The lines I included were the ones that I changed in the default /etc/ssh/sshd_config file. Although the "UsePam=Yes" line is the same, the other changes disable user/password authentication, so PAM is just used to check that the account exists and to enforce limits on the user.
You create a key pair on the client machine using the "ssh-keygen" program. This creates a public and a private key in ~/.ssh/. If you generate an RSA key pair they will be called ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub. The ~/.ssh/id_rsa.pub is the public key.
Here is a sample public key (id_rsa.pub) that I generated for this post. The ssh-keygen program asked for a keyphrase which I included as well. This keyphrase will scramble the private key so that it can only be unlocked and usable after entering the keyphrase. You will be prompted for it at the client when you use ssh to connect to any server.
Code:
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAynpqS6uWZSM7G2+Rx+02YJ+mfrSWkqbMlHYllfaRCohagv/y+FX7MFQfV0J4R0dwGcAua15jn0Xmk7yA+QAN0PczjdL/PHQwpOtNLoLm2w2rXkm5EVEtJzLzcrfA71VJE4B9v2VDTA2cABJ16l0wX8OcBJM1Yk8PP5/x2nBowyDCdPFcgGjnTzSW/Gu4nuwOQbt2/Y8Mk7YIHPO+PrXUJidx07r30/hwtqp/eIbtSvUNn/bHJnApluAjoqWpadXOYM8L363FmbF/Eo7KeaGfVpBR/ELHFTalLtk2w1HBPN3YKFDS6JRO3qU7rDJHHqerFmRZinqF6z9zPD+yqMleTw== jschiwal@hpamd64
In my case I would log into a server named "hpmedia". So I need to log into hpmedia and add this key (id_rsa.pub) to the authorized keys file:
Code:
cat id_rsa.pub >> ~/.ssh/authorized_keys
Notice that at the end of the public key is the name of the user and the hostname of the client.
Next I would edit the /etc/ssh/sshd_config file on the server (hpmedia) and make the changes I listed in my last post. Then I would restart the sshd daemon on the server.
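Two helpers for the steps above, as an added example that is not from the original post: the first appends a public key to authorized_keys only once and sets the ~/.ssh permissions that sshd's StrictModes (on by default) requires before it will read the file; the second reads an sshd_config file the way sshd does, where the first occurrence of a keyword wins, so a directive that disables password logins has no effect if an earlier line already set it. The key and config used in the comments are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the original post's code.
#
# add_authorized_key KEYFILE AUTHKEYS
#   Append every key line in KEYFILE to AUTHKEYS unless it is already there.
#   Creates the directory and file with the modes sshd's StrictModes expects
#   (700 on ~/.ssh, 600 on authorized_keys); group- or world-writable files
#   are silently ignored by sshd, which looks like "key not accepted".
add_authorized_key() {
    keyfile=$1
    authkeys=$2
    sshdir=$(dirname "$authkeys")

    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authkeys"
    chmod 600 "$authkeys"

    # Skip blank and comment lines; -F treats the base64 literally, -x matches
    # the whole line, so a key already present is not appended a second time.
    grep -Ev '^[[:space:]]*(#|$)' "$keyfile" | while IFS= read -r line; do
        if ! grep -qxF -- "$line" "$authkeys"; then
            printf '%s\n' "$line" >> "$authkeys"
        fi
    done
}

# sshd_effective CONFIG KEYWORD
#   Print the value sshd would use for KEYWORD. Per sshd_config(5) the first
#   value found is the one used, keywords are case-insensitive, and both
#   "Keyword value" and "Keyword=value" are accepted. Anything after the first
#   "Match" line is conditional, so the scan stops there. Prints nothing when
#   the keyword is not set (sshd then uses its built-in default).
sshd_effective() {
    config=$1
    keyword=$2
    awk -v kw="$keyword" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            split(line, f, /[[:space:]]+/)
            key = f[1]; val = f[2]
            eq = index(key, "=")
            if (eq > 0) { val = substr(key, eq + 1); key = substr(key, 1, eq - 1) }
            if (val == "=") val = f[3]
            if (tolower(key) == "match") exit
            if (tolower(key) == tolower(kw)) { print val; exit }
        }' "$config"
}

# Example usage (constructed paths):
#   add_authorized_key ~/id_rsa.pub ~/.ssh/authorized_keys
#   sshd_effective /etc/ssh/sshd_config PasswordAuthentication   # e.g. "no"
```

From the client side, ssh-copy-id performs the same append with the same permission fixes; the function above is the server-side equivalent when you already have the .pub file in hand, as in the post. Run sshd_effective for PasswordAuthentication and ChallengeResponseAuthentication after editing and before restarting sshd, since a stray earlier "yes" in the distribution default file would quietly override your change.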
---
If your client is a windows machine, I would recommend installing Cygwin/X. This will install an X server and a bare-bones Unix-like system that can run Linux scripts, console programs and the fvwm2 window manager. Using this you can run gui programs remotely on the server and have them displayed on your local X server display.
Another option is to use putty. Putty has a puttygen.exe (I got the name wrong in the last message) program. You can use this program to run a keypair in putty. The files will have a .ppk extension. You can use this program to generate a private and public key pair in windows and then save the key. If you already have a key pair generated you can click on "Load Private Key". There is a line at the top of the dialog that says:
Public key for pasting into OpenSSH authorized_keys file:
The public key is displayed. Highlight and copy the public key and save it into a scrap file. Add that key to the end of the ~/.ssh/authorized_keys file on the server.
---
Now when you log in from your client (such as a laptop) to the server (the Ubuntu server), the client (laptop) will use its private key (~/.ssh/id_rsa) to send a message to the server. The server will only be able to decode this message by using the public key that you added to the ~/.ssh/authorized_keys file. Without the public key, the private key won't make any sense and the authentication will fail.
---
If you use a passphrase (which I highly recommend) you will need to enter the passphrase at the client to unlock the private key before using it. It can be a pain to do this every time you log in to a remote server. You can do this once using two programs, ssh-agent and ssh-add. You run this at the console before logging in, like this:
Code:
eval $(ssh-agent)
ssh-add
You will be prompted for the passphrase. It will be held securely in memory and used to unlock the private key every time you log into an ssh server.
Suppose someone steals the files from your laptop! They now have your key pair (very bad). But because it is passphrase protected, they can't unlock the private key without your passphrase. The only way to unlock the private key is by brute force, trying different passphrases.
Good Luck!