Both telnet and ftp use ordinary password authentication. SSH, however, can also use public key authentication, which is based on asymmetric cryptography: the client proves possession of a private key by signing a challenge, and the server checks the signature against a public key it already trusts. The private key never leaves the client, so nothing reusable crosses the network. Let us assume that we have two hosts. officeboy is the host that I am physically using, and homer is the machine that I want to control remotely.
For public key authentication to work, I first need to generate a key pair on the controlling host, which in this example is officeboy. This is done with the following command:
ssh-keygen -b 1024 -t rsa
This generates two files. ~/.ssh/id_rsa is the private key; it must stay on officeboy at all times, readable only by my own user (ssh refuses to use a private key that other users can read). ~/.ssh/id_rsa.pub is the matching public key, and this file can be copied to other computers freely. ssh-keygen also prompts for a passphrase; leaving it empty, as an unattended job requires, means the private key file is itself the credential. A 1024-bit RSA key is also below today's minimum: recent OpenSSH releases default to Ed25519 keys, and an RSA key should be at least 3072 bits.
After the key pair is generated, the next step is to send the public key to homer. Because it is only the public half, any channel will do, FTP included; I use scp:
scp ~/.ssh/id_rsa.pub username@homer:~/.ssh/id_rsa.officeboy
This command copies officeboy's public key into ~/.ssh on homer as a file called id_rsa.officeboy (scp does not create directories, so ~/.ssh must already exist on homer; it does once ssh has been run from that account, or after a mkdir). Next, log in to homer (using password authentication) and run the following command:
cat ~/.ssh/id_rsa.officeboy >> ~/.ssh/authorized_keys
This command appends the contents of ~/.ssh/id_rsa.officeboy to the file ~/.ssh/authorized_keys. That file lists, one public key per line, every key whose holder may log in to homer as username; sshd consults it on each login attempt. So this command lets whoever holds officeboy's private key authenticate to homer as username. One check worth doing at this point: with StrictModes on (the default), sshd silently ignores authorized_keys if it, ~/.ssh, or the home directory is group- or world-writable, so ~/.ssh should be mode 0700 and authorized_keys mode 0600.
After everything is set up, connections to homer as username from officeboy no longer prompt for a password (they prompt for the key's passphrase instead if one was set).
Public key authentication is most useful when typing a password is not possible. For example, if a cron job on officeboy has to connect to homer, a key lets the connection run completely unattended, and no password has to be stored in a file where it could leak. The unencrypted private key is still a secret worth protecting, though, so limit what it is good for: the options that may prefix an authorized_keys line (from= to accept the key only from given source addresses, command= to force a single command whatever the client asks for, restrict to disable port forwarding, agent forwarding and PTY allocation) confine a stolen key to the one job it was made for.
Combined with sudo, public key authentication lets a cron job safely perform privileged operations remotely: a sudoers rule that grants username NOPASSWD for exactly the command the job runs, paired with a forced command in authorized_keys, gives the key the one privilege it needs and nothing more.
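The whole procedure above, from generating the key pair on officeboy through installing it on homer with the right permissions, plus the restrictions a cron job's key should carry, as one POSIX shell script. This is an added example, not the tutorial's own commands: it keeps the account username@homer from the text but stores the key as ~/.ssh/id_ed25519_homer, and uses 198.51.100.7 and /usr/local/bin/backup.sh as placeholders for officeboy's address and the job's command.

```shell
#!/bin/sh
# Added example, not code from the original page: the officeboy -> homer key
# setup from the tutorial, with the checks it skips, so an unattended cron job
# ends up with a key that can do exactly one thing.
# Assumed names: remote account username@homer (from the text), key stored as
# ~/.ssh/id_ed25519_homer, 198.51.100.7 as a placeholder for officeboy's
# address and /usr/local/bin/backup.sh as a placeholder for the job's command.

# Step 1 (on officeboy): generate the key pair. Ed25519 replaces the tutorial's
# 1024-bit RSA; -N '' makes an unencrypted private key, which an unattended job
# needs, so the authorized_keys restrictions below are what protect it.
generate_key() {    # $1 = private key path; $1.pub is written beside it
    ssh-keygen -t ed25519 -N '' -C "officeboy cron" -f "$1"
}

# Step 2: build the authorized_keys line. The options before the key type are
# read by sshd on homer: "restrict" turns off port/agent forwarding and PTY
# allocation, from= accepts the key only from the listed source, and command=
# runs that command regardless of what the client asked for.
restrict_entry() {  # $1 = public key line, $2 = allowed source, $3 = forced command
    printf 'restrict,from="%s",command="%s" %s\n' "$2" "$3" "$1"
}

# Step 3 (on homer): append the line to ~/.ssh/authorized_keys, creating the
# directory the tutorial's scp step assumes exists, with the modes sshd's
# StrictModes (the default) accepts: 0700 on ~/.ssh, 0600 on the file.
install_entry() {   # $1 = home directory, $2 = authorized_keys line
    (
        umask 077   # subshell, so the umask change does not leak to the caller
        mkdir -p "$1/.ssh" && chmod 700 "$1/.ssh"
        printf '%s\n' "$2" >> "$1/.ssh/authorized_keys"
        chmod 600 "$1/.ssh/authorized_keys"
    )
}

# Returns 0 when ~/.ssh is 0700 and authorized_keys is 0600 (the safe setting;
# sshd silently ignores the file when either is group- or world-writable).
check_modes() {     # $1 = home directory
    find "$1/.ssh" -maxdepth 0 -perm 700 2>/dev/null | grep -q . &&
    find "$1/.ssh/authorized_keys" -maxdepth 0 -perm 600 2>/dev/null | grep -q .
}

# The end-to-end flow, run only when the script is invoked with the argument
# "run", so that sourcing the file for its functions has no side effects.
if [ "${1:-}" = run ]; then
    key="$HOME/.ssh/id_ed25519_homer"
    generate_key "$key"
    entry=$(restrict_entry "$(cat "$key.pub")" "198.51.100.7" "/usr/local/bin/backup.sh")
    # One password-authenticated session installs the line on homer; the remote
    # command repeats install_entry's steps on that side.
    printf '%s\n' "$entry" | ssh username@homer \
        'umask 077; mkdir -p ~/.ssh; chmod 700 ~/.ssh; cat >> ~/.ssh/authorized_keys; chmod 600 ~/.ssh/authorized_keys'
    # Try it the way cron will use it: BatchMode=yes fails instead of prompting
    # if the key is not accepted. Because of command=, homer ignores the "true"
    # we pass and runs the forced command, so this is also the job's first run.
    ssh -i "$key" -o IdentitiesOnly=yes -o BatchMode=yes username@homer true
fi
```

Invoked with the argument run it performs the setup end to end; without arguments it only defines the functions, which is how the permission check and entry builder can be reused on their own. The from= and command= options are the part worth keeping even for interactive use: a key that can only run one command from one address is a much smaller loss than an unrestricted login.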