SSH public key authentication

Consider also connecting via ssh GSSAPI authentication (aka kerberos).

A relatively secure way to use SSH is to use key-based authentication, instead of password-based authentication.

To be able to log in this way, you first need to create a public/private key pair on your personal(remote) workstation:

user@foo$ ssh-keygen -b 2048 -t rsa

You will then be prompted for a passphrase to protect your new private key. The associated public key won't have any passphrase.

This will create a 2048-bit key pair of type 'rsa'. This command should work in virtually all distributions of Linux and in Mac OS X and any other flavor of Unix that includes openssh. Solaris may not use openssh by default, so you may have to enter a different command for generating ssh keys if you run Solaris. To use ssh from a Windows machine, you should install 'PuTTY'. To find it, search for 'putty' in google. PuTTY uses the same ssh protocol as everyone else, so it will interoperate, but its key file formats are different. It includes a utility to convert between PuTTY's and openssh's key file formats, though.

After running ssh-keygen, your private key is stored in ~/.ssh/id_rsa, and your public key is placed in ~/.ssh/ These are just simple text files. Take a look at them if you like. There is no need to protect your public key file--it can be emailed or transmitted through unencrypted channels. Your private key file, however, should never be accessible by anyone--not even your mother!

To use your key to log into a CAL Configured Workstation, copy your public key file (the one that ends in '.pub') to ~/.ssh/authorized_keys in your CAL home directory. You can do this using 'secure copy' (scp) which is part of the ssh suite of applications:

0 user@foo:~$ scp ~/.ssh/'s password:                                    100%  733     0.7KB/s   00:00
0 user@foo:~$

(If your CAL username is different from the username on your personal workstation, prepend "CALusername@' before the hostname, 'pluto.astro...', in the above example.)

After you have done this, you will never need to enter your CAL password again to log into any Configured Workstation from the workstation where your private key is installed. (Technically, you only put your public key on pluto, but since home directories are shared between all CWs, you can now ssh into any CW with your key.) Of course, now you will have to enter your passphrase every time you log in, instead of your CAL password. If you don't like entering passphrases, you can leave it blank (this is safe as long as your private key file, id_rsa, never gets out), or you can use ssh-add to cache your passphrase for however long you want. You can read more about that by doing 'man ssh-add'. Use 'ssh-keygen -p' change the passphrase on your private key.

Key-based authentication is much more secure than password-based authentication because people (or programs like crack) are sometimes able to guess passwords, but no one will be able to guess a 2048-bit private key. And if you are worried that they might, generate a 4096-bit key instead. The biggest worry now is not that someone will crack the rsa code, but that someone will steal your private key--either by breaking into your workstation or physically carrying it away, especially if it is a laptop. The passphrase (if you have one) will be your second line of defense in that case. If you think that anyone might have stolen your private key, you should immediately delete your public key off of all servers on which you have installed it and generate a new public/private key pair to use in its place.

See Brian Hatch's article on SecurityFocus and the openssh website for more details.