SSH with PKI Authentication




This document describes how to configure the Linux sshd for public/private key authentication with PuTTY's remote console. It does not explain the background but gives a straightforward route to success.


Creating the Keys - Serverside

For demonstration purposes we use the RSA algorithm. You may use the same syntax for DSA.

Log in as root on your server.

[root@server ~]# ssh-keygen -t rsa
Enter file in which to save the key :   yourname_rsa
Enter passphrase (empty for no passphrase):    ENTER A PASSPHRASE!!
Enter same passphrase again:                   ENTER A PASSPHRASE!!
Your identification has been saved in yourname_rsa
Your public key has been saved in 
The key fingerprint is: 

Please check whether the directory /etc/ssh/.ssh exists. If not, create it and chmod it to 700.

[root@server ~]# cat >> /etc/ssh/.ssh/authorized_keys

Unfortunately sshd uses a file, not a directory, for the public keys, so we have to add the key to this standard file.


Creating the Keys - Clientside

Copy yourname_rsa (the private key) to your client. Grab the attached PuTTY and WinSCP package. (You may use this remote directory on a USB stick; sessions can be stored on the stick and not in the client's registry.)

With the attached puttygen.exe, import yourname_rsa and save it as yourname_rsa.ppk.

NOW the key is ready to use with PuTTY and WinSCP.


The sshd_config File

Please use this preconfigured sshd_config file for /etc/ssh. Rename the original file to sshd_config.SRC and KEEP IT.

The configs:

Restart your sshd (on Red Hat systems with service sshd restart).

Connect with PuTTY and supply your private key.
If authentication is possible:

login as: root
Authenticating with public key "imported-openssh-key"
Passphrase for key "imported-openssh-key":

When logged in, change the settings in /etc/ssh/sshd_config to:

#PasswordAuthentication yes
PasswordAuthentication no

# UsePAM yes
UsePAM no

Restart the sshd with service sshd restart.

Congratulations - you are done.
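
The two things this procedure depends on (a mode-700 key directory holding authorized_keys, and password login really being switched off) can be checked before each restart. The script below is an added example, not part of the original document; its function names are made up for illustration, and it only reads the files it is given.

```shell
#!/bin/sh
# Added example, not from the original document. Function names are illustrative.

# Print the effective global value of KEYWORD in an sshd_config FILE.
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive. Lines from the first "Match" on are conditional and ignored.
# Simplification: only the plain "Keyword value" form is parsed.
effective_value() {   # usage: effective_value FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }          # comment or blank line
        tolower($1) == "match" { exit }         # stop at conditional blocks
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }           # keyword absent: built-in default
    ' "$1"
}

# Succeed only if both settings from the last step are in effect.
# OpenSSH defaults when a keyword is absent: PasswordAuthentication yes, UsePAM no.
password_login_disabled() {   # usage: password_login_disabled FILE
    [ "$(effective_value "$1" PasswordAuthentication yes)" = "no" ] &&
    [ "$(effective_value "$1" UsePAM no)" = "no" ]
}

# Succeed only if DIR is a directory with mode exactly 700 and its
# authorized_keys file exists and is not writable by group or others.
key_store_ok() {   # usage: key_store_ok DIR
    [ -f "$1/authorized_keys" ] || return 1
    [ -n "$(find "$1" -prune -type d -perm 700)" ] || return 1
    [ -n "$(find "$1/authorized_keys" -prune ! -perm -020 ! -perm -002)" ]
}

# Run as: sh check.sh /etc/ssh/sshd_config /etc/ssh/.ssh
if [ "$#" -eq 2 ]; then
    if password_login_disabled "$1"; then
        echo "password login: disabled"
    else
        echo "password login: STILL ENABLED (or PAM is on)"
    fi
    if key_store_ok "$2"; then
        echo "key store: ok"
    else
        echo "key store: check directory mode and authorized_keys"
    fi
fi
```

Because the first occurrence of a keyword wins, an uncommented PasswordAuthentication yes left higher up in the file keeps password login enabled even after PasswordAuthentication no is added below it. Running sshd -t before the restart additionally catches syntax errors in the file.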

