10.5: Use public keys with SSH in 10.5
Leopard now has built-in support for SSH authentication with public keys.

Just open Terminal and ssh to your public-key-enabled server. A Keychain window appears, prompting you for the passphrase and then remembering it in your keychain.

Just great!

Authored by: elracs on Nov 05, '07 04:25:00PM

I have tried this a few times between my iMac and Powerbook (both directions) and have not gotten this to work. Perhaps I'm missing something.

Authored by: VirtualWolf on Nov 05, '07 04:44:29PM

Aye, I'm unsure of what causes this to happen too. I haven't managed to get that prompt.

Authored by: lincd0 on Nov 05, '07 09:54:13PM

Are you using password authentication or public-key authentication? Leopard does not save SSH passwords. It does save the password of a password-protected private SSH key.

Authored by: ipearx on Nov 05, '07 05:01:30PM

This didn't work for me by default on both my FreeBSD and CentOS servers. You have to first put a public key on the servers you want to connect to.

A friend suggested the following which worked great:

  1. Open up terminal on your local Leopard machine and type: ssh-keygen -t rsa
  2. Accept the default location
  3. Type in the passphrase twice
  4. Then copy the public key to the remote server using: cat ~/.ssh/id_rsa.pub | ssh username@myserver.com "cat - >> ~/.ssh/authorized_keys"

Be sure to change username@myserver.com to your remote username and server address.

If you are doing this for multiple servers, you only need to repeat step 4 for each server.

Also check these pages for more info if you're having problems, especially if you had SSHKeyChain installed:
http://www.wand.net.nz/~smr26/wordpress/2007/10/28/mac-os-x-leopard-built-in-ssh-agent/
http://ormset.no/wordpress/2007/10/28/leopard-finally-supporting-ssh-agent-at-login/

- Tim from ProMacBlog.com

Authored by: vdanen on Nov 05, '07 06:12:21PM

A few corrections.

You can't simply cat the public key over to a server if you haven't created the ~/.ssh directory first. You have to create the directory first. Also, simply catting it over isn't overly smart, and you could have it refuse to use the key due to insecure permissions. You should be doing:

  1. scp ~/.ssh/id_rsa.pub user@server.com:~/
  2. ssh user@server.com
  3. mkdir -p .ssh && chmod 0700 .ssh
  4. mv id_rsa.pub .ssh/authorized_keys && chmod 0600 .ssh/authorized_keys

And you're right, the key needs to be on the other end first, before you get this dialog, because the dialog adds the key to the running ssh-agent. If there is no pubkey negotiation, ssh-agent isn't consulted at all; you're providing a straight password to the remote sshd server.

A good primer on using OpenSSH is here: Optimizing OpenSSH [linsec.ca]. I wrote it, it's a few years old, but still really relevant for OS X or Linux (servers or clients).

Authored by: vdanen on Nov 05, '07 06:19:38PM

Oh, I also forgot to mention that if you're calling ssh-agent directly from a .bashrc or similar file on terminal startup, you may also not get this prompt. You'll know whether or not this is the case by doing:

$ env | grep SSH

If you see something like SSH_AUTH_SOCK=/tmp/launch-WsBdoO/Listeners then you're using the authentication socket started by launchd (presumably when you first login), if it's something else, then you've got some hunting to do in ~/.bashrc, ~/.bash_profile, ~/.zshrc, or whatever. Shouldn't be a problem for fresh installs, but if you're like me and connected to an SSHKeychain-driven ssh-agent in Tiger, then you might have some stuff to remove in those startup files.

Authored by: cryptlib on Apr 25, '09 10:07:51PM

If you have your umask correctly set, the chmod issue isn't an issue. I use tcsh with backslash_quote on, and here's the alias that's served me quite well:

% alias skeyto
cat $HOME/.ssh/id_dsa.pub | ssh !* 'perl -e \'mkdir("$ENV{HOME}/.ssh");open(A,">>$ENV{HOME}/.ssh/authorized_keys");print(A <>)\' '

Of course, you need Perl in your path, but who doesn't have that nowadays?

---
% kill -H -1

Authored by: cryptlib on Apr 25, '09 10:14:15PM
Here's the line in my rc file, with all the nasty backslashes and quotes:
alias skeyto 'cat $HOME/.ssh/id_dsa.pub | ssh \!* \'perl -e \\\'mkdir("$ENV{HOME}/.ssh");open(A,">>$ENV{HOME}/.ssh/authorized_keys");print(A <>)\\\' \''

---
% kill -H -1
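
The three key-installation recipes in this thread (ipearx's step 4, vdanen's scp/mkdir/chmod sequence and cryptlib's perl alias) folded into one script, added here as an example; it is not code from the hint or from any commenter. It keeps vdanen's points (create ~/.ssh first, force the modes regardless of umask) and adds a check that a second run does not append the same key twice. The host, user and sample key line are invented, and it uses an RSA key rather than cryptlib's id_dsa because current OpenSSH releases disable ssh-dss by default.

```shell
#!/bin/sh
# Added example, not code from the hint or any comment: install an SSH public
# key into a user's authorized_keys with ~/.ssh created if missing, modes
# forced to 0700/0600, and the key appended only once.
# Host names, user names and the sample key below are made up.

# Snippet to run on the remote host; it reads one public-key line on stdin.
# Assumes the remote login shell is POSIX sh compatible.
remote_install_snippet() {
    cat <<'EOF'
umask 077
mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh" || exit 1
key=$(cat)
[ -n "$key" ] || { echo 'empty key on stdin' >&2; exit 1; }
ak="$HOME/.ssh/authorized_keys"
touch "$ak" && chmod 600 "$ak" || exit 1
grep -qxF -- "$key" "$ak" || printf '%s\n' "$key" >> "$ak"
EOF
}

# The same logic against a local directory, so it can be exercised without
# a server (pass "$HOME" and a key line to use it for real on this machine).
# Runs in a subshell so the umask change does not leak into the caller.
install_authorized_key() {
    ( home_dir=$1; key=$2
      umask 077
      mkdir -p "$home_dir/.ssh" && chmod 700 "$home_dir/.ssh" || exit 1
      [ -n "$key" ] || exit 1
      ak="$home_dir/.ssh/authorized_keys"
      touch "$ak" && chmod 600 "$ak" || exit 1
      grep -qxF -- "$key" "$ak" || printf '%s\n' "$key" >> "$ak" )
}

# Octal mode of a path (GNU stat first, BSD/macOS stat as fallback).
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Real-world use, i.e. what the thread's step 4 becomes
# (server.example and user are placeholders):
#   ssh-keygen -t rsa -b 4096 -f ~/.ssh/id_rsa          # set a passphrase when asked
#   ssh user@server.example "$(remote_install_snippet)" < ~/.ssh/id_rsa.pub
#   ssh -o PasswordAuthentication=no user@server.example true   # must succeed via the key

# Offline demonstration on a temporary directory with a constructed key line.
demo() {
    tmp=$(mktemp -d) || return 1
    # Constructed sample key (not a real credential).
    k='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample0000 tim@leopard'
    install_authorized_key "$tmp" "$k" || return 1
    install_authorized_key "$tmp" "$k" || return 1   # second run: no duplicate line
    lines=$(wc -l < "$tmp/.ssh/authorized_keys" | tr -d ' ')
    echo "$(mode_of "$tmp/.ssh") $(mode_of "$tmp/.ssh/authorized_keys") $lines"
    rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

The final `ssh -o PasswordAuthentication=no ... true` line is the check that matters: if it fails, sshd never negotiated the key (wrong file, wrong modes, or `PubkeyAuthentication no` on the server), and, as vdanen notes above, the agent and the Keychain prompt never come into play.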

Authored by: vocaro on Nov 05, '07 08:37:09PM

Can someone please explain what exactly is "great" about this? I don't have Leopard, but I do have Tiger, which works perfectly fine with public key authentication. What exactly is different with SSH authentication in Leopard?

Authored by: lincd0 on Nov 05, '07 09:48:16PM

Tiger doesn't store the password of an SSH private key in the Keychain. Leopard does.

Authored by: gcallari on Nov 06, '07 04:23:47AM

The password is stored in the keychain and retrieved by the ssh program. I was not aware of this and was trying to insert my password at the prompt of the remote server!

Authored by: richardl on Nov 06, '07 05:46:26AM

When you generate your key, you have the option of creating a 'Passphrase' (this is like having a password for your private key). The problem when you define a passphrase is that you need to enter it every time you authenticate with that key. The official way around this is to use an SSH agent, which will keep your passphrase in memory (there is native SSH support for this; I use SSHKeychain, which automates this process). The purpose of the tip is that with Leopard, the author states, SSH will keep a key's passphrase in the keychain ... but like the others, I could not make this happen.

Authored by: richardl on Nov 06, '07 06:35:35AM

I take it back, it does work. I had to disable SSHKeychain's global variable and log off and back on. I have multiple keys; I initially had to 'ssh -i keyname userid@host' for it to save my key in the keychain.

Thanks for the great hint

Authored by: jms1 on Nov 06, '07 06:53:00PM

The difference is that the 10.5 version of "ssh" now runs a process called "ssh-agent" in the background. This process CAN, but doesn't necessarily have to, hold the actual secret keys used to authenticate to the remote servers.

If you want the agent to hold your secret key (which means you won't have to type a password OR a passphrase to access remote servers) you can run "ssh-add" in a terminal window. It will ask you for the passphrase for the key, and then add the key to the agent.

Once this is done, whenever you connect to a server, the agent uses the key (now in memory) to automatically answer the server's challenges. If the agent doesn't have the key in memory, it pops up a window on the screen, asking for the passphrase. It then uses that passphrase to read and decrypt the secret key from the disk, uses the key to answer the challenge, then wipes both pieces of information (the key and the passphrase) out of memory.

I wrote a web page a few years ago which explains the whole process in a lot more detail; it's more geared towards Linux, but the programs involved (ssh, ssh-agent, ssh-add, etc.) are the same programs. The only difference is that the OS X version of ssh-agent knows how to pop up a GUI window to prompt you for the passphrase.

One interesting thing you can do with keys is "agent forwarding". The idea is that, from your workstation, you can ssh to "machine A", and then FROM THERE you can ssh to "machine B", and from there to "machine C", and so forth... and the socket back to the ssh-agent process on your workstation is carried along for the ride, which means the "ssh" process on machine B is able to send machine C's challenge back through a "side channel" all the way back to your workstation, and have the agent compute the answer to the challenge... all without machine A knowing, or caring, what was going on.

I normally use a program called "SSHKeychain". It works as a front-end for ssh-agent, with a GUI which allows you to manually add and remove keys without having to type "ssh-add" commands. The thing I like about it is that it can be configured so that when you enter the passphrase for a key, it automatically adds that key to the agent, which means I only have to type my passphrase once when I run my first "ssh" or "scp" command in the morning, or if I have to log out or reboot.
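
A small check for the situation vdanen (SSH_AUTH_SOCK from launchd versus from a shell rc file) and jms1 (does the agent hold the key or not) describe, added here as an example; it is not code from the hint or any commenter. The launchd socket pattern for 10.5 is the one vdanen quotes; the `/private/tmp/com.apple.launchd.*` pattern is an assumption about later macOS releases and is not from the thread. The ssh-add exit codes it interprets are OpenSSH's documented ones.

```shell
#!/bin/sh
# Added example, not code from the hint or any comment: report which
# ssh-agent a shell is talking to and whether that agent holds any keys.

# Classify an SSH_AUTH_SOCK value. On 10.5 the launchd-managed socket looks
# like /tmp/launch-XXXXXX/Listeners (the form vdanen shows). The second
# pattern is an assumption about later macOS releases, not from the thread.
classify_auth_sock() {
    case "${1:-}" in
        '') echo none ;;
        /tmp/launch-*/Listeners|/private/tmp/com.apple.launchd.*/Listeners) echo launchd ;;
        *) echo other ;;
    esac
}

# Interpret ssh-add's exit status rather than parsing its output:
# 0 = agent reachable and holds keys, 1 = agent reachable but empty,
# 2 = no agent could be contacted through SSH_AUTH_SOCK.
agent_status() {
    command -v ssh-add >/dev/null 2>&1 || { echo 'ssh-add not found'; return 3; }
    ssh-add -l >/dev/null 2>&1
    rc=$?
    case $rc in
        0) echo "agent at ${SSH_AUTH_SOCK:-?} has keys loaded (no prompt expected)" ;;
        1) echo "agent at ${SSH_AUTH_SOCK:-?} is running but holds no keys; ssh will prompt, or run ssh-add" ;;
        2) echo "no agent reachable (SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset})" ;;
        *) echo "ssh-add exited $rc" ;;
    esac
    return $rc
}

# Put the two together: where the socket came from, then what it holds.
report() {
    kind=$(classify_auth_sock "${SSH_AUTH_SOCK:-}")
    case $kind in
        launchd) echo "SSH_AUTH_SOCK is launchd's; the Keychain passphrase prompt can appear" ;;
        other)   echo "SSH_AUTH_SOCK=$SSH_AUTH_SOCK was set elsewhere; check ~/.bashrc, ~/.bash_profile, ~/.zshrc" ;;
        none)    echo "SSH_AUTH_SOCK is unset; no agent in this shell" ;;
    esac
    agent_status
}

case "${1:-}" in report) report ;; esac
```

For the agent forwarding jms1 mentions, `ssh -A hostA` (or `ForwardAgent yes` for that host in ~/.ssh/config) carries the agent socket along; the caveat is that while you are connected, anyone with root on hostA can use that socket to authenticate as you, so forward only to hosts you trust, and consider loading keys with `ssh-add -c` so each use asks for confirmation.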

Authored by: timhaigh on Apr 26, '09 08:02:02AM

The topic of this hint is "Leopard has now a built-in support for SSH authentication with public keys."

Tiger had support for public key authentication and so did Panther.

The difference in Leopard is that it supports SACLs. You can lock down SSH even more by specifically naming a user in the Sharing preferences who can log in via SSH.

The other difference is that if you use a passphrase with your key then the mac stores it in the keychain.

Perhaps the hint could have been a bit more descriptive.
