Overview of RSA Authentication
RSA authentication uses a public-private key pair to authenticate and log onto an SSH1 server. It offers a higher level of authentication security than password authentication by requiring both the private key and the passphrase that protects the private key in order to complete authentication.
Public-private key pair: A pair of keys used with RSA or DSA authentication. The public key is usually kept in a file named Identity.pub, which is then transferred to the remote SSH server and appended to the user's authorized_keys file. Another file usually named identity contains both the public key and the corresponding private key. This file is kept on the local machine and is used by SecureCRT with public key or RSA authentication methods.
Server: A computer program that provides services to other computer programs (called clients). Often the computer on which a server program runs is also called a server. The term host is often used as a synonym for server.
Passphrase: A password used to protect a private key from unauthorized use. It is recommended that a passphrase be assigned to all private keys to prevent unauthorized use, especially in environments where multiple individuals have access to the machine on which the private key files are stored. When using public-key authentication, a private key with an assigned passphrase will not be available if the correct passphrase is not supplied during the authentication process.
Setting up RSA public-key authentication for a SecureCRT SSH1 session is a multi-step process. Identity files are first created with the SecureCRT Key Generation wizard. The identity file is defined for global or session-specific use in the SSH1 category of the Global Options dialog or in the Connection/SSH1 category of the Session Options dialog. Then the public key is added to the authorized_keys file, which is located on the SSH1 server.
SSH1: The first version of the SSH protocol which provides a way to encrypt network traffic between a client and a server.
Session: A session is a set of options that are assigned to a connection to a remote machine. These settings and options are saved under a session name and allow the user to have different preferences for different hosts.
Identity file: Identity files are two files containing the public-private key pair used to connect to an SSH server using RSA or DSA authentication. The Identity file contains the public and private key pair and is used by SecureCRT. The Identity.pub file contains only the public key which is usually appended to the authorized_keys file.
Creating Identity Files
To create an RSA identity file:
1. In the Connect dialog, select the SSH1 session with which you would like to use the identity files.
2. Open the Session Options dialog and click on the Connection/SSH1 category.
3. In the Authentication field, choose RSA as the authentication type and click on the Properties... button.
4. In the Public Key Properties dialog, select whether you want the new identity file to be global or session specific and click on the Create Identity File button.
5. Follow the instructions in the Key Generation wizard to create your identity files. Once your public-private key pair has been generated by the Key Generation wizard, you will be prompted for the path and filename in which your private key will be stored. Be sure to specify a secure location for this file such that you are the only individual with access to it. The public key will be placed in a file with the same base name as the private key file, but with an extension of .pub.
Using Your Identity Files
Once you have created your identity files, there are several steps that will need to be completed so that you can make use of them with SecureCRT. The necessary steps are 1) Transfer the public-key file (e.g., Identity.pub) to the remote machine; 2) Put the contents of the public-key file in your authorized_keys file on the remote machine; and 3) Configure SecureCRT to use the identity file with RSA authentication.
1. Transfer the public-key file to the SSH server
In order to use your public key you must transfer the public-key file (with the extension .pub) created by the Key Generation wizard to the ~/.ssh/ directory on the SSH server. One of the easiest ways to transfer this file to the SSH server is to use the Zmodem file transfer feature provided by SecureCRT. If the remote machine does not have Zmodem installed, you will need to use an FTP client to transfer the public-key file to the remote machine. Another way to transfer the public-key file to the remote machine is to copy and paste its contents. To accomplish this, use Notepad.exe to open the public-key file and copy its contents to the clipboard. On the remote machine, create a file using your favorite editor and paste the contents of the clipboard using the paste button.
Zmodem: Zmodem is a file transfer protocol that touts speed and reliability. In this terminal emulation application, it provides a mechanism for secure file transfers as long as the remote machine has Zmodem support installed.
Client: A computer or application that uses services provided by a server.
2. Update the authorized_keys file on the remote machine
Once you have transferred the Identity.pub file to the remote machine, you must update the authorized_keys file on the remote machine. The following steps outline this update process.
1. Connect to the remote SSH server using SSH1 and password authentication.
2. Append the contents of the public-key file created with the Key Generation wizard to the file ~/.ssh/authorized_keys on the remote host. The default name of the public-key file is Identity.pub. Create the ~/.ssh/authorized_keys file if it does not already exist. If you want multiple authorized keys, append the contents of the public-key file to the authorized_keys file. The simplest way to do this is typically:
% cat identity.pub >> ~/.ssh/authorized_keys
(note that the name of the identity file can be different than the example)
Note on placing public keys: The format of the authorized_keys file requires that each entry consist of a single long line. If you use Copy and Paste to add a public key to the ~/.ssh/authorized_keys file, make sure that the entry contains no additional new-line characters.
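The append step and the single-line requirement above, combined into one check-then-append function for the remote shell. This is an added example, not SecureCRT's own tooling: the function name install_pubkey and its optional directory argument are illustrative, and the key layout it checks ("bits exponent modulus comment", the SSH1 RSA public-key form) is an assumption about what your Identity.pub contains.

```shell
#!/bin/sh
# Added example. Usage: install_pubkey PUBFILE [SSH_DIR]
# SSH_DIR defaults to ~/.ssh; the argument exists so the function can be tried elsewhere.
install_pubkey() {
    pub=$1
    dir=${2:-"$HOME/.ssh"}
    auth="$dir/authorized_keys"

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Drop carriage returns left by a Windows editor or paste, and blank lines.
    key=$(tr -d '\r' < "$pub" | sed '/^[[:space:]]*$/d')

    # Each authorized_keys entry must be one long line; a wrapped paste
    # shows up here as more than one line.
    lines=$(printf '%s\n' "$key" | wc -l | tr -d ' ')
    [ "$lines" -eq 1 ] || { echo "$pub: expected 1 line, found $lines" >&2; return 2; }

    # Assumed SSH1 RSA layout: "<bits> <exponent> <modulus> [comment]".
    # This also rejects the private identity file if it is passed by mistake.
    printf '%s\n' "$key" | grep -Eq '^[0-9]+ [0-9]+ [0-9]+( .*)?$' ||
        { echo "$pub: not an SSH1 RSA public key line" >&2; return 3; }

    # sshd ignores key files that other users could modify, so keep both private.
    mkdir -p "$dir" && chmod 700 "$dir" || return 4
    touch "$auth" && chmod 600 "$auth" || return 4

    # If the existing file lacks a final newline, add one so the new key
    # is not glued onto the end of the previous entry.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi

    # Skip the append when the identical entry is already present.
    grep -Fxq -- "$key" "$auth" && return 0
    printf '%s\n' "$key" >> "$auth"
}
```

Return codes 2 and 3 distinguish a wrapped or multi-line paste from a file that is not a public key at all.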
3. Configure SecureCRT to use your identity files
The identity file created by the Key Generation wizard contains both your new public key and your new private key. To configure SecureCRT to use the identity file:
1. In the Connect dialog, select the SSH session with which you would like to use the identity file.
2. Open the Session Options dialog and in the Connection/SSH1 category, change the Authentication setting from Password to RSA.
3. If you have more than one identity file, you may need to click on the Properties... button and verify that the session is using the session-specific key you have created.
4. Click on the OK button to save the changes. If you supplied a passphrase when you created your key, you will be prompted to enter it during the connection process.