
Quickstart: SSH Public Key Infrastructure

The following quickstart was copied from

By Jim Weller

The purpose of this document is to quickly step you through using
passwordless authentication to connect to servers using the SSH2
protocol. This document is unique in that it unifies all the clients
and servers under a single identity. This document is very coarse
and expects that you'll follow along with the videos and only
use the notes as a supplement.


  1. Commercial SSH client version 3.2 or higher installed.
  2. Commercial SSH Accession agent.
  3. PuTTY SSH2 client suite.
  4. OpenSSH environment. Cygwin is shown here, but Linux, Mac OS X, BSD, Solaris and many others apply.

Video Guides

Terse Text Notes

Generating Private and Public Keys

A - Pick a strong password. You'll need to remember it because you'll type it
a couple of times during this setup and once every Windows login after that.

B - Generate a key using commercial SSH.
1 edit->settings->keys->new key
Key Type: DSA
Key Length: 2048
Name: dsa2048_commssh
Password: leave blank
Comment: leave blank

C - convert the key to openssh private key format and set a password
on it. You'll have to move the key you created above to a location
where you can use ssh-keygen from the openssh package. Either cygwin
or an openssh unix box (like linux/mac) or whatever you have handy.

# convert the (unencrypted) commercial ssh private key to an openssh private key
ssh-keygen -i -f dsa2048_commssh > dsa2048_openssh
# the redirect creates the file with your umask; private keys must be owner-only
chmod 600 dsa2048_openssh
# derive the openssh public key from the openssh private key
ssh-keygen -y -f dsa2048_openssh > dsa2048_openssh.pub
# convert the openssh public key to commercial ssh (RFC 4716) public key format
ssh-keygen -e -f dsa2048_openssh.pub > dsa2048_commssh.pub
# finally set a password on the openssh private key
# (omit -N to be prompted; a passphrase on the command line ends up in shell history)
ssh-keygen -p -N password -f dsa2048_openssh

D - go back to commercial SSH and change the password to match.

E - Use puttygen to convert the openssh key to a PuTTY key. Set your
password while doing it. You only need to save a private key.

Now you have the same private key in 3 files, one per client format,
all protected by the same passphrase. The private keys must be
kept very secure. Never share them or leave them lying around. Make a
backup copy to put in a vault, firebox, or ziploc bag.

You also have two public key files, one for each brand of server.
These are not critical files. You'll share them with the servers you
want to connect to. As shown above, you can always re-create the
public keys from the private keys.

Just remember the server gets the public key of its flavor. The client
uses the private key of its flavor.

Making the Connection

Here are all the connection combinations:

c - commercial ssh
o - openssh
p - putty

Client -> Server
c -> c
o -> c
p -> c

c -> o
o -> o
p -> o

You don't have to learn all six. You just need to learn 5 things: 2
ways to put public keys on servers and 3 clients that connect using
private keys.


You have to connect to the server at least once with a password in
order to perform these operations. Very high security environments
might have someone else do this for you. Either way, you have
to have your account on the server configured to accept your
public key.

1 - OpenSSH server

connect to the server
# mkdir .ssh
# chmod 700 .ssh
# cd .ssh
copy the OpenSSH public key file and append it to authorized_keys

2 - Commercial SSH server

connect to the server
# mkdir .ssh2
# chmod 700 .ssh2
# cd .ssh2
copy the commercial ssh public key file and put it in its own file on the server
add a line to the authorization file to reference your key
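The two server-side procedures above, as an added example script that is not part of Jim Weller's quickstart. It assumes the public key file has already been copied to the server and that the target account's home directory is passed as the first argument; the key material in the demo is constructed, not a real key.

```shell
#!/bin/sh
# Added example: install a public key on either flavor of server with the
# owner-only permissions that sshd's StrictModes checks, and without
# duplicating lines when re-run.

# OpenSSH server: one key per line in ~/.ssh/authorized_keys.
install_openssh_key() {
    home=$1 pub=$2
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"   # sshd rejects group/world-writable files
    # Append only if this exact line is not already present.
    grep -qxF -- "$(cat "$pub")" "$home/.ssh/authorized_keys" ||
        cat "$pub" >> "$home/.ssh/authorized_keys"
}

# Commercial SSH (ssh2) server: the key lives in its own file under ~/.ssh2
# and is referenced by a "Key <filename>" line in ~/.ssh2/authorization.
install_ssh2_key() {
    home=$1 pub=$2 name=$(basename "$2")
    mkdir -p "$home/.ssh2" && chmod 700 "$home/.ssh2"
    cp "$pub" "$home/.ssh2/$name" && chmod 600 "$home/.ssh2/$name"
    touch "$home/.ssh2/authorization"
    chmod 600 "$home/.ssh2/authorization"
    grep -qxF -- "Key $name" "$home/.ssh2/authorization" ||
        echo "Key $name" >> "$home/.ssh2/authorization"
}

# Permission string of a path (e.g. "drwx------") for a quick audit.
mode_of() { ls -ld "$1" | cut -c1-10; }

# How many times an exact line appears in a file (should stay 1 after re-runs).
count_line() { grep -cxF -- "$1" "$2"; }

# Exercise both installers in a temp dir with a constructed (fake) key.
# Prints the temp dir so the result can be inspected.
demo() {
    tmp=$(mktemp -d)
    echo 'ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLE constructed@example' > "$tmp/dsa2048_openssh.pub"
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----' 'AAAAB3NzaC1kc3MAAACBAEXAMPLE' \
        '---- END SSH2 PUBLIC KEY ----' > "$tmp/dsa2048_commssh.pub"
    install_openssh_key "$tmp" "$tmp/dsa2048_openssh.pub"
    install_openssh_key "$tmp" "$tmp/dsa2048_openssh.pub"   # second run adds nothing
    install_ssh2_key "$tmp" "$tmp/dsa2048_commssh.pub"
    echo "$tmp"
}
```

Call `demo` to see both layouts side by side; `mode_of` on the resulting `.ssh` and `.ssh2` directories should print `drwx------`.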


By default you have to authenticate against your key every time you
connect to a server. This is good for security because you never send
a password over the wire; the client only proves that it holds the
private key. It's a pain for you though. That's why most clients have
an "agent" which runs in the background on your computer and remembers
the keys you authenticated against. It's very convenient.

COOL!: Once the ssh-agent is running, you can eject your USB keychain. The
authentication ends when you either (1) kill the agent, (2) exit your Windows
session (killing the agent), or (3) deallocate the key from the running agent.

1 - PuTTY and Pageant
start pageant.exe
right click the icon->add key
browse for your .PPK key
select the PPK key
type the key's password
launch putty sessions to servers having the key

2 - Commercial SSH Client and Accession
start accession
click add key
browse for your dsa2048_commssh
type the key's password
launch commercial ssh sessions to servers having the key

3 - OpenSSH client, ssh-agent, and ssh-add

ssh-agent bash --login
# bash --login could be another program like X or xterm or login
ssh-add /YourUsbKeyStore/dsa2048_openssh
# type your password
# launch openssh sessions to servers having the key
# ssh-add -l lists the loaded keys; ssh-add -D deallocates them (option 3 above)

Getting your public key into banner
-----------------------------------

banner (aka Toklat) is a commercial SSH server, so all the
notes I presented earlier about commercial SSH servers still apply. banner
differs because statewide does not give you a standard
shell like bash or csh. They give you a homegrown menu system that
keeps you in a sandbox.

S for shell commands
D for directory commands
2-y-.ssh2 to make the .ssh2 directory
1-y-.ssh2 to change to the .ssh2 directory
R to return to the main menu
4 or 5 to edit a file with emacs or vi respectively (this is the file from the videos). Paste your commercial public key into the file.
4 or 5-y-authorization to add the 'Key' line to this file just like in the videos

You're done. You should be able to SSH in using public key
authentication. I don't know yet how this relates to your password on
glacier, but I assume you'll never need to worry about it, which is
fine as this is a billion times more secure.
