On public keys in this class:

I need your SSH public key to give you access to an OpenSolaris machine. The alternative is generating some password for you and then insisting that you change it, or generating a random password; however, asymmetric crypto is much nicer.

Generate your public key in your UNIX account with

ssh-keygen -t dsa -f cs108 

This will create your keypair: a public key (cs108.pub) and a private key (cs108). A secure key should have a password to protect it, so that an attacker would not be able to use it by merely acquiring the contents of the private key file -- running a keylogger or tracing your process as you type the key would be required to also get your password. This password need not have anything in common with your UNIX password. Check with

ls -l cs108*

that your private key is not readable to anyone but yourself (and the root on that machine, of course, or to whoever manages to intercept the NFS transactions with the private key file).

-rw------- 1 sergey misc 672 Apr 8 15:09 cs108
-rw-r--r-- 1 sergey misc 621 Apr 8 15:09 cs108.pub

Send me your public key. Of course, you can choose any other name that is convenient for you (it is not encoded anywhere inside the key).

To log in to your account when it's ready, I recommend the following method. Using it, you will need to enter the password that accompanies the key (if any) only once, when adding the private key to the ssh-agent's keychain.

1. Make sure that ssh-agent(1) is running

ps x | grep ssh-agent

should show you if it's there. When adding the key, the ssh-add command needs to talk to ssh-agent (whose function is to keep the cached key and supply it to ssh or scp as needed), and the SSH_AUTH_SOCK variable holds the name of the socket through which they communicate.

If ssh-agent is not running, start it and paste the variables it prints back to the shell. On our department systems ssh-agent is started automatically by your X session.

2. Add your private key to ssh-agent with ssh-add (you can check which keys are already added with "ssh-add -l"). You will be asked for your password, if entered during key creation.

ssh-add cs108

3. ssh to your new account (instructions will follow). You will not be asked to enter your password: if ssh-agent is running, the shell and therefore ssh/scp know about it via SSH_AUTH_SOCK, and the public key has been placed (as one line, no linebreaks) into your remote account where the remote sshd knows to look for it, e.g., your ~/.ssh/authorized_keys file. This is especially useful with scp.

If your key-based authentication fails, you will fall back to password auth. You can see ssh's debug output with the -vvv option, but you will need the sshd daemon log from the remote machine for the full picture of what went wrong.

Notice that modern OpenSSH versions are quite strict about the permissions on key files and on the directory that holds them, and will not use a private key that is world-readable, group-readable, or located in a group-readable or writable directory (check your keys directory, normally .ssh, with "ls -ld .ssh" for its permissions). This is the usual reason why key-based authentication fails.
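The three things steps 2 and 3 and the note above depend on (private key and directory permissions, a one-line public key, a reachable ssh-agent socket) can be checked with a small script before you try to log in. This is an added example, not part of these notes; it uses a constructed scratch keypair rather than your real cs108 files, and the mode checks follow the bits described above rather than calling ssh itself.

```shell
#!/bin/sh
# Added example, not part of the original notes: reproduce the checks OpenSSH
# makes before it will use a private key (file not readable by group/others,
# directory not group/world writable), check that a public key is a single
# line, and check whether an ssh-agent socket is reachable.

# Octal mode of a path, e.g. 600 (GNU stat first, BSD/macOS stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# 0 if the private key at $1 would be accepted by ssh, 1 (with a reason) if not.
check_key_perms() {
    key="$1"; dir=$(dirname "$key")
    [ -f "$key" ] || { echo "missing: $key"; return 1; }
    kmode=$(mode_of "$key"); dmode=$(mode_of "$dir")
    # group/other bits (octal 077) must be clear on the key itself
    if [ $(( 0$kmode & 077 )) -ne 0 ]; then
        echo "key $key has mode $kmode: readable by group or others"; return 1
    fi
    # group/other write bits (octal 022) must be clear on the directory
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "directory $dir has mode $dmode: writable by group or others"; return 1
    fi
    return 0
}

# 0 if the public key file $1 is exactly one "ssh-..." line, as authorized_keys expects.
check_pubkey_line() {
    [ "$(wc -l < "$1" | tr -d ' ')" -eq 1 ] && grep -q '^ssh-' "$1"
}

# 0 if SSH_AUTH_SOCK names an existing socket (ssh-add/ssh can reach the agent).
agent_reachable() {
    [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# Demo on a constructed keypair in a scratch directory (no real keys touched).
demo_dir=$(mktemp -d); chmod 700 "$demo_dir"
printf 'placeholder private key, not a real key\n' > "$demo_dir/cs108"
chmod 600 "$demo_dir/cs108"
printf 'ssh-dss AAAAexampleNotARealKey sergey@host\n' > "$demo_dir/cs108.pub"
check_key_perms "$demo_dir/cs108" && echo "private key permissions ok"
check_pubkey_line "$demo_dir/cs108.pub" && echo "public key is one line"
agent_reachable && echo "ssh-agent reachable" || echo "no ssh-agent socket"
rm -rf "$demo_dir"
```

Run it against your own files with check_key_perms ~/.ssh/cs108 and check_pubkey_line ~/.ssh/cs108.pub after sourcing the script.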