SSH public key authentication on Mac OS X

One of OpenSSH’s great features is ssh public key authentication. For those of you who are as lazy as I am, and don’t want to type in and remember all kinds of different passwords for different hosts, it is the solution.

I’m not going to explain here what public key authentication is and why you would want to use it for increased security. If you want to know (and you should), just read Dave Aaldering’s SSH with Keys HOWTO. What I am going to explain is how to get it to work seamlessly on Mac OS X.

First, I’m going to explain how to get the authentication to work in a client/server configuration. If you already know how to do this, and are just interested in the Mac OS X specific part, skip to the end :)

Key generation and exchange

Since Mac OS X is just like any other UNIX, this should be basic knowledge.

Generating keys for the client (your Mac)

client:~ user$ mkdir ~/.ssh         # if it doesn't exist
client:~ user$ chmod 700 ~/.ssh
client:~ user$ ssh-keygen -q -f ~/.ssh/id_rsa -t rsa
Enter passphrase (empty for no passphrase): …
Enter same passphrase again: …

This will generate a public/private key pair. Needless to say, the private key (~/.ssh/id_rsa) should be kept private at all times, and the public key (~/.ssh/id_rsa.pub) is meant for distribution. Let’s do that right now.

Distributing the key to the server

In my example, the server is a Linux system. Any other UNIX running OpenSSH will do fine.

First, we copy the key from your Mac to the server using SCP:

client:~ user$ scp ~/.ssh/id_rsa.pub user@server.example.com:~

This will put the key in your home directory on the server.

Next, we SSH to the server, and add our key to the list of authorized keys:

user@server:~$ mkdir ~/.ssh       # if it doesn't exist
user@server:~$ chmod 700 ~/.ssh
user@server:~$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
user@server:~$ chmod 600 ~/.ssh/authorized_keys
user@server:~$ rm ~/id_rsa.pub

Now we have basic public key authentication working. Test it by typing in (on the client):

client:~ user$ ssh -o PreferredAuthentications=publickey server.example.com

You should be prompted for your key’s passphrase (not your password on the server) and it should work :)
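The server-side steps above (create ~/.ssh, append the key to authorized_keys, fix the modes) as one idempotent shell function, so running it twice, or with a copy of the same key under a different comment, does not produce duplicate entries. This is an added example, not code from the original post; the function names and the sample key are constructed, and it assumes an OpenSSH-style authorized_keys file and a find(1) that supports -prune and -perm.

```shell
#!/bin/sh
# Added example (not from the original post): the manual
# "cat ~/id_rsa.pub >> ~/.ssh/authorized_keys" step, done idempotently and
# with the modes that sshd's StrictModes expects before it trusts the file.
# Function names are constructed for this example.

# Does PATH have exactly MODE (e.g. 0700)? Works on both macOS and Linux.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# install_pubkey KEYFILE [HOMEDIR]: append one public key to
# HOMEDIR/.ssh/authorized_keys unless the same key is already present.
# Prints "added" or "present"; returns 1 if KEYFILE is not a valid key line.
install_pubkey() {
    keyfile="$1"; home_dir="${2:-$HOME}"
    ssh_dir="$home_dir/.ssh"; auth_keys="$ssh_dir/authorized_keys"

    # Use only the first line and insist it looks like "<type> <base64> [comment]".
    key=$(head -n 1 "$keyfile")
    printf '%s\n' "$key" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ssh-dss|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/]+=*( .*)?$' ||
        { echo "not an OpenSSH public key line: $keyfile" >&2; return 1; }

    # Same layout and modes as the manual steps: 700 on ~/.ssh, 600 on the file.
    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"

    # Compare on type + key blob only, so a different comment is not a "new" key.
    key_id=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if awk -v id="$key_id" '($1 " " $2) == id { found = 1 } END { exit !found }' "$auth_keys"; then
        echo present
    else
        printf '%s\n' "$key" >> "$auth_keys"
        echo added
    fi
}

# check_auth_perms HOMEDIR: succeeds when ~/.ssh is 0700 and authorized_keys
# is 0600, the combination the chmod steps above produce.
check_auth_perms() {
    has_mode "$1/.ssh" 0700 && has_mode "$1/.ssh/authorized_keys" 0600
}
```

Run it on the server as `install_pubkey ~/id_rsa.pub` after the scp step; `check_auth_perms "$HOME"` is a quick way to confirm the modes before blaming the key when login still asks for a password.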

Integrating into Mac OS X

Having verified that the previous steps worked, we’ve reached a situation where, instead of a different password for each host, you type one passphrase for every new connection. While this certainly is a nice improvement, it still isn’t that easy to use.

Fortunately, Mac OS X already has a great feature for managing your keys: the keychain. The next step is to get this keychain to keep our SSH keys as well.

First, download and install SSHKeychain. This nifty little tool will act as a gateway to Mac OS X’s keychain.

Next, run SSHKeychain, and go into its preferences. In the “Environment” tab, check the “Manage (and modify) global environment variables” tickbox. This is required so that ssh can find the application later.

In the “SSH Keys” tab, ensure the location of the private key you generated above is listed (/Users/yourname/.ssh/id_rsa).

For extra convenience, add SSHKeychain to your Login Items. Open “System Preferences”, go to “Accounts” and open the “Login Items” tab.

You will now have to log out and back in for the global variables to take effect. From then on, SSHKeychain will pop up every time you SSH to a server that has your public key!

As a final step, you can fine-tune Mac OS X’s keychain settings for extra security.

One Response to “SSH public key authentication on Mac OS X”

  1. Tony Mann says:

    Having read about 20 other posts, yours was the first one to carefully explain what authorized_keys was and where it goes. Thank you!