Editing
SSH:Authorized Keys
(section)
Jump to navigation
Jump to search
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
=== Setting up an authorized_keys file === Once you've created your key pair, you can insert the public half of it into your authorized_keys file on computer "X". A client on computer "Y" that knows the private key can then authenticate to your account on computer "X". So, on the machine you want to log into, you should add a line to your <code>~/.ssh/authorized_keys</code> file that contains exactly the single line that was created in the <code>filename.pub</code> file (for whatever choice of "filename" you made). For example, we might wind up with a <code>.ssh/authorized_keys</code> file that looks like: <pre> ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAybmcqaU/Xos/GhYCzkV+kDsK8+A5OjaK 5WgLMqmu38aPo56Od10RQ3EiB42DjRVY8trXS1NH4jbURQPERr2LHCCYq6tHJYfJNhUX /COwHs+ozNPE83CYDhK4AhabahnltFE5ZbefwXW4FoKOO+n8AdDfSXOazpPas8jXi5bE wNf7heZT++a/Qxbu9JHF1huThuDuxOtIWl07G+tKqzggFVknM5CoJCFxaik91lNGgu2O TKfY94c/ieETOXE5L+fVrbtOh7DTFMjIYAWNxy4tlMR/59UVw5dapAxH9J2lZglkj0w0 LwFI+7hZu9XvNfMKMKg+ERAz9XHYH3608RL1RQ== This comment describes the key </pre> except that I have deliberately split the single long line to make it more readable. <h3>Making an ssh connection using a private key</h3> On the machine you want to log in <em>from</em> you would run <pre> slogin -i ~/.ssh/filename remotehost </pre> (for appropriate values of "filename" and "remotehost") thus telling slogin to look in the private key file. The connection would then be made without any further authentication being necessary (although <code>slogin</code> would prompt for a passphrase if the private key were protected by one. <h3>authorized_keys: restricting access</h3> What we have described above allows any remote host where the private key is known to make any kind of ssh connection (login, remote command execution, port forwarding, etc.) to the computer on which the <code>authorized_keys</code>. There are a number of things that can be done in an authorized_keys to further restrict access. These are all arranged by prefixing the line containing the public key by a single "phrase" of comma-separated options (see below for an example of what this winds up looking like) <h4>Host access list</h4> If the options phrase at the beginning of a line contains the keyword <code>from="string"</code> this restricts the use of the key on that line to sessions that originate from hosts that match <code>"string"</code>. Examples might be <pre> from="trusted.eng.cam.ac.uk" from="*.eng.cam.ac.uk,!untrusted.eng.cam.ac.uk" from="tw?00.eng.cam.ac.uk" </pre> The hostname used will need to be the hostname reported when the IP (network) address of the connecting machine is looked up in the DNS. The <code>*</code> wildcard matches one or more characters, while the <code>?</code> wildcard matches a single character. If the connecting hostname matches an entry prefixed by '!', then it will be rejected. <h4>Forced command</h4> If the options phrase at the beginning of a line contains the keyword <code>command="string"</code>, then any ssh connection that authenticates using that particular key will <em>only</em> run the command specified, even if the command line it was given specified another command. <h4>Other options</h4> Various ssh facilities may be suppressed by adding the following options to the options phrase at the beginning of a line: <pre> no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty </pre> When heavily restricting an ssh key in circumstances where entirely automated remote connections are desired, it is generally a good idea to apply all of these options unless the command being run actually needs one of these facilities. <h4>Example authorized_keys file</h4> This example file has two entries. Note that there is no whitespace in the list of options; they are separated by commas, and strings are double-quoted (eg in