One of OpenSSH’s great features is ssh public key authentication. For those of you who are as lazy as I am, and don’t want to type in and remember all kinds of different passwords for different hosts, it is the solution.
I’m not going to explain here what public key authentication is and why you would want to use it for increased security. If you want to know (and you should), just read Dave Aaldering’s SSH with Keys HOWTO. What I am going to explain, is how to get it to work seamlessly on Mac OS X.
First, I’m going to explain how to get the authentication to work in a client/server configuration. If you already know how to do this, and are just interested in the Mac OS X specific part, skip to the end :)
Key generation and exchange
Since Mac OS X is just like any other UNIX, this should be basic knowledge.
Generating keys for the client (your Mac)
client:~ user$ mkdir ~/.ssh # if it doesn't exist
client:~ user$ chmod 700 ~/.ssh
client:~ user$ ssh-keygen -q -f ~/.ssh/id_rsa -t rsa
Enter passphrase (empty for no passphrase): …
Enter same passphrase again: …
This will generate a public/private key pair. Needless to say, the private key (~/.ssh/id_rsa) should be kept private at all times, and the public key (~/.ssh/id_rsa.pub) is meant for distribution. Let’s do that right now.
Distributing the key to the server
In my example, the server is a Linux system. Any other UNIX running OpenSSH will do fine.
First, we copy the key from your Mac to the server using SCP:
client:~ user$ scp ~/.ssh/id_rsa.pub email@example.com:~
This will put the key in your home directory on the server.
Next, we SSH to the server, and add our key to the list of authorized keys:
user@server:~$ mkdir ~/.ssh # if it doesn't exist
user@server:~$ chmod 700 ~/.ssh
user@server:~$ cat ~/id_rsa.pub >> ~/.ssh/authorized_keys
user@server:~$ chmod 600 ~/.ssh/authorized_keys
user@server:~$ rm ~/id_rsa.pub
Now we have basic public key authentication working. Test it by typing in (on the client):
client:~ user$ ssh -o PreferredAuthentications=publickey server.example.edu
You should be prompted for your passphrase and it should work :)
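The `cat >> authorized_keys` step above appends the key blindly, so running it twice leaves a duplicate entry, and sshd (with StrictModes on, the default) silently ignores an authorized_keys file whose permissions are too loose. The following shell functions are an added example, not part of the original post: `install_pubkey` appends a key only if its key material is not already present, and `check_ssh_perms` verifies the directory and file modes the steps above set. Function names are my own; the key file in the test is constructed.

```shell
#!/bin/sh
# Print the octal mode of a path (GNU stat on Linux, BSD stat on Mac OS X).
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Append the public key in $1 to the authorized_keys file $2 unless its key
# material (type + base64; the trailing comment is ignored) is already there.
# Assumes plain "type base64 comment" lines without an options prefix.
# Prints 'added' or 'present'.
install_pubkey() {
    pub="$1"; auth="$2"
    keydata=$(awk '{print $1, $2}' "$pub")
    [ -n "$keydata" ] || { echo "empty key file: $pub" >&2; return 1; }
    # Create ~/.ssh as 700 and authorized_keys as 600 via umask, in a subshell
    # so the caller's umask is untouched.
    ( umask 077; mkdir -p "$(dirname "$auth")"; touch "$auth" )
    if awk -v k="$keydata" '($1 " " $2) == k { found = 1 } END { exit !found }' "$auth"; then
        echo present
    else
        cat "$pub" >> "$auth"
        echo added
    fi
}

# Return 0 when the .ssh directory $1 is mode 700 and its authorized_keys is
# 600 or 644, i.e. not writable by group or others as sshd's StrictModes requires.
check_ssh_perms() {
    sshdir="$1"
    [ "$(file_mode "$sshdir")" = "700" ] || return 1
    case "$(file_mode "$sshdir/authorized_keys")" in
        600|644) return 0 ;;
        *) return 1 ;;
    esac
}
```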
Integrating into Mac OS X
Having verified that the previous steps work, you now type a single passphrase for every new connection instead of a different password for every host. While this certainly is a nice improvement, it still isn’t that easy to use.
Fortunately, Mac OS X already has a great feature for managing your keys: the keychain. The next step is to get this keychain to keep our SSH keys as well.
First, download and install SSHKeychain. This nifty little tool will act as a gateway to Mac OS X’s keychain.
Next, run SSHKeychain, and go into its preferences. In the “Environment” tab, check the “Manage (and modify) global environment variables” tickbox. This is required for ssh to be able to find the application later.
In the “SSH Keys” tab, ensure the private key you generated earlier is listed as a Key Location (the example shows /Users/yourname/.ssh/id_dsa; if you followed the steps above, it is /Users/yourname/.ssh/id_rsa).
For extra convenience, add SSHKeychain to your Login Items. Open “System Preferences”, go to “Accounts” and open the “Login Items” tab.
You will now have to log out and back in, so that the global variables take effect and SSHKeychain pops up every time you SSH to a server that has your public key!
As a final step, you can fine-tune Mac OS X’s keychain settings for extra security.