≡ Menu

Comprehensive Guide for SSH2 Key based authentication setup

I explained previously how to Perform SSH and SCP without entering password on openSSH. In this article, I’ll explain how to setup the key based authentication on SSH2 and perform SSH/SCP without entering password using the following 10 steps.
1. Verify that the local-host and remote-host are running SSH2. Please note that ssh and scp is a symbolic link to ssh2 and scp2 respectively as shown below.

[local-host]$ ls -l /usr/local/bin/ssh /usr/local/bin/scp
lrwxrwxrwx  1 root root 4 Mar 10 22:04 /usr/local/bin/scp -> scp2
lrwxrwxrwx  1 root root 4 Mar 10 22:04 /usr/local/bin/ssh -> ssh2
[local-host]$ ssh -V
ssh: SSH Secure Shell (non-commercial version) on i686-pc-linux-gnu

[remote-host]$ ls -l /usr/local/bin/ssh /usr/local/bin/scp
lrwxrwxrwx  1 root root 4 Mar 10 22:04 /usr/local/bin/scp -> scp2
lrwxrwxrwx  1 root root 4 Mar 10 22:04 /usr/local/bin/ssh -> ssh2
[remote-host]$ ssh -V
ssh: SSH Secure Shell (non-commercial version) on i686-pc-linux-gnu

2. Generate key-pair on the local-host using ssh-keygen2. Typically ssh-keygen will be a soft-link to the ssh-keygen2 as shown below.

[local-host]$ ls -l /usr/local/bin/ssh-keygen
lrwxrwxrwx  1 root root 11 Mar 10 22:04 /usr/local/bin/ssh-keygen -> ssh-keygen2

[local-host]$ ssh-keygen
Generating 2048-bit dsa key pair
2 oOo.oOo.oOo.
Key generated.
2048-bit dsa, jsmith@local-host, Sat Jun 21 2008 23:10:20 -0700
Passphrase :<Enter the passphrase>
Again      :
Private key saved to /home/jsmith/.ssh2/id_dsa_2048_b
Public key saved to /home/jsmith/.ssh2/id_dsa_2048_b.pub

The public key and private key are stored in .ssh2 folder under your home directory. In this example, it is under /home/jsmith/.ssh2. You should not share the private key with anybody.

By default the ssh-keygen2 generates DSA key pair. You can also generate RSA key pair using: ssh-keygen -t rsa command.
3. Giver proper permission to the .ssh2 directory as shown below.

[local-host]$ chmod 755 ~/.ssh2/
[local-host]$ chmod 644 ~/.ssh2/id_dsa_2048_b.pub
[local-host]$ chmod 644 ~/.ssh2/authorization

4. Identify the private-key on the client machine. On the local-host, add the private key to the SSH2 identification file as shown below. If the identification file not present, create a new file. If the file is present, append the private key file-name that is generated from the above step to the identification file in the “IdKey {private-key file-name}” format as shown below.

[local-host]$ cat /home/jsmith/.ssh2/identification
IdKey id_dsa_2048_a
IdKey id_dsa_2048_b

5. Copy the public key to remote-host.

Copy the /home/jsmith/.ssh2/id_dsa_2048_b.pub file from the local-host to the remote-host /home/jsmith/.ssh2/id_dsa_2048_b.pub.  You can perform a vi /home/jsmith/.ssh2/id_dsa_2048_b.pub on the remote-host and copy the content of the public key from the local-host.

[remote-host]$ cat /home/jsmith/.ssh2/id_dsa_2048_b.pub
Subject: jsmith
Comment: "2048-bit dsa, jsmith@local-host, Sat Jun 21 2008 23:10:\
20 -0700"


6. Create authorization file on the remote-host as shown below. This autorization file should contain the name of the public key that was copied from local-host to remote-host as mentioned in the previous step. Please note that the format of this file is “Key {public-key file-name}“.

[remote-host]$ cat /home/jsmith/.ssh2/authorization
Key id_dsa_2048_b.pub

7. Login from the local-host to remote-host using the SSH2 key authentication to verify whether it works properly.

[local-host]$ ssh -l jsmith remote-host <You are on local-host here>
Passphrase for key "/home/jsmith/.ssh2/id_dsa_2048_b" with comment "2048-bit dsa, jsmith@local-host, Sat Jun 21 2008 23:10:20 -0700": <Enter your passphrase here>
Last login: Sat Jun 21 2008 23:13:00 -0700 from
No mail.
[remote-host]$ <You are on remote-host here>

There are two ways to perform ssh and scp without entering the password:

  1. No passphrase. While creating key pair, leave the passphrase empty. Use this option for the automated batch processing. for e.g. if you are running a cron job to copy files between machines this is suitable option. You can skip the next step steps for this method.
  2. Use passphrase and SSH Agent. If you are using ssh and scp interactively from the command-line and you don’t want to use the password everytime you perform ssh or scp, I don’t recommend the previous option (no passphrase), as you’ve eliminated one level of security in the ssh key based authentication. Instead, use the passphrase while creating the key pair and use SSH Agent to perform ssh and scp without having to enter the password everytime as explained in the steps below.

