= I'm pretty sure this is obsolete =

mire, at least, doesn't allow key-based ssh authentication. See ["Kerberos"] for something similar.

= Setting up key-based ssh authentication =

Note: This is totally optional. Some people prefer password-based authentication (the default). In order to continue with these instructions, you must already be able to authenticate with a password.

There are two ways to assure our servers that you are really ''you'' so that you can log in. You can tell them your secret password each time, or you can have your ssh client identify you, more or less automatically, using a unique key. Go [http://nwps.ws/pub/Security/SSH-Authentication_A_Basic_Overview.txt here] to read more, especially toward the bottom concerning keys vs. passwords.

'machineSERV' is the name of our server[[BR]]
'machineCLI' is the name of your local machine with a full ssh2 implementation

== For Unix-ish clients (use OpenSSH) ==

From machineCLI, as the user that connects to machineSERV:[[BR]]
{{{
ssh-keygen -t dsa
}}}
 * Note: you can use an RSA key instead of DSA if you prefer (RSA may be faster to connect though slower to generate; the security level is considered the same). To do this, replace every occurrence of "dsa" with "rsa" in these instructions. See ["DSAvsRSA"] for more info.

When the keygen program asks for a passphrase, enter a multi-word phrase that you can remember or write in a safe place. This passphrase encrypts your private key on the hard drive, protecting it from being read by even the root user.

You will also get a public key, which you can (metaphorically) hand out to people like a business card. If they decide to trust you, you can just call up and flash them your business card and (after some behind-the-scenes verification) they'll let you in.

''Your public key is useless for any sort of exploit or attack without the accompanying private key.
Your public key cannot fall into the wrong hands, as anyone who stores it is basically inviting '''you''' to knock on '''their''' door and not the other way around.''

''Your private key, on the other hand, must be kept secure and should not be displayed or stored. The passphrase that ssh-keygen prompts you for is used to encrypt your private key, the result of which is stored on the hard drive. For ssh to use your private key, the passphrase must be supplied in order to decrypt it. ssh never transmits your private key anywhere; it is only used locally to answer an sshd challenge.''

ssh-keygen will have created two files, id_dsa and id_dsa.pub, in ~/.ssh/[[BR]]
id_dsa is your private key, and id_dsa.pub is your public key[[BR]]

Next, you'll want to copy your public key over to machineSERV. (Notice that, in the copy process, we rename the local id_dsa.pub to machineCLI_dsa.pub on the remote side, so as not to conflict with machineSERV's ''own'' public key.)[[BR]]
{{{
scp ~/.ssh/id_dsa.pub machineSERV:~/.ssh/machineCLI_dsa.pub
}}}
Then ssh over to machineSERV[[BR]]
{{{
ssh machineSERV
}}}
Now your account on machineSERV has your business card from machineCLI. In order to accept it, we have to place its contents into ~/.ssh/authorized_keys. A .ssh directory ought to already exist, but if it doesn't, then
{{{
ssh-keygen -t dsa
}}}
and follow the first part of the instructions above.[[BR]]
Regardless, append your public key to the authorized_keys file (the copied key sits in ~/.ssh, not in your home directory, so give the full path):[[BR]]
{{{
cat ~/.ssh/machineCLI_dsa.pub >> ~/.ssh/authorized_keys
}}}
Give it a try and make sure it works (from machineCLI):[[BR]]
{{{
ssh machineSERV
}}}
Your ssh client should ask you for a passphrase instead of your usual password. Type in your passphrase and make sure you can authenticate. If not, start over or just delete your newly created keys.
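The server-side step above, appending the copied public key to ~/.ssh/authorized_keys, as an added shell example that is not part of the original page: it refuses anything that is not a single-line public key, creates ~/.ssh with the modes this page expects (700 for the directory, 600 for authorized_keys) if they are missing, appends only when the key is not already present, and handles an authorized_keys file that lacks a trailing newline, which would otherwise glue the new key onto the previous line and make sshd reject both. The function name and the optional directory argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: an idempotent equivalent of
#   cat ~/.ssh/machineCLI_dsa.pub >> ~/.ssh/authorized_keys
# Usage (on machineSERV):  install_authorized_key ~/.ssh/machineCLI_dsa.pub
# The optional second argument (the .ssh directory) is this example's own;
# it defaults to ~/.ssh, which is where OpenSSH's sshd looks.

install_authorized_key() {
    pubkey="$1"
    sshdir="${2:-$HOME/.ssh}"
    authkeys="$sshdir/authorized_keys"

    # A public key file is exactly one line: key type, base64 blob, comment.
    # awk's NR also counts a final line that has no trailing newline.
    if [ "$(awk 'END { print NR }' "$pubkey")" -ne 1 ]; then
        echo "refusing: $pubkey must contain exactly one line" >&2
        return 1
    fi
    keyline=$(cat "$pubkey")
    set -- $keyline          # split on whitespace: $1 = type, $2 = blob
    if [ "$#" -lt 2 ]; then
        echo "refusing: $pubkey does not look like 'type base64 [comment]'" >&2
        return 1
    fi
    ktype="$1"; kblob="$2"

    # With its default StrictModes, sshd ignores authorized_keys when the
    # directory or the file is writable by others, so set the modes explicitly.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    [ -e "$authkeys" ] || : > "$authkeys"
    chmod 600 "$authkeys"

    # Already present? Compare type and blob only; the comment may differ.
    # (Lines carrying a leading options field are not matched, which at worst
    # means one redundant append.)
    if awk -v t="$ktype" -v b="$kblob" \
           '$1 == t && $2 == b { found = 1 } END { exit !found }' "$authkeys"; then
        echo "already present in $authkeys ($ktype key)"
        return 0
    fi

    # If the file does not end with a newline, appending would join the new
    # key onto the last existing line; tail -c 1 is empty only after a newline.
    if [ -s "$authkeys" ] && [ -n "$(tail -c 1 "$authkeys")" ]; then
        printf '\n' >> "$authkeys"
    fi
    printf '%s\n' "$keyline" >> "$authkeys"
    echo "installed $ktype key into $authkeys"
}
```

Source the file and call the function with the path of the copied public key; it prints what it did and returns non-zero only when the input does not look like a public key.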
Let's verify some file permissions for ~/.ssh/ on machineCLI:
{{{
~/.ssh/                    drwx------  (chmod 700)
~/.ssh/authorized_keys     -rw-------  (chmod 600)
~/.ssh/id_dsa              -rw-------  (chmod 600)
~/.ssh/machineCLI_dsa.pub  -rw-r--r--  (chmod 644)
~/.ssh/known_hosts         -rw-r--r--  (chmod 644)
}}}
OK. This is fine and dandy, but every time we use the private key, we need to decrypt it by entering the passphrase, which can get tedious. Luckily, a full ssh2 implementation includes a handy program called ssh-agent. You can tell ssh-agent your passphrase at the beginning of a login session on machineCLI. Then, for the rest of that session, any time you need to ssh to our servers (or anywhere else), ssh-agent will supply the private key for you.

But wait! There's more... There is another program, written by Daniel Robbins of Gentoo fame, called [http://www.gentoo.org/proj/en/keychain.xml keychain] that will remember your key until you reboot machineCLI.

Install keychain on machineCLI. There is a package for sarge:
{{{
apt-get install keychain
}}}
or you can get the source from [http://dev.gentoo.org/~agriffis/keychain/ Gentoo] and install:
{{{
cd /usr/local
wget http://dev.gentoo.org/~agriffis/keychain/keychain-2.6.1.tar.bz2
bunzip2 keychain-2.6.1.tar.bz2
tar -xvf keychain-2.6.1.tar
cd keychain-2.6.1
install -m0755 keychain /usr/bin/keychain
}}}
Next, add some keychain commands to ~/.bash_profile on machineCLI (the file sourced on the second line is named after machineCLI's hostname, so substitute yours):
{{{
keychain id_dsa
. ~/.keychain/machineCLI-sh
}}}
Log out of machineCLI and then back in. keychain should cause ssh-agent to ask for your passphrase. Once you've done that, you shouldn't have to enter your passphrase again until reboot. Then
{{{
ssh machineSERV
}}}
and marvel that machineSERV didn't ask you for a password!

Next, you'll probably want to redo this process, but from machineSERV to machineCLI. Luckily, the keychain program is already installed on machineSERV, so just follow this process again, except switch the machines.
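The permissions table above, turned into a check you can run on either machine, as an added shell example that is not part of the original page: it compares each entry that exists against the mode the page expects, reports every mismatch, and returns the number of mismatches (0 means everything is as listed). Public keys are matched by their .pub suffix so that both id_dsa.pub and the copied machineCLI_dsa.pub are covered, and id_rsa is included because the page says rsa is a drop-in replacement for dsa. The function names and the directory argument are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: audit a .ssh directory against
# the mode table above. Usage:  check_ssh_perms [DIR]   (DIR defaults to ~/.ssh)
# Exit status is the number of entries with the wrong mode.

check_mode() {
    # Compare the type-and-rwx columns of ls -ld (first ten characters)
    # with the expected string, e.g. "-rw-------".
    have="$(ls -ld "$1" | cut -c1-10)"
    if [ "$have" = "$2" ]; then
        echo "ok    $1 $have"
    else
        echo "WRONG $1 is $have, want $2"
        return 1
    fi
}

check_ssh_perms() {
    sshdir="${1:-$HOME/.ssh}"
    bad=0
    # name:expected-mode. Absent entries are skipped, since a client box
    # usually has no authorized_keys and only one of id_dsa/id_rsa.
    # ssh refuses a private key that others can read, and sshd (StrictModes)
    # ignores authorized_keys that others can write, so these matter.
    for entry in \
        ".:drwx------" \
        "authorized_keys:-rw-------" \
        "id_dsa:-rw-------" \
        "id_rsa:-rw-------" \
        "known_hosts:-rw-r--r--"
    do
        name="${entry%%:*}"
        want="${entry#*:}"
        path="$sshdir/$name"
        [ -e "$path" ] || continue
        check_mode "$path" "$want" || bad=$((bad + 1))
    done
    # Every public key (id_dsa.pub, machineCLI_dsa.pub, ...) should be 644.
    for path in "$sshdir"/*.pub; do
        [ -e "$path" ] || continue
        check_mode "$path" "-rw-r--r--" || bad=$((bad + 1))
    done
    return "$bad"
}
```

Because the return value is the mismatch count, `check_ssh_perms && echo fine` reads naturally in a login script, and the printed lines show exactly which chmod from the table to apply.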
== For MS-Windows clients (use PuTTY and PuTTYgen/Pageant) ==

[http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html Get PuTTY here]
 * PuTTY is the client
 * PuTTYgen is for one-time key generation
 * Pageant is a tiny long-running process that remembers your private key -- analogous to keychain for Unix

=== Basic steps: ===
 * Generate a public/private keypair
 * The private key stays on machineCLI, and the public key goes on machineSERV
 * Encrypt the private key using a passphrase
 * Append your public key to machineSERV:~/.ssh/authorized_keys
 * Configure PuTTY to authenticate using your private key
 * Once this is done, you can log in using keys instead of passwords, though you still need to decrypt your private key every time using the passphrase
 * Configure Pageant to remember your passphrase

For visual learners, take a look at Howtoforge's [http://www.howtoforge.com/ssh_key_based_logins_putty Key-Based SSH Logins With PuTTY].

=== Detailed instructions: ===
Run PuTTYgen. In the bottom pane, Parameters, choose SSH2-DSA, and then click Generate. The program will ask you to move the mouse around to inject randomness. Then, the top pane will show your public key. Copy this text to the clipboard (ctrl-C). Keep PuTTYgen open.

The text copied to the clipboard should be in the following general format: the text 'ssh-dss' followed by a single space, then a long seemingly-random string of ASCII printable characters, then a single space, and finally the text 'dsa-key-YYYYMMDD' where YYYYMMDD represents today's date. There should be no newlines at all.

Next, we need to add this public key to machineSERV:~/.ssh/authorized_keys. Log in to machineSERV using PuTTY and enter your password as normal. Load ~/.ssh/authorized_keys using an editor such as vi, emacs, pico, etc. Place the cursor on the empty line at the end of the file and paste your public key (right-click pastes in PuTTY) into authorized_keys so that the public key is appended to the file.
Save this file and log out of machineSERV.

Switch back to PuTTYgen and enter and confirm your passphrase (in the 'Key' pane). Click on Save Private Key, and remember the location where you save it.

Next, close and reload PuTTY. If you have already saved a session, highlight it, then click Load to load its configuration. Otherwise, enter 'hcoop.net' into the Host Name field near the top, type a descriptive name (like hcoop or fyodor) into the Saved Sessions field, and then click Save.

Now, with the hcoop connection loaded, open up the SSH tree under Connection in the left pane. Under Auth, enter the location of your private key file in the bottom field. Click on Session (top level) in the left pane, and then Save in the right pane, to save this configuration.

Double-click the newly-configured connection to attempt a connection. You should be asked for a login and passphrase.

If you can successfully authenticate, the last step is to run Pageant so that we can skip the passphrase. When you run Pageant, you should have an icon in your systray. Double-click this icon and click Add Key. Browse for your saved private key, enter your passphrase, and you're done. Try reloading the hcoop connection to confirm that you can log in without a passphrase.

For one final trick, prepend your username to the hostname field of the connection (e.g. username@hostname.com), and PuTTY will only require a double-click for you to log in.
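A check for the clipboard text described under 'Detailed instructions' above, as an added shell example that is not part of the original page: run it on machineSERV against the line you pasted into authorized_keys to confirm it is a single line of the form 'ssh-dss <base64> dsa-key-YYYYMMDD' (the rsa equivalent is accepted as well, since the page says rsa is a drop-in substitute) and, where a base64 utility is available, that the blob really decodes to a key of that type, which is how a partial or mangled paste shows up. The function name is this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: validate one pasted PuTTYgen
# public-key line, e.g. the last line of authorized_keys after the paste:
#   check_putty_pubkey_line "$(tail -n 1 ~/.ssh/authorized_keys)"
# Returns 0 if the line matches the format described above, 1 otherwise,
# printing the reason on stderr.

check_putty_pubkey_line() {
    line="$1"
    nl='
'
    cr="$(printf '\r')"

    # "There should be no newlines at all": a stray CR or LF from the Windows
    # clipboard is the most common way this step goes wrong.
    case "$line" in
        *"$nl"*) echo "reject: line contains a newline" >&2; return 1 ;;
        *"$cr"*) echo "reject: line contains a carriage return" >&2; return 1 ;;
    esac

    # type, single space, base64, single space, comment with an 8-digit date
    if ! printf '%s\n' "$line" |
         grep -Eq '^(ssh-dss|ssh-rsa) [A-Za-z0-9+/]+=* (dsa|rsa)-key-[0-9]{8}$'; then
        echo "reject: not 'ssh-dss <base64> dsa-key-YYYYMMDD' (or the rsa equivalent)" >&2
        return 1
    fi

    # The type word and the comment must agree (ssh-dss goes with dsa-key-...).
    ktype="${line%% *}"
    comment="${line##* }"
    case "$ktype:$comment" in
        ssh-dss:dsa-key-*|ssh-rsa:rsa-key-*) ;;
        *) echo "reject: key type $ktype does not match comment $comment" >&2; return 1 ;;
    esac

    # The blob is the SSH wire encoding: a 4-byte length followed by the type
    # string again ("ssh-dss" or "ssh-rsa"). Check it when base64 is present
    # (GNU coreutils and recent macOS accept -d).
    if command -v base64 >/dev/null 2>&1; then
        blob="${line#* }"; blob="${blob%% *}"
        inner="$(printf '%s' "$blob" | base64 -d 2>/dev/null | dd bs=1 skip=4 count=7 2>/dev/null)"
        if [ "$inner" != "$ktype" ]; then
            echo "reject: base64 blob does not decode to a $ktype key" >&2
            return 1
        fi
    fi
    echo "ok: $ktype key, comment $comment"
    return 0
}
```

The two-stage check (text shape first, then the decoded type prefix) catches the typical paste failures separately: a wrapped or truncated line fails the first stage with a format message, while a blob copied from a different key, or with characters dropped, fails the second.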