the argument to <code>from=</code>). <pre> # # comments are ignored in authorized_keys files # from="trusted.eng.cam.ac.uk",no-port-forwarding,no-pty ssh-rsa AAAAB 3NzaC1yc2EAAAABIwAAAQEAybmcqaU/Xos/GhYCzkV+kDsK8+A5OjaK5WgLMqmu38aPo 56Od10RQ3EiB42DjRVY8trXS1NH4jbURQPERr2LHCCYq6tHJYfJNhUX/COwHs+ozNPE8 3CYDhK4AhabahnltFE5ZbefwXW4FoKOO+n8AdDfSXOazpPas8jXi5bEwNf7heZT++a/Q xbu9JHF1huThuDuxOtIWl07G+tKqzggFVknM5CoJCFxaik91lNGgu2OTKfY94c/ieETO XE5L+fVrbtOh7DTFMjIYAWNxy4tlMR/59UVw5dapAxH9J2lZglkj0w0LwFI+7hZu9XvN fMKMKg+ERAz9XHYH3608RL1RQ== This comment describes key #1 # # this one should be restricted so that only machines with hostnames # matching *.eng.cam.ac.uk can use it. # from="*.eng.cam.ac.uk",no-X11-forwarding,noagent-forwarding ssh-rsa AAAAC4MybC1yc2EAAAABIwAAAQEAybmcqaU/Xos/GhYCzkV+kDsK8+A5OjaK5WgLMqm u38aPo56Od10RQ3EiB42DjRVY8trXS1NH4jbURQPERr2LHCCYq6tHJYfJNhUX/COwHs +ozNPE83CYDhK4AhabahnltFE5ZbefwXW4FoKOO+n8AdDfSXOazpPas8jXi5bENf7he ZT++a/Qxbu9JHF1huThuDuxOtIWl07G+tKqzggFVknM5CoJCFxaik91lNGgu2OTKfY9 4c/ieETOXE5L+fVrbtOh7DTFMjIYAWNxy4tlMR/59UVw5dapAxH9J2lZglkj0w0LwFI +7hZu9XvNfMKMKg+ERAz9XHYH3608RL1RQ== This comment describes key #2 </pre> Note that in reality, such a file would only have two uncommented lines, both of them very long. <h3>If it doesn't work</h3> There are a number of reasons why key authentication might not work. <h4>Wrong keys</h4> First, check that you really have put the matching public key in the <code>~/.ssh/authorized_keys</code> file on the machine you're trying to connect <em>to</em>, and that you're telling your ssh client about the correct private key using the <code>-i</code> argument. <h4>Keys the wrong way round</h4> The public key goes in the destination host's <code>~/.ssh/authorized_keys</code> file. The private key is needed on the machine you're running ssh or slogin from. <h4>File permissions</h4> Some clients and servers are very picky about file permissions on their configuration files. Among possible objections they may have are: <ul> <li>a key file being writable by anyone other than the user (eg group-writable) <li>a private key file being readable by anyone other than the user. </ul> <h4>Wrong ssh protocol version</h4> Most ssh clients and servers support both v1.5 and v2 of the ssh protocol. Sometimes, however, they'll both decide to prefer v1.5 even though they both support v2. In such cases, your ssh-rsa key (which is v2 compliant) won't work. <em>Solution</em>: Force v2 by using the <code>-2</code> flag to ssh or slogin <pre> ssh -2 -i ~/.ssh/my_private_key remotemachine </pre> <h4>failure to use the right authentication mechanisms</h4> The client can be configured to request particular authentication mechanisms in a particular order. A non-standard local configuration file can therefore potentially lead the client to prompt for a password before in a particular ordera successful keybased authentication can occur. The following options passed to ssh or slogin should compel the client to only offer/try the key-based authentication mechanism only: <pre> ssh -2 -i ~/.ssh/my_private_key \ -o 'PasswordAuthentication no' \ -o 'ChallengeResponseAuthentication no' \ -o 'PreferredAuthentications publickey' \ remotemachine </pre>
Summary:
Please note that all contributions to NodeSpace Wiki may be edited, altered, or removed by other contributors. If you do not want your writing to be edited mercilessly, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource (see
NodeSpace Wiki:Copyrights
for details).
Do not submit copyrighted work without permission!
Cancel
Editing help
(opens in new window)
Navigation menu
Personal tools
Not logged in
Talk
Contributions
Create account
Log in
Namespaces
Page
Discussion
English
Views
Read
Edit
Edit source
View history
More
Navigation
Main page
Recent changes
Random page
Official Support
Submit Ticket
Knowledge Base
Documentation
Knowledge Spotlight
Tools
Tools
What links here
Related changes
Special pages
Page information