You probably already know how to use SSH to securely log in to remote hosts over the Web. In this article, take things a little further by using SSH to encrypt connections to other ports as well. Scenarios covered include securing your mail server connection so that your mail password is always protected and creating secure pathways through firewalls for trusted hosts.
The procedure for using SSH-based private/public key authentication to log into a remote server is very simple. I'll explain it with an example, which assumes that the remote server is named "brutus" and the local system, or client, is named "olympus".
The first thing you need to do is generate a key pair for yourself. Log in to "olympus", and run this command from your shell:
[me@olympus] $ /usr/local/bin/ssh-keygen -t rsa
The key generator will go to work generating a key pair for you.
Generating public/private rsa key pair.
Enter file in which to save the key (/home/me/.ssh/id_rsa):
Created directory '/home/me/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/me/.ssh/id_rsa.
Your public key has been saved in /home/me/.ssh/id_rsa.pub.
The key fingerprint is:
f6:41:99:d8:a5:d1:fb:e7:93:86:7e:e6:4f:01:d9:5b
As part of the key generation process, you'll be asked for a passphrase for your private key. This is optional - you can enter an empty passphrase - but recommended. Your passphrase may be any combination of letters and numbers, and can also be a complete sentence. Should you decide to change it later, simply use
[me@olympus] $ /usr/local/bin/ssh-keygen -p
Your public key will be saved to "~/.ssh/id_rsa.pub" while your private key will be located in "~/.ssh/id_rsa".
The public key may be distributed to all and sundry, and should be world-readable. The private key should not be readable by anyone but the owner. Remember that in public-key cryptography, it is computationally infeasible to derive the private key from the public key - which is why this authentication method is so secure.
Next, you need to add this public key to the remote server. Telnet to "brutus" (the remote host), log in and create a directory in your home area named ".ssh". Within that directory, create a file named "authorized_keys" and insert the contents of your "~/.ssh/id_rsa.pub" on "olympus" into that file.
This "authorized_keys" file contains the public keys which are authorized to log in to your account on "brutus". Each key in the file should be on a separate line. Ensure that the file has 0600 permissions, while the "~/.ssh" directory has 0700 permissions.
If you don't have telnet access to the remote host, you could also upload your "id_rsa.pub" file via FTP and rename it to "authorized_keys". Alternatively, if you're trying to set this up on a restricted server, you might need to email the system administrator with your public key so that he can add it to the appropriate file.
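The authorized_keys setup described above, as an added shell example that is not part of the original article: it installs a public key line into an account's .ssh directory with the 0700/0600 permissions the text requires, refuses to add a duplicate, and checks the result. The function names, the temporary directory layout and the sample key line are the example's own, not anything from OpenSSH.

```shell
#!/bin/sh
# Added example (not from the original article). Installs a public key into
# a target account's authorized_keys as the article describes and verifies
# the permissions sshd expects (0700 on ~/.ssh, 0600 on authorized_keys).

# Print the octal permission bits of a path (GNU stat first, then BSD stat).
perms_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# install_authorized_key HOME_DIR PUBKEY_FILE
# Creates HOME_DIR/.ssh (0700) if needed, appends each key line from
# PUBKEY_FILE that is not already present (one key per line), and leaves
# authorized_keys at 0600. Runs locally here; on a real setup these are the
# steps you perform in your account on the remote host ("brutus").
install_authorized_key() {
    ssh_dir="$1/.ssh"; auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir" && chmod 0700 "$ssh_dir"
    touch "$auth" && chmod 0600 "$auth"
    while IFS= read -r line || [ -n "$line" ]; do
        [ -z "$line" ] && continue                 # skip blank lines
        grep -qxF -- "$line" "$auth" && continue   # key already installed
        printf '%s\n' "$line" >> "$auth"
    done < "$2"
}

# check_key_perms HOME_DIR: exit 0 if the layout matches what the article
# requires, 1 otherwise (the same check sshd's StrictModes enforces).
check_key_perms() {
    ssh_dir="$1/.ssh"; auth="$ssh_dir/authorized_keys"
    [ "$(perms_of "$ssh_dir")" = "700" ] || return 1
    [ "$(perms_of "$auth")" = "600" ] || return 1
}

# key_count HOME_DIR: number of non-blank key lines in authorized_keys.
key_count() {
    grep -c . "$1/.ssh/authorized_keys"
}

# Demo on a constructed (not real) key line in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2E-CONSTRUCTED-SAMPLE-KEY me@olympus\n' \
        > "$tmp/id_rsa.pub"
    install_authorized_key "$tmp/brutus-home" "$tmp/id_rsa.pub"
    install_authorized_key "$tmp/brutus-home" "$tmp/id_rsa.pub"  # no duplicate
    check_key_perms "$tmp/brutus-home" && echo "permissions OK"
    echo "keys installed: $(key_count "$tmp/brutus-home")"       # 1, not 2
    rm -rf "$tmp"
}
demo
```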