0

I have the private DSA key in PEM format. What do I do next to access SSH without a password?

Sample certificate in PEM format: http://ospkibook.sourceforge.net/docs/OSPKI-2.4.7/OSPKI-html/sample-priv-key.htm

uzi

2 Answers

1

Ah -- I think you are confusing ssh certificates and ssl certificates.

ssh uses two main forms of two-factor authentication keys: 1) standard RSA or DSA key pairs (public, private) or 2) ssh certificates which (according to man ssh-keygen)

...consist of a public key, some identity information, zero or more principal (user or host) names and an optional set of constraints that are signed by a Certification Authority (CA) key.

It goes on to say:

Note that OpenSSH certificates are a different, and much simpler, format to the X.509 certificates used in ssl(8).

To generate a normal ssh keypair, do something like the following:

ssh-keygen -t rsa -b 2048 -f test

It is advisable to protect the private key with a password.

Then, by placing the public key (test.pub in this case) in the file ~/.ssh/authorized_keys on the target host user's login home, you should be able to log in to the target host without a password if sshd is configured to allow this.

ssh -i test user@host

To generate an ssh certificate, do something like the following:

  1. ssh-keygen -f ca_key # generate a ssh keypair for use as a certificate
  2. generate a host key: ssh-keygen -s ca_key -I cert_identifier -h host_key.pub
  3. specify the host key in the server's sshd config file: TrustedUserCAKeys /etc/ssh/ssh_cert/host_key.pub
  4. generate a local certificate to access the host using an ssh certificate: ssh-keygen -s ca_key -I cert_identifier user_key.pub. This should generate user_key-cert.pub

Assuming this has all proceeded properly, ssh -i user_key user@host will use the user_key-cert.pub file and login will proceed automatically (if allowed on the server). The server will log a connection from cert_identifier if so configured.

ssh certificates are a new feature and still need some usability aspects shaken out. The benefits of them include a central signing key, an alternative to constraining connections through authorized_keys and the possibility of limiting the validity time periods of ssh certificates.

rorycl
  • Actually, there is a patch to give ssh X.509 certificate support. See http://roumenpetrov.info/openssh/ – rorycl Apr 29 '11 at 02:03
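The first answer's distinction between key pairs, OpenSSH certificates and X.509 certificates can be read off the file contents. The following is an added example, not part of the original answers: it labels a piece of key material from its PEM header or from the type string encoded at the start of an OpenSSH public-key blob. The function names and the sample lines are assumptions made for illustration.

```python
import base64
import re
import struct

CERT_SUFFIX = "-cert-v01@openssh.com"  # suffix of OpenSSH certificate key types

def wire_type(b64_blob):
    """Return the key-type string that starts an SSH public key or cert blob."""
    raw = base64.b64decode(b64_blob, validate=True)
    if len(raw) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", raw[:4])  # uint32 length prefix, big-endian
    if n == 0 or 4 + n > len(raw):
        raise ValueError("bad length prefix")
    return raw[4:4 + n].decode("ascii")

def classify(text):
    """Label key material as X.509, PEM private key, OpenSSH key or OpenSSH cert."""
    text = text.strip()
    m = re.match(r"-----BEGIN ([A-Z0-9 ]+)-----", text)
    if m:
        label = m.group(1)
        if label == "CERTIFICATE":
            return "X.509 certificate (SSL/TLS)"
        if label.endswith("PRIVATE KEY"):
            return "private key, PEM label: " + label
        return "other PEM object: " + label
    fields = text.split()
    if len(fields) < 2:
        return "unrecognised"
    try:
        inner = wire_type(fields[1])
    except (ValueError, UnicodeDecodeError):
        return "unrecognised"
    if inner != fields[0]:
        return "unrecognised"  # text prefix and encoded type disagree
    return "OpenSSH certificate" if inner.endswith(CERT_SUFFIX) else "OpenSSH public key"

def sample_line(key_type):
    # Constructed sample: real type string, zero filler instead of key data.
    blob = struct.pack(">I", len(key_type)) + key_type.encode() + b"\x00" * 8
    return key_type + " " + base64.b64encode(blob).decode() + " constructed@example"

if __name__ == "__main__":
    for s in (sample_line("ssh-rsa"), sample_line("ssh-rsa-cert-v01@openssh.com"),
              "-----BEGIN DSA PRIVATE KEY-----", "-----BEGIN CERTIFICATE-----"):
        print(classify(s))
```

A file that classifies as an X.509 certificate is not something to place in authorized_keys; a PEM private key is the half that stays on the client.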
0

This may help you - link

Or you can use ssh-copy-id user@host as well.

sybreon