Configuring a Public/Private Key Pair

What is a Public/Private Key Pair?

In the example of an SSH connection between two machines, a public/private key pair can be used to authorize the connection. To set it up, a pair of keys is generated: one is public and can be shared and one is private and should never be shared. Anyone (or any system) with a copy of the public key can use it to encrypt data that can only be decrypted by the individual holding the private key. To authorize SSH connections using a key pair, the public key is added to a file that is read by the SSH server which authorizes the connection only if the corresponding private key is presented.

Generating and configuring your Public/Private Key Pair

1) Log into a MathLAN workstation and open the Terminal application.

2) Create your private .ssh directory. At the command-line prompt, type these commands:

$ mkdir ~/.ssh
$ chmod 700 ~/.ssh
$ cd ~/.ssh

3) Generate your public and private key pair. The following command will generate two files: (the public key) and id_rsa (the private key). When prompted to enter a passphrase for the private key, you can choose to enter a passphrase or to create the key with no passphrase. Obviously, no passphrase is a little more convenient, but less secure. It is strongly recommended that you create a passphrase for your private key. If you enter a passphrase for the private key, you’ll need to use that passphrase to load the private key so that it can be used. This isn’t as inconvenient as it sounds. It is easy (and still secure) to configure a machine to ask for the passphrase only when the key is first loaded to be presented to the server and not for every attempted connection. (Learn more about loading private keys into the ssh agent.) To generate your key pair, issue this command:

$ ssh-keygen -t rsa

4) Add your public key to your ~/.ssh/authorized_keys file. the authorized_keys file within your .ssh directory is the file the SSH program will use to authorize the connection. At the command-line prompt, type these commands to add the contents of your public key file to the authorized_keys file:

$ cat >> ~/.ssh/authorized_keys
$ chmod 644 ~/.ssh/authorized_keys

5) Copy your private key to the machine from which you’d like to initiate an ssh connection. The file itself can be copied any number of ways, it is essentially just a text file. The exact process will be determined by what type of computer you’ll be using. Here are instructions for a Mac using the Terminal application and a Windows PC using the PuTTY application. You’ll need to complete these steps while connected to the Grinnell College wireless network (not Grinnell College Guest) or while on a wired network connection on campus.

5a) MAC Instructions

Copy the private key to your Mac via scp: At the prompt in the Terminal application, use the following command to copy the private key from your MathLAN home directory to your Mac home directory, then change its permissions so it can only be read by you:

$ scp [your-grinnell-username] ~/.ssh/id_rsa
$ chmod 600 ~/.ssh/id_rsa

Quit and restart the Terminal application on your Mac so that the private key will be added to the ssh-agent. Alternatively, use this command to manually add the key to the ssh-agent:

$ ssh-add ~/.ssh/id_rsa

5b) Windows PC Instructions (with PuTTY already installed)

Use the pscp utility to copy your private key to your Windows PC. Run the cmd program and move into the directory where the pscp utility is located:

C:\\> cd "Program Files (x86)\PuTTY"

Copy your private key to your Windows PC:

C:\\Program Files (x86)\PuTTY> pscp [your-grinnell-username][username]/.ssh/id_rsa C:\\Users\\[username]\Documents\id_rsa

Next, follow these instructions (specifically the section titled Use Existing Public and Private Keys) to import your private key to be used in PuTTY.

6) After adding your public key to your authorized_keys file in your MathLAN home directory and adding your private key to your SSH application on the computer you’ll use to initiate the connection, you should be able start a SSH connection to without entering your Grinnell College password. You will be prompted for Duo authentication.

Questions and Feedback

If you have comments or questions about configuring your key pair for SSH connections, please reach out to Mike Conner at [connerms].