SSH Tectia  

Client Configuration

The following steps assume that ClientUser is allowed to log in to Server as ServerUser using some other authentication method (usually password).

Keys Generated with ssh-keygen2

In order to set up user public-key authentication, do a manual setup according to the following instructions.

  1. To enable user public-key authentication on the client, make sure the AllowedAuthentications keyword in the ssh2_config file on Client contains the argument publickey:

    AllowedAuthentications   publickey 
    

    Other authentication methods can be listed in the configuration file as well.

  2. Create a key pair by executing ssh-keygen2 on Client.
    Client> ssh-keygen2
    Generating 2048-bit dsa key pair
       1 oOo.oOo.o
    Key generated.
    2048-bit dsa, user@Client, Wed Mar 22 2002 00:13:43 +0200
    Passphrase : 
    Again :
    Private key saved to  /home/user/.ssh2/id_dsa_2048_a
    Public key saved to   /home/user/.ssh2/id_dsa_2048_a.pub
    
    ssh-keygen2 asks for a passphrase for the new key. Enter a sufficiently long (20 characters or so) sequence of any characters (spaces are OK).

    ssh-keygen2 creates a .ssh2 directory in your home directory (if it is not already present), and stores your new authentication key pair in two separate files. One of the keys is your private key, which must never be made available to anyone but yourself. The private key can only be used together with the passphrase. In the example above, the private key file is id_dsa_2048_a. The other file, id_dsa_2048_a.pub, is your public key, which can be distributed to other computers.

    By default, ssh-keygen2 creates a DSA key pair. RSA keys can be generated by specifying the -t flag with ssh-keygen2.
    Client> ssh-keygen2 -t rsa    
    Generating 2048-bit rsa key pair
       2 oOo.ooOo.oOo
    Key generated.
    2048-bit rsa, user@Client, Wed May 02 2002 14:15:41 +0300
    Passphrase : 
    Again      : 
    Private key saved to /home/user/.ssh2/id_rsa_2048_a
    Public key saved to /home/user/.ssh2/id_rsa_2048_a.pub
    
  3. Create an identification file in your ~/.ssh2 directory on Client.
    Client> cd ~/.ssh2
    Client> echo "IdKey id_dsa_2048_a" > identification
    
    You now have an identification file which consists of one line that denotes the file containing your identification (your private key). For special applications, you can create multiple identifications by executing ssh-keygen2 again. However, this is not usually needed.

    Alternatively, you can specify the private key to use with the command-line option -K or the IdentityKeyFile configuration option in ssh2_config. If multiple keys are specified, the client first offers the keys specified with the option -K or IdentityKeyFile, and after that the keys in the identification file.
  4. Copy your public key (id_dsa_2048_a.pub) to your ~/.ssh2 directory on Server.
  5. Create an authorization file in your ~/.ssh2 directory on Server. Add the following line to the authorization file:
    Key     id_dsa_2048_a.pub
    
    This directs SSH Tectia Server to use id_dsa_2048_a.pub as a valid public key when authorizing your login. If you want to log in to Server from other hosts, create a key pair on the hosts (steps 1 and 2) and repeat steps 3, 4, and 5 on Server. (Remember to specify a different file name for each key pair.)
  6. Now you should be able to log in to Server from Client using SSH Tectia Client. Try to log in:
    Client> ssh Server
    Passphrase for key "/home/user/.ssh2/id_dsa_2048_a"
    with comment "2048-bit dsa, created by user@Client
    Wed Mar 22 2002 00:13:43 +0200":
    
    After you have entered the passphrase of your private key, a Secure Shell connection will be established.
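
The following check is an added example, not part of the SSH Tectia documentation: a POSIX shell function that audits a .ssh2 directory after steps 2 to 5, verifying that every IdKey and Key entry names an existing file, that private keys are accessible only to their owner, and that the authorization file cannot be modified by other users. The function and helper names are hypothetical, and file names in identification and authorization are assumed to be relative to the .ssh2 directory unless they start with "/".

```shell
#!/bin/sh
# Added example (not from the Tectia documentation): audit a ~/.ssh2-style
# directory. Assumption: names in identification/authorization are relative
# to that directory unless they start with "/".
# Prints one line per finding; the return status is the number of findings.

resolve() { case $2 in /*) echo "$2" ;; *) echo "$1/$2" ;; esac; }

# Permission string from ls -l: characters 5-10 are the group and other bits.
group_other_bits() { ls -ld "$1" | cut -c5-10; }

audit_ssh2_dir() {
    dir=$1
    findings=0
    finding() { echo "FINDING: $*"; findings=$((findings + 1)); }

    # identification: one "IdKey <private-key-file>" per line (client side).
    if [ -f "$dir/identification" ]; then
        while read -r kw name rest || [ -n "$kw" ]; do
            [ "$kw" = "IdKey" ] || continue
            key=$(resolve "$dir" "$name")
            if [ ! -f "$key" ]; then
                finding "identification names missing private key: $name"
            elif [ "$(group_other_bits "$key")" != "------" ]; then
                finding "private key accessible to group/other: $name"
            fi
        done < "$dir/identification"
    fi

    # authorization: one "Key <public-key-file>" per line (server side).
    if [ -f "$dir/authorization" ]; then
        # Anyone who can write this file can authorize a key of their own.
        case $(group_other_bits "$dir/authorization") in
            ?w????|????w?) finding "authorization is writable by group/other" ;;
        esac
        while read -r kw name rest || [ -n "$kw" ]; do
            [ "$kw" = "Key" ] || continue
            [ -f "$(resolve "$dir" "$name")" ] ||
                finding "authorization names missing public key: $name"
        done < "$dir/authorization"
    fi
    return "$findings"
}
```

Call it as `audit_ssh2_dir "$HOME/.ssh2"` on Client and again on Server; a return status of 0 means no findings.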

Using Keys Generated with OpenSSH

SSH Tectia Client and Server can use keys generated with OpenSSH.

The OpenSSH keys can be configured the same way as described above in steps 3-5 for keys generated with ssh-keygen2.

If the user has an existing OpenSSH authorized_keys file, the ssh-keygen2 tool can be used to import the OpenSSH authorized_keys file and to configure the authorization file, for example:

    SERVER> ssh-keygen2 --import-ssh1-authorized-key \
                $HOME/.ssh/authorized_keys $HOME/.ssh2/authorization

    Imported key /home/user/.ssh/authorized_keys:1 to /home/user/imported-437b1a07-1.pub and added to authorization file /home/user/.ssh2/authorization
    Imported key /home/user/.ssh/authorized_keys:2 to /home/user/imported-437b1a07-2.pub and added to authorization file /home/user/.ssh2/authorization

Alternatively, the administrator of SSH Tectia Server may enable AuthorizedKeysFile in the server configuration file /etc/ssh2/sshd2_config, for example as follows:

    AuthorizedKeysFile %D/.ssh/authorized_keys

SSH Tectia Server will check the defined AuthorizedKeysFile in addition to the user's AuthorizationFile (by default authorization). Note that the AuthorizationFile has precedence over AuthorizedKeysFile if the same key is defined in both.

Keys Generated with ssh-keygen1

SSH Tectia Server enables the use of keys generated with ssh-keygen1. However, the keys must be converted from the SSH1 format to SSH2 format.

    $ ssh-keygen2 -1 <keyname>.pub
    Successfully converted public key to <keyname>.pub_ssh2
    $ ssh-keygen2 -1 <keyname>
    Passphrase :
    Successfully converted private key to <keyname>_ssh2


Copyright © 2010 SSH Communications Security Corp.