Setting Up Public-Key Authentication
Public-key authentication requires the following configuration actions
on the client and server host sides of the connection.
Create public-private key pairs on the client host.
Install your public key in your accounts on all server hosts
to which you want to connect. Your user account on each server host might
have many public keys for accessing it in different ways.
Setting Up Public-Key Authentication on the Client
Edit the client configuration file by setting the value of
the AllowedAuthentications keyword to include the word publickey.
AllowedAuthentications publickey, password
From the user account, run the SSH_KEYGEN utility,
as described in Chapter 7. This action
creates the public private key file. The default public key file name is [username.SSH2]ID_DSA_2048_A.
The file contains your private key, which you must protect so that only
you can access it. To protect the file, use the DCL command SET FILE/PROTECTION.
$ SET FILE/PROTECTION=(S,W,G,O:RW) ID_DSA_2048_A.
The [username.SSH2]ID_DSA_2048_A.PUB file
contains your public key, which you can copy to other hosts. Ensure that this
file is available for world read access.
Create a file named [username.SSH2]IDENTIFICATION.
The IDENTIFICATION. file identifies your private-key file. For example, add
the following line to the IDENTIFICATION. file if the name of your private-key
file (as generated by the SSH_KEYGEN utility) is ID_DSA_2048_A:
The IDENTIFICATION. file tells the client which private keys are available
for use in authenticating the server.
Using SSH_KEYGEN to Rename Public-Key Files
If you need multiple keys, use the SSH_KEYGEN utility to rename the
public key files to be used with a particular SSH server host. Rename the
public key files to file names in the following format: username-serverhostname.PUB.
Use the following format for the private key: username-serverhostname.
This convention makes it easier to copy designated public key files
to the appropriate server hosts. For example, assume that the public and private
key files have been either generated as or renamed to the file MEUSER-MYHOST_MYDOMAIN_COM.*.
Create a file called [username.SSH2]IDENTIFICATION. and
add a line that identifies the name of your private key. Add the following
line to the IDENTIFICATION. file:
For more information about the SSH_KEYGEN utility, see Chapter
Setting Up Public-Key Authentication on the Server
Set the value of the AllowedAuthentications parameter
in the server configuration file to include the word publickey.
Create the subdirectory [username.SSH2]
(if it does not exist).
Create the [username.SSH2]AUTHORIZATION.
Add entries to the [username.SSH2]AUTHORIZATION.
file as necessary. Each entry is a single line that identifies the user's
client public key file name. The format of the entry is:
For example, if the user's public key file name is MEUSER-MYHOST_MYDOMAIN_COM,
add the following line to the AUTHORIZATION. file:
Copy the public key file to the server in the user's [username.SSH2]
directory. Make sure the file is protected properly (/PROTECTION=(S:WRED,O:WRED,G:RE,W:R)).