This technical note describes the steps you must follow to use public key authentication when connecting from a Reflection SSH UNIX Client to an OpenSSH server. You will use the key generation utility to generate a key pair. You will upload the public key to the server and then convert the public key to the proper format. Troubleshooting tips are also included.
Public Key Authentication Overview
Public key authentication is one way a server can authenticate a user. It requires a private and public key pair; the private key is located on the client, and the public key must be uploaded to the OpenSSH server and converted to the proper format. In addition to the keys, specific files must exist in the user's .ssh2 directory on the client and in the user's .ssh directory on the server. If the files don't exist, you must create them.
The process of generating keys, converting keys, and creating files is outlined below.
Using the Key Generation Utility
Use the Reflection SSH key generation utility to generate a key pair.
- Open a terminal window on the UNIX system with the Reflection SSH client.
- Use the following command to create a key pair:
Note: To get a list of available switches, use the command ssh-keygen -h, or check the man pages for more details.
The key generation utility will run for a few moments. Once the utility has generated the key pair, you are prompted to enter a passphrase and then confirm it. If you want to create a passphrase-less key, press the Enter key twice without entering a passphrase.
After entering a passphrase, the location and names of the private and public keys are displayed. For example:
Private key saved to /home/username/.ssh2/id_rsa_2048_a
Public key saved to /home/username/.ssh2/id_rsa_2048_a.pub
Creating the identification file on the client
The identification file contains pointers to the private key files that may be used for public key authentication. Follow these steps to create the identification file for the private key on the client:
- Change directories to the .ssh2 directory in your home directory.
- Use the following command to create a file named identification with the IdKey information as its contents:
echo IdKey <keyname> >> identification
echo IdKey id_rsa_2048_a >> identification
This command writes the IdKey key word and the name of the file containing the private key to the identification file. If the identification file does not exist, it will be created.
Uploading the Public Key to the Server
Once the key pair is created, upload the public key to the server. When transferring the key, be sure to use binary mode.
- Use the command sftp user@host to connect to the OpenSSH server using password authentication (the default).
- Change directories to the .ssh directory in your home directory.
Note: If the .ssh directory does not exist in the $HOME directory, create it.
- Transfer the public key file you just created (using the Reflection SSH UNIX Client) to the OpenSSH Server by using this command:
Replace <keyname>.pub with the name of the public key you created, for example:
- Use the quit command to close the sftp connection.
Converting the public key
The public key format supported by OpenSSH servers is OpenSSH, which is not compatible with Reflection's default public key format.
Now that you have uploaded the public key to the OpenSSH server, you must convert the public key format from SecSH (the format generated by the Reflection SSH client) to OpenSSH (the format supported by OpenSSH servers) and write it to the authorized_keys file. To do this, follow these steps:
- Use the command ssh user@host to establish a terminal session using password authentication to connect to the OpenSSH server.
- Change to the .ssh directory in your home directory.
- Use the following command to convert the key to OpenSSH format and append the key to the authorized_keys file. Replace <keyname>.pub with the name of your public key:
ssh-keygen -i -f <keyname>.pub >> authorized_keys
ssh-keygen -i -f id_dsa_2048_a.pub >> authorized_keys
Note: Use the >> symbol to append to the authorized_keys file. The > symbol will overwrite the file contents. If the authorized_keys file does not exist, it will be created.
Command switches used:
-i    Convert IETF SecSH to OpenSSH key file
-f    Filename of the key file
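To make the conversion step concrete, the following added example (not part of this note or of the Reflection product) reproduces in Python what ssh-keygen -i does with a SecSH public key file: it strips the BEGIN/END armour and header lines, rejoins the base64 body, and prefixes the key type read from inside the key blob. The SecSH input is a constructed sample with a toy key blob, not a real key.

```python
"""Convert a SecSH (RFC 4716) public key, as written by the Reflection SSH
client, into the single-line OpenSSH authorized_keys format.

This mirrors what `ssh-keygen -i -f <keyname>.pub` does on the server."""
import base64
import struct


def ssh_string(data: bytes) -> bytes:
    # SSH wire format: 4-byte big-endian length followed by the bytes.
    return struct.pack(">I", len(data)) + data


def blob_key_type(blob: bytes) -> str:
    # The first string inside any OpenSSH key blob names its algorithm.
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def secsh_to_openssh(text: str) -> str:
    """Return the OpenSSH authorized_keys line for a SecSH public key."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("---- BEGIN SSH2 PUBLIC KEY"):
        raise ValueError("not a SecSH public key file")
    body, in_header = [], False
    for ln in lines[1:]:
        if ln.startswith("---- END SSH2 PUBLIC KEY"):
            break
        if in_header or ":" in ln:       # header (Comment:, Subject:) or its
            in_header = ln.endswith("\\")  # backslash-wrapped continuation
            continue
        body.append(ln.strip())
    blob = base64.b64decode("".join(body), validate=True)
    # Like ssh-keygen -i, emit only "<type> <base64 blob>" with no comment.
    return f"{blob_key_type(blob)} {base64.b64encode(blob).decode('ascii')}"


# Constructed sample: a toy ssh-rsa blob (NOT a real key) wrapped in the
# RFC 4716 armour the Reflection client produces, base64 folded at 70 chars.
TOY_BLOB = (ssh_string(b"ssh-rsa") + ssh_string(b"\x01\x00\x01")
            + ssh_string(b"\x00" + b"\x9d" * 64))
TOY_B64 = base64.b64encode(TOY_BLOB).decode("ascii")
SAMPLE_SECSH = "\n".join(
    ["---- BEGIN SSH2 PUBLIC KEY ----",
     'Comment: "2048-bit rsa, username@client, constructed \\', 'sample"']
    + [TOY_B64[i:i + 70] for i in range(0, len(TOY_B64), 70)]
    + ["---- END SSH2 PUBLIC KEY ----", ""])

if __name__ == "__main__":
    print(secsh_to_openssh(SAMPLE_SECSH))  # one line, ready for >> authorized_keys
```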
You should now be able to connect with SSH, SFTP, or SCP from the UNIX system running the client to the UNIX system running the server without being prompted for a password.
If you have trouble connecting, check the troubleshooting suggestions listed below.
Setting server permissions
Verify that the file permissions on the server are configured properly. Setting the $HOME/.ssh directory to 744 and the authorized_keys file to 600 will allow key authentication to work. For more information about permissions, see KB 7021756: Understanding UNIX and NFS Permissions.
Verify that public key authentication is enabled
On the OpenSSH server:
Verify that the server configuration file, sshd_config, includes the following entries:
Verify that the public key was uploaded and converted properly
The public key should be uploaded to the user's .ssh directory on the OpenSSH server. Verify that the public key was converted into the authorized_keys file. The authorized_keys file should have an entry similar to the following: