KEY AUTHENTICATION
Mark Bradshaw
Last Updated March 27, 2002
-------------------------

NOTE:
-----
This information has not been updated for the newest versions of OpenSSH. It is out of date, and in parts incorrect. Please try setting up key authentication exactly as you would for a *nix machine, and only refer to this if that doesn't work.

Step 1: Key Generation:
-----------------------
Key authentication relies on a unique public/private key pair that you create for the user logging into the server. You do this using the ssh-keygen command packaged with OpenSSH on Windows. To use it, simply open a command prompt and type ssh-keygen -t rsa, ssh-keygen -t rsa1, or ssh-keygen -t dsa. If you get an error that the command is not recognized, then your PATH isn't set correctly to include the right directory. In that case either change to the [INSTALL DIRECTORY]\ssh directory and issue the command there, or modify your PATH to include that directory.

ssh-keygen will walk you through the process of creating the keys. It's best to allow it to save your key pair in your home directory, since the client will look for them there. If your home directory isn't set right you might get a bizarre path (like //.ssh). In this case please refer to the readme for instructions on correctly setting up your [INSTALL DIRECTORY]\etc\passwd file.

When it asks for a password, leave it empty. Otherwise you will have to enter that password every time you use the key, which is probably not what you want.

If it asks you to overwrite already existing keys, then you will probably want to cancel. If you already have a key pair created there's no need to create a new pair. Just use the ones that already exist.

The end result will be a public/private key pair saved in your [HOME DIRECTORY]\.ssh directory. For RSA/SSH1 keys you'll find a pair of files called identity and identity.pub. For DSA/SSH2 keys you'll find a pair of files called id_dsa and id_dsa.pub.

Step 2: Migrate the Public Key
-------------------------------
Next you need to get your public key to the server, in the correct location. Use ssh to connect to your server as the USER you will be logging in AS. When you log in you will be put into that user's home directory. The location where you need to place the public key is a subdirectory of your home directory called .ssh. This directory may or may not already exist. If it doesn't exist yet, create it. If you're on a Windows server you'll need to do this via the command line using the md command. Now, note this [HOME]\.ssh directory, since you'll be moving your public key into it.

Depending on your conditions you have many different options for moving the file. You might use Windows file sharing, or scp to move the file. Keep in mind a couple of things.

1) Only move the public key (ends in .pub). The private key should never leave the client computer.

2) If you're moving between Unix and Windows, watch for CR/LF conversion issues. Open the file on the server side and look for a ^M character at the end of the file. Remove it if it exists.

3) Don't remove your public key from your client. If you want to set up key authentication on another server you will need to use the same public key.

Step 3: Insert Key into Authorized_keys
-------------------------------------------
The public key must go into [HOME]\.ssh\authorized_keys. If this file already exists then append your public key to the end of it. If it doesn't exist then just rename your public key file to the correct authorized_keys file name.

Step 4: Fix the Passwd File
----------------------------
Note: This step may no longer be necessary in versions 3.0.1 and higher.

THIS STEP IS FOR OPENSSH ON WINDOWS SERVERS ONLY! Don't do this if you're setting up key authentication on a Unix server.

You need to modify the [INSTALL DIRECTORY]\etc\passwd file to fix a permissions issue. Find your server side username (not the client username) and change its UID to 0. If this doesn't work, try changing it to 500.

Step 5: Fix the Sshd_config File
---------------------------------
THIS STEP IS FOR OPENSSH ON WINDOWS SERVERS ONLY! Don't do this if you're setting up key authentication on a Unix server.

Add the following line to your [INSTALL DIRECTORY]\ssh\sshd_config:

StrictModes no

Step 6: Restart the Server
---------------------------
Note: This step may no longer be necessary in versions 3.0.1 and higher.

Again, this is for OpenSSH on Windows servers only. Stop the OpenSSHd service, kill any sshd.exe processes left, and restart the service.

Step 7: Rinse, Lather, Repeat
------------------------------
You can use the same key pair on other servers to enable key login on many servers. You don't need to recreate keys. In fact, if you do recreate your keys in the future it'll break any current key authentication that you have set up. Be careful of this.

Final Notes:
------------
You'll need to change permissions for the user's [HOME DIRECTORY]\.ssh directory so that only the user and SYSTEM have access to the files.

If you're doing key authentication from an SSH1 client only, then you'll need to edit the [INSTALL DIRECTORY]\ssh\sshd_config file so that the line reading:

RSAAuthentication No

reads

RSAAuthentication Yes

Also note that the public key will go in a file called authorized_keys, not authorized_keys2.

If you choose to use RSA keys you should change the Protocol line in sshd_config that is equal to "2" by default. Make it equal to "2,1" and restart the service.
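The following Python helper is an added example, not code from the original document or from the OpenSSH on Windows package. It performs Steps 2 and 3 on the server side the way the text describes them: it strips the ^M (carriage return) that a Windows/Unix copy can leave at the end of the .pub file, refuses to install anything that looks like private key material, appends to an existing authorized_keys rather than overwriting it, skips a key that is already present, and tightens permissions on the .ssh directory. The key type patterns, the constructed sample key, and the demo() function are assumptions of this example.

```python
"""Install a public key into authorized_keys (added example for Steps 2 and 3)."""
import os
import re
import tempfile
from pathlib import Path

# OpenSSH2 public key line: key type, base64 blob, optional comment (assumed set of types).
SSH2_PUBKEY = re.compile(
    r"^(ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-\S+)\s+[A-Za-z0-9+/=]+(\s+\S.*)?$"
)
# SSH1 identity.pub line: bits, exponent, modulus, optional comment.
SSH1_PUBKEY = re.compile(r"^\d+\s+\d+\s+\d+(\s+\S.*)?$")
PRIVATE_MARKERS = ("PRIVATE KEY",)  # PEM headers of OpenSSH private key files


def normalize_key(text: str) -> str:
    """Return a single clean public key line with any CR/LF residue removed."""
    if any(marker in text for marker in PRIVATE_MARKERS):
        # Item 1 in Step 2: the private key never leaves the client
        raise ValueError("refusing to install private key material")
    # Item 2 in Step 2: drop the ^M a Windows <-> Unix move may add
    line = text.replace("\r\n", "\n").replace("\r", "\n").strip()
    if "\n" in line:
        raise ValueError("expected exactly one public key line")
    if not (SSH2_PUBKEY.match(line) or SSH1_PUBKEY.match(line)):
        raise ValueError("not a recognised OpenSSH public key line")
    return line


def key_identity(line: str) -> tuple:
    """Fields that identify a key regardless of its trailing comment."""
    fields = line.split()
    # SSH1 lines start with the bit count; SSH2 lines start with the key type
    return tuple(fields[:3]) if fields[0].isdigit() else tuple(fields[:2])


def install_public_key(pubkey_text: str, ssh_dir: Path) -> bool:
    """Append the key to ssh_dir/authorized_keys; return False if it is already there."""
    key = normalize_key(pubkey_text)
    ssh_dir.mkdir(parents=True, exist_ok=True)
    auth = ssh_dir / "authorized_keys"
    existing = []
    if auth.exists():
        # Read bytes so a stray \r already in the file is seen and removed.
        raw = auth.read_bytes().decode("utf-8", errors="replace")
        existing = [l.strip() for l in raw.replace("\r", "").split("\n") if l.strip()]
    if any(key_identity(k) == key_identity(key) for k in existing if not k.startswith("#")):
        return False
    # Step 3: append, never overwrite; force LF endings even when run on Windows.
    with open(auth, "w", newline="\n") as fh:
        fh.write("\n".join(existing + [key]) + "\n")
    # Unix permissions; on Windows, set the ACL so only the user and SYSTEM have access.
    os.chmod(ssh_dir, 0o700)
    os.chmod(auth, 0o600)
    return True


def demo() -> dict:
    """Exercise the helper in a temporary directory with a constructed (not real) key."""
    ssh_dir = Path(tempfile.mkdtemp()) / ".ssh"
    key = "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA0 user@client\r\n"  # constructed sample
    first = install_public_key(key, ssh_dir)
    second = install_public_key(key.replace("\r\n", "\n"), ssh_dir)
    raw = (ssh_dir / "authorized_keys").read_bytes()
    try:
        install_public_key("-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n", ssh_dir)
        refused = False
    except ValueError:
        refused = True
    return {"added_first": first, "added_again": second,
            "has_cr": b"\r" in raw, "private_refused": refused}


if __name__ == "__main__":
    print(demo())
```

Duplicate detection compares the key material rather than the whole line, so re-running the helper with a .pub file whose comment was edited does not add a second copy. The permission calls cover the Final Notes on a Unix-style filesystem; on a Windows server the equivalent is an ACL restricted to the user and SYSTEM.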
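Step 5 and the Final Notes each ask for a hand edit of sshd_config (StrictModes no, RSAAuthentication Yes, Protocol 2,1). The Python function below is an added example, not part of the original document, that makes such an edit idempotently: it replaces an existing active line, inserts after a commented-out default if that is all there is, and otherwise appends. It also removes duplicate active lines, because sshd uses the first value it reads for a keyword, so a line appended below an existing one would silently have no effect. The sample configuration is constructed for the example; sshd_config keyword names are case-insensitive, which the matching honours.

```python
"""Idempotent sshd_config directive editing (added example for Step 5 and the Final Notes)."""
import re

# Constructed sample fragment; not taken from any real server.
SAMPLE_CONFIG = """# constructed sample sshd_config fragment
Port 22
Protocol 2
#StrictModes yes
RSAAuthentication No
PubkeyAuthentication yes
"""


def _directive_pattern(name: str) -> re.Pattern:
    # group 2 is present only when the line is commented out
    return re.compile(r"^(\s*)(#\s*)?" + re.escape(name) + r"\b(\s+.*)?$", re.IGNORECASE)


def get_directive(config_text: str, name: str):
    """Return the value sshd would use for `name` (first active line), or None."""
    pattern = _directive_pattern(name)
    for line in config_text.splitlines():
        m = pattern.match(line)
        if m and not m.group(2):
            return (m.group(3) or "").strip() or None
    return None


def set_directive(config_text: str, name: str, value: str) -> str:
    """Return config_text with exactly one active `name value` line."""
    pattern = _directive_pattern(name)
    out = []
    replaced = False
    commented_at = None
    for line in config_text.splitlines():
        m = pattern.match(line)
        if m and not m.group(2):
            if not replaced:
                out.append(f"{name} {value}")  # replace the first active line in place
                replaced = True
            continue  # drop any later duplicate; sshd would ignore it anyway
        if m and m.group(2) and commented_at is None:
            commented_at = len(out)  # remember where the commented default sits
        out.append(line)
    if not replaced:
        if commented_at is not None:
            out.insert(commented_at + 1, f"{name} {value}")
        else:
            out.append(f"{name} {value}")
    return "\n".join(out) + "\n"


def apply_windows_key_auth_edits(config_text: str) -> str:
    """Apply the three edits the document describes, in one pass."""
    cfg = set_directive(config_text, "StrictModes", "no")        # Step 5
    cfg = set_directive(cfg, "RSAAuthentication", "yes")          # Final Notes, SSH1 clients
    cfg = set_directive(cfg, "Protocol", "2,1")                   # Final Notes, RSA/SSH1 keys
    return cfg


if __name__ == "__main__":
    print(apply_windows_key_auth_edits(SAMPLE_CONFIG))
```

After editing, restart the service as in Step 6 so sshd re-reads the file; get_directive() is a convenient check that the value actually in effect is the one you intended.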