Public key authentication
In public key authentication, the scheme is based on public key cryptography, using cryptosystems where encryption and decryption are done using separate keys, and it is not feasible to derive the decryption key from the encryption key. Each user creates a public/private key pair for authentication purposes. The server knows the public key, and only the user knows the private key. ssh implements the public key authentication protocol automatically, using one of the following algorithms: RSA, DSA or ECDSA. Protocol version 1 is restricted to using only RSA keys, but protocol version 2 can use any of them.
The ~/.ssh/authorized_keys file lists the public keys that are permitted for logging in. When the user logs in, ssh tells the server which key pair it would like to use for authentication. The client proves that it has access to the private key and the server checks that the corresponding public key is authorized to accept the account.
One method of creating a key pair is by running ssh-keygen. This action stores the private key in ~/.ssh/identity (protocol version 1), ~/.ssh/id_dsa (protocol version 2 DSA), ~/.ssh/id_ecdsa (protocol version 2 ECDSA), or ~/.ssh/id_rsa (protocol version 2 RSA) and stores the public key in ~/.ssh/identity.pub (protocol version 1), ~/.ssh/id_dsa.pub (protocol version 2 DSA), ~/.ssh/id_ecdsa.pub (protocol version 2 ECDSA), or ~/.ssh/id_rsa.pub (protocol version 2 RSA) in the user's home directory. The user then copies the public key to the ~/.ssh/authorized_keys file in the home directory on the remote machine. The authorized_keys file corresponds to the conventional ~/.rhosts file, and has one key per line, though the lines can be very long. After this, the user can log in without giving the password.
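Because authorized_keys is the list of keys the server will accept, it is worth auditing what actually ends up in it. The following is an added example, not code from this documentation or from the OpenSSH project: it parses each line in the one-key-per-line format described above (optional options field, key type, base64 blob, optional comment), decodes the blob in the OpenSSH public-key wire format (a length-prefixed type string followed by the key material) to confirm the declared type matches the blob, and reports the RSA modulus size. The 2048-bit threshold, the helper names, and the sample lines (built from dummy moduli that are not real keys) are all assumptions of this example.

```python
"""Audit an OpenSSH authorized_keys file (added example, not from the page).

Each non-comment line is:  [options] key-type base64-blob [comment]
The blob's first SSH wire-format 'string' repeats the key type, so a declared
type that disagrees with the blob marks a malformed or tampered entry.
"""
import base64
import struct

# Wire names for the key types the page names: RSA, DSA and ECDSA.
KNOWN_TYPES = {"ssh-rsa", "ssh-dss", "ecdsa-sha2-nistp256",
               "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}
MIN_RSA_BITS = 2048  # assumed local policy, not a value from the page


def _read_string(blob, off):
    """Read one SSH 'string': 4-byte big-endian length, then that many bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    if off + n > len(blob):
        raise ValueError("truncated string body")
    return blob[off:off + n], off + n


def _split_fields(line):
    """Split on whitespace but keep double-quoted runs (e.g. command="a b") intact."""
    fields, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch.isspace() and not quoted:
            if cur:
                fields.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        fields.append("".join(cur))
    return fields


def _is_key_type(token):
    return token.startswith(("ssh-", "ecdsa-"))


def parse_authorized_key(line):
    """Parse one line; None for blank/comment lines, ValueError if malformed."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = _split_fields(line)
    if len(fields) >= 2 and _is_key_type(fields[0]):
        options, ktype, blob_b64, rest = None, fields[0], fields[1], fields[2:]
    elif len(fields) >= 3 and _is_key_type(fields[1]):
        options, ktype, blob_b64, rest = fields[0], fields[1], fields[2], fields[3:]
    else:
        raise ValueError("not an authorized_keys entry")
    blob = base64.b64decode(blob_b64, validate=True)  # binascii.Error is a ValueError
    embedded, off = _read_string(blob, 0)
    if embedded.decode("ascii", "replace") != ktype:
        raise ValueError(f"declared {ktype} but blob encodes {embedded!r}")
    bits = None
    if ktype == "ssh-rsa":  # blob = string "ssh-rsa", mpint e, mpint n
        _e, off = _read_string(blob, off)
        n_bytes, off = _read_string(blob, off)
        bits = int.from_bytes(n_bytes, "big").bit_length()
    return {"options": options, "type": ktype, "bits": bits,
            "comment": " ".join(rest) or None}


def audit_authorized_keys(text, min_rsa_bits=MIN_RSA_BITS):
    """Return (line_no, status, detail) per key line: ok, weak-rsa, unknown-type or invalid."""
    findings = []
    for num, raw in enumerate(text.splitlines(), 1):
        try:
            entry = parse_authorized_key(raw)
        except ValueError as exc:
            findings.append((num, "invalid", str(exc)))
            continue
        if entry is None:
            continue
        if entry["type"] not in KNOWN_TYPES:
            findings.append((num, "unknown-type", entry["type"]))
        elif entry["type"] == "ssh-rsa" and entry["bits"] < min_rsa_bits:
            findings.append((num, "weak-rsa", f"{entry['bits']}-bit modulus"))
        else:
            findings.append((num, "ok", entry["type"]))
    return findings


# --- constructed sample data: dummy moduli of the right size, NOT real keys ---
def _mpint(x):
    size = (x.bit_length() + 8) // 8  # leaves room for a leading 0x00 sign byte
    return struct.pack(">I", size) + x.to_bytes(size, "big")


def make_rsa_blob(e, n):
    """Base64 OpenSSH public-key blob: string "ssh-rsa", mpint e, mpint n."""
    body = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return base64.b64encode(body).decode()


GOOD_RSA = make_rsa_blob(65537, (1 << 2047) | 1)   # 2048-bit dummy modulus
WEAK_RSA = make_rsa_blob(65537, (1 << 1023) | 1)   # 1024-bit dummy modulus
SAMPLE = "\n".join([
    "# constructed sample authorized_keys",
    f"ssh-rsa {GOOD_RSA} alice@host",
    f'command="/usr/bin/backup",no-pty ssh-rsa {WEAK_RSA} backup key',
    f"ssh-dss {GOOD_RSA} type does not match blob",
    "not a key line at all",
])

if __name__ == "__main__":
    for num, status, detail in audit_authorized_keys(SAMPLE):
        print(f"line {num}: {status} ({detail})")
```

Run against a real file with `audit_authorized_keys(open(path).read())`; anything reported as `invalid` is a line sshd would either reject or, worse, interpret differently than the administrator intended, and `weak-rsa` lines are candidates for rotation.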
Another method of creating a key pair is by using digital certificates associated with a SAF key ring, either real or virtual. See Steps for setting up user authentication when using key rings to store keys for more information about using SAF key rings to manage your keys.
A variation on public key authentication is available in the form of certificate authentication: instead of a set of public/private keys, signed certificates are used. This has the advantage that a single trusted certification authority can be used in place of many public/private keys. See Certificates for more information.
The most convenient way to use public key or certificate authentication might be with an authentication agent. See ssh-agent for more information.