canistracci.oil
petrol@canistracci.oil's password:

petrol@canistracci.oil $ mkdir ~/.ssh
petrol@canistracci.oil $ chmod 700 ~/.ssh
petrol@canistracci.oil $ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
petrol@canistracci.oil $ rm ~/id_rsa.pub
petrol@canistracci.oil $ chmod 600 ~/.ssh/authorized_keys

The next login of grease on canistracci.oil doesn't require a password anymore.

Notice: On Solaris 10 the name of the file authorized_keys is authorized_keys2. The last Ubuntu server I did install (10.10) authorizes a MacOSX using authorized_keys2.

Authorize Gas-Station.oil

• Start the program PuTTYgen.exe.
• Generate the key-pair.
• Save both keys on the hard-disk.
• Start the program PuTTY.exe and connect to canistracci.oil.

Execute the following commands:

petrol@canistracci.oil $ vi ~/id_rsa.pub

Copy the public key (in blue on the picture above) to the clipboard, activate the PuTTY window, type i and paste the key. Type the sequence ESC + : + wq!

petrol@canistracci.oil $ chmod 700 ~/.ssh
petrol@canistracci.oil $ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
petrol@canistracci.oil $ rm ~/id_rsa.pub
petrol@canistracci.oil $ mkdir ~/.ssh
petrol@canistracci.oil $ chmod 600 ~/.ssh/authorized_keys

The next login of grease on canistracci.oil doesn't require a password anymore.

Notice: on Solaris 10 the name of the file authorized_keys is authorized_keys2. The last Ubuntu server I did install (10.10) authorizes a MacOSX using authorized_keys2.

Notice: on Windows before the first connection a double click on the PuTTY private key is necessary to activate the program Pageant.exe and to load the key.