SSH login with a certificate (OSX)

One of the most convenient ways to log in to a server with SSH is with certificates. Although the principle is well documented all over the internet, I still ran into some issues setting it up myself from my Mac, hence this walk through.

I have tried to make a simple, condensed walk through. It does require that you know what SSH is and how to use it.

(I also created a Windows/PuTTY walk through.)

This example sets up certificates to log in to the server strelitzia.net with the userID jeroen. This does not actually work: I cannot SSH into that system at all, so do not bother trying to hack your way into it. It is used purely as an example for you and for myself.

You NEED to change only two things. Every time you read ‘strelitzia.net’ you should replace it with your own server. Every time you read ‘jeroen’ you should use your own userID. Be careful not to change anything else!

You start by opening a terminal. (If you don’t know how to do this, this tutorial is not for you!)

Type this command to create a key:

ssh-keygen -b 2048 -C jeroen-2048 \
 -f ~/.ssh/jeroen2048.key -t rsa

ssh-keygen is the OSX application to create keys. In this example we created a 2048 bit key (-b 2048) with the comment ‘jeroen-2048’ (-C jeroen-2048). This comment is displayed when you need to provide the key's password. We store the key in the file ~/.ssh/jeroen2048.key (-f ~/.ssh/jeroen2048.key), i.e. in the subdir .ssh in your homedir. We actually create two files: your private key, which should remain secret at all cost, and a public key, which can theoretically be shared with anybody (it will be named jeroen2048.key.pub). Finally we create keys with the RSA algorithm (-t rsa).

Be sure to use a pretty good password for the private key. Some people skip the password, arguing that they gain no convenience by merely substituting their login password with a private key password. But since our password will be kept conveniently in the OSX keychain, we can easily protect the key with a proper password and still log in without typing it every time!

Next step is to copy the public key to the server. This can be done in ‘one line’:

ssh jeroen@strelitzia.net \
 "mkdir -p ~/.ssh && chmod 700 ~/.ssh && \
 echo `cat ~/.ssh/jeroen2048.key.pub` >> ~/.ssh/authorized_keys && \
 chmod 600 ~/.ssh/authorized_keys"

Please be aware that you need to provide your ‘normal’ password for the server, and not the new certificate password! You are merely logging in with SSH, still without certificates, probably for the last time! So make sure you log out of your server again.

This command opens a Secure SHell and appends your public key to the authorized keys on the server. Note that sshd (with the default StrictModes yes) silently ignores authorized_keys when ~/.ssh or the file itself is writable by group or others, so on the server ~/.ssh must be mode 700 and authorized_keys mode 600.

In principle you are done. But we do one more step to make it even more convenient.

We are going to create a config file to store all settings of your ssh connections. Open it with

vi ~/.ssh/config

and add these four lines. They are sufficient, but there are plenty of other options to fully utilize ssh:

Host strelitzia
    HostName strelitzia.net
    User jeroen
    IdentityFile ~/.ssh/jeroen2048.key

Each entry in this config file starts with Host, so you can create multiple connections. (That is not the whole story, if you read the manual, but it is enough to remember to make it work!) Host is an alias, so you can write whatever you want. HostName is the official address you want to connect to. User is the userID to open the connection with, and IdentityFile is your private key.

After all this is done, you can simply login with

ssh strelitzia

(See, I used the alias?)

You will be prompted once by the OSX Keychain app to provide the password for your private key, and you will be logged in. The next time, your password will be provided by the Keychain app, if you let it save your password.

One final note: changing to certificates is not only for convenience, as I might have led you to believe in this article. It also gives you stronger authentication, but only if you remove password authentication from the sshd configuration on your server (PasswordAuthentication no in sshd_config). Verify in a second terminal that the key login works before you do so, or you will lock yourself out.
