Chapter 2. Basic Use of SSH

Table of Contents
Setup before first use (ssh-keygen)
Regular use of SSH (ssh)
Easier use of SSH (ssh-agent and ssh-add)

Setup before first use (ssh-keygen)

SSH relies on a small amount of per-user data. SSH is based on RSA encryption, and like all public-key systems it requires the user to have both a public key and a private key; SSH also needs a random number generator seed, which is user-specific. The ssh-keygen program generates this data for the user, producing the following files:

~/.ssh/identity.pub

This is the user's public key. It's not necessary to keep it secret.

~/.ssh/identity

This is the user's private key. As such, it should not be given out to others, and its permissions should prevent any other user from reading it. It is protected by the passphrase given to ssh-keygen.

~/.ssh/random_seed

This is the random number generator seed. It should be kept secret.

A sample session with ssh-keygen looks like the following:

[~] % ssh-keygen
Initializing random number generator...
Generating p:  ................................++ (distance 528)
Generating q:  ...++ (distance 50)
Computing the keys...
Key generation complete.
Enter file in which to save the key (/home/jsled/.ssh/identity): <RETURN>
Enter passphrase: <user-entered passphrase>
Enter the same passphrase again: <same user-entered passphrase>
Your identification has been saved in /home/jsled/.ssh/identity.
Your public key is:
1024 37 570995861311744913699852643840495620503105177916202595981143078740421447
07234725107032716031313676352354759768729079333048192564496060745735388393675040
48251376663323088994798943255485136598021692118911541230193385758280090695891602
5590978882896036684032728595904115093929448135894970165679059780624183271411 jsled@josh.asynchronous.org
Your public key has been saved in /home/jsled/.ssh/identity.pub

The data for the local machine has been created. The same should be done for all accounts from which the user would like to use SSH. In effect, a separate identity (public/private key pair) is created for each account.

The public key is then copied by the user to the remote machine, where it is placed in the file ~/.ssh/authorized_keys; this file can be made public since it consists only of public keys. The file controls access to the account on the remote machine. It works in a manner similar to the ~/.rhosts file, since it defines a list of identities which have access to the system. However, it is fundamentally secure, whereas .rhosts (and the whole rlogin/rcp/rsh mechanism) is not. The easiest way to copy this data between machines is to use copy-and-paste and cat, IMHO. ftp, rcp or ssh can also be used to do this.
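The two things that go wrong most often in the procedure above are loose permissions on the private files and a mangled or duplicated line in authorized_keys. The script below is an added example, not part of this chapter or of the SSH distribution: it checks the files ssh-keygen produced against the permission convention that both the ssh client and sshd enforce (private key and seed 0600, the ~/.ssh directory 0700), and appends a public key line to authorized_keys only if it is not already there. The function names and the demo paths are my own, and the demo runs on a throwaway directory with a made-up key line rather than on a real ~/.ssh.

```shell
#!/bin/sh
# Added example, not part of the original chapter: checks that the files
# ssh-keygen produced have safe permissions, and appends a public key to
# authorized_keys without creating duplicates. Paths are passed in as
# arguments, so nothing here touches the real ~/.ssh unless you ask it to.

# Return 0 if PATH exists and its permission bits are exactly MODE (octal).
# find -perm with a plain octal mode is an exact match; -prune keeps find
# from descending when PATH is a directory.
has_mode() {
    p=$1; mode=$2
    [ -e "$p" ] || return 1
    [ -n "$(find "$p" -prune -perm "$mode" -print)" ]
}

# A private file (identity or random_seed) must be a regular file that you
# own and that nobody else can read: mode 0600 (or 0400). Prints the reason
# on failure so the output can be acted on.
check_private_file() {
    f=$1
    [ -f "$f" ] || { echo "missing or not a regular file: $f"; return 1; }
    [ -O "$f" ] || { echo "not owned by the current user: $f"; return 1; }
    if has_mode "$f" 600 || has_mode "$f" 400; then
        return 0
    fi
    echo "mode must be 0600 or 0400: $f"
    return 1
}

# The .ssh directory itself should be 0700, so other users can neither list
# the key files nor replace them.
check_ssh_dir() {
    d=$1
    [ -d "$d" ] || { echo "missing directory: $d"; return 1; }
    has_mode "$d" 700 || { echo "mode must be 0700: $d"; return 1; }
}

# Append the single line from PUBKEY_FILE to AUTH_FILE unless an identical
# line is already present, then make sure AUTH_FILE is 0600. The file is
# created under umask 077 so it is never world-readable, even briefly.
add_authorized_key() {
    pub=$1; auth=$2
    key=$(cat "$pub")
    [ -n "$key" ] || { echo "empty public key file: $pub"; return 1; }
    ( umask 077; : >> "$auth" )
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    chmod 600 "$auth"
}

# Demo on a constructed throwaway directory standing in for ~/.ssh; the
# public key line is made up and is not a real key.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/.ssh" && chmod 700 "$tmp/.ssh"
    printf 'constructed private key material\n' > "$tmp/.ssh/identity"
    chmod 644 "$tmp/.ssh/identity"   # deliberately too permissive
    printf '1024 37 12345 jsled@example.invalid\n' > "$tmp/.ssh/identity.pub"

    check_ssh_dir "$tmp/.ssh" && echo ".ssh directory: ok"
    check_private_file "$tmp/.ssh/identity" || echo "  -> fix with: chmod 600 identity"
    chmod 600 "$tmp/.ssh/identity"
    check_private_file "$tmp/.ssh/identity" && echo "identity after chmod 600: ok"

    # Adding the same key twice leaves exactly one line in authorized_keys.
    add_authorized_key "$tmp/.ssh/identity.pub" "$tmp/.ssh/authorized_keys"
    add_authorized_key "$tmp/.ssh/identity.pub" "$tmp/.ssh/authorized_keys"
    echo "authorized_keys lines: $(wc -l < "$tmp/.ssh/authorized_keys" | tr -d ' ')"
    rm -rf "$tmp"
}

demo
```

To use the checks on a real account, call the functions with the real paths (for example check_private_file "$HOME/.ssh/identity" and check_ssh_dir "$HOME/.ssh"); the exact-match on the mode is intentional, since a group- or world-readable private key is exactly the condition ssh refuses to use.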