HP OpenVMS Systems Documentation

Content starts here

Setting Up Public-Key Authentication

  Table of Contents

  Glossary

  Index

Public-key authentication requires the following configuration actions on the client and server host sides of the connection.

  1. Create public-private key pairs on the client host.

  2. Install your public key in your accounts on all server hosts to which you want to connect. Your user account on each server host might have many public keys for accessing it in different ways.

Setting Up Public-Key Authentication on the Client

  1. Edit the client configuration file by setting the value of the AllowedAuthentications keyword to include the word publickey. For example:

    AllowedAuthentications publickey, password

  2. From the user account, run the SSH_KEYGEN utility, as described in Chapter 7. This action creates the public private key file. The default public key file name is [username.SSH2]ID_DSA_2048_A.

    The file contains your private key, which you must protect so that only you can access it. To protect the file, use the DCL command SET FILE/PROTECTION. For example:

    $ SET FILE/PROTECTION=(S,W,G,O:RW) ID_DSA_2048_A.

    The [username.SSH2]ID_DSA_2048_A.PUB file contains your public key, which you can copy to other hosts. Ensure that this file is available for world read access.

  3. Create a file named [username.SSH2]IDENTIFICATION. The IDENTIFICATION. file identifies your private-key file. For example, add the following line to the IDENTIFICATION. file if the name of your private-key file (as generated by the SSH_KEYGEN utility) is ID_DSA_2048_A:

    IdKey       ID_DSA_2048_A

    The IDENTIFICATION. file tells the client which private keys are available for use in authenticating the server.

Using SSH_KEYGEN to Rename Public-Key Files

If you need multiple keys, use the SSH_KEYGEN utility to rename the public key files to be used with a particular SSH server host. Rename the public key files to file names in the following format: username-serverhostname.PUB.

Use the following format for the private key: username-serverhostname.

This convention makes it easier to copy designated public key files to the appropriate server hosts. For example, assume that the public and private key files have been either generated as or renamed to the file MEUSER-MYHOST_MYDOMAIN_COM.*. Create a file called [username.SSH2]IDENTIFICATION. and add a line that identifies the name of your private key. Add the following line to the IDENTIFICATION. file:

IdKey MEUSER-MYHOST_MYDOMAIN_COM

For more information about the SSH_KEYGEN utility, see Chapter 7.

Setting Up Public-Key Authentication on the Server

  1. Set the value of the AllowedAuthentications parameter in the server configuration file to include the word publickey. For example:

    AllowedAuthentications publickey

  2. Create the subdirectory [username.SSH2] (if it does not exist).

  3. Create the [username.SSH2]AUTHORIZATION. file.

  4. Add entries to the [username.SSH2]AUTHORIZATION. file as necessary. Each entry is a single line that identifies the user's client public key file name. The format of the entry is:

    KEY username-hostname.PUB

    For example, if the user's public key file name is MEUSER-MYHOST_MYDOMAIN_COM, add the following line to the AUTHORIZATION. file:

    KEY MEUSER-MYHOST_MYDOMAIN_COM.PUB

  5. Copy the public key file to the server in the user's [username.SSH2] directory. Make sure the file is protected properly (/PROTECTION=(S:WRED,O:WRED,G:RE,W:R)).