8.  Start the SSH Agent on local-host to perform ssh and scp without having to enter the passphrase several times.

[local-host]$ ssh-agent $SHELL

9. Load the private key to the SSH agent on the local-host.

[local-host]$ ssh-add
Adding identity: /home/jsmith/.ssh2/id_dsa_2048_b.pub
Need passphrase for /home/jsmith/.ssh2/id_dsa_2048_b (2048-bit dsa, jsmith@local-host, Sat Jun 22 2008 23:10:20 -0700).
Enter passphrase: <Enter your passphrase here>

10. Perform SSH or SCP to remote-home from local-host without entering the password.

[local-host]$<You are on local-host here>

[local-host]$ ssh -l jsmith remote-host
Last login: Sat Jun 07 2008 23:03:04 -0700 from
No mail.
<ssh did not ask for passphrase this time>
[remote-host]$ <You are on remote-host here>

Please leave your comments and feedback regarding this article. If you like this post, I would really appreciate if you can subscribe to The Geek Stuff.

If you enjoyed this article, you might also like..

  1. 50 Linux Sysadmin Tutorials
  2. 50 Most Frequently Used Linux Commands (With Examples)
  3. Top 25 Best Linux Performance Monitoring and Debugging Tools
  4. Mommy, I found it! – 15 Practical Linux Find Command Examples
  5. Linux 101 Hacks 2nd Edition eBook Linux 101 Hacks Book

Bash 101 Hacks Book Sed and Awk 101 Hacks Book Nagios Core 3 Book Vim 101 Hacks Book

{ 11 comments… add one }

  • Siddharth June 26, 2008, 1:30 am

    Looks like you are a great coder 😉

  • Ajay June 26, 2008, 3:24 am

    this blog content is perfect for a software developer
    can pariticipate with you in this blog to share my Microsoft technologies exp.

  • narendra.s.v June 26, 2008, 7:31 am

    this is what my bro(may be love this) is look for! thanks for the share

  • Ramesh June 26, 2008, 9:44 am


    Thanks for the nice compliment. Linux is one of my passion and I’ve done intensive work on it.


    I’ll get in touch with you to figure out the details of how you can write articles about microsoft technologies at the geek stuff.


    I’m glad this guide was helpful for you.

  • Anonymous July 15, 2008, 11:16 pm

    the permissions should be 700 instead of 744 and 600 instead of 644
    easier to send the public key with ssh-copy-id
    example: ssh-copy-id -i .ssh/id_dsa.pub user@host
    then try it:
    ssh user@host

  • Frank Foehrenbach April 8, 2009, 9:58 am

    In step 5, you change the name of the file when you copy it. Is there a reason for this or was this just a typo? Thanks for this info. It was helpful. I will be subscribing to your website.

    5. Copy the public key to remote-host.

    Copy the /home/jsmith/.ssh2/id_dsa_2048_b.pub file from the local-host to the remote-host /home/jsmith/.ssh2/id_dsa_1024_b.pub. You can perform a vi /home/jsmith/.ssh2/id_dsa_1024_b.pub on the remote-host and copy the content of the public key from the local-host.

  • Ramesh April 10, 2009, 5:01 pm


    Thanks for your feedback. I also wrote another article where it talks about how to use ssh-copy-id to perform the passwordless login.
    Thanks a lot for pointing it out. it was a typo. But, even with that typo that scenario would’ve worked, as you can name the public-key file anything you want, as long as the name is same on step#5 and step#6.
    I’ve updated the document accordingly to reflect the proper file name in step#5 and step#6.

  • Mst May 27, 2009, 9:46 am

    I am executing ssh-keygen2 on Local, which is running Solaris 7 . The command never “exits”

    [/home/xxx]: ssh-keygen -b 2048
    Generating 2048-bit dsa key pair
    3 o.oOo.oOo.o

    The number on the last lines keeps moving from 1 to 2 to 3 …. but the key is never generated. Any ideas?

  • Shanker March 28, 2011, 11:13 pm

    Excellent Work..Thanks you..

  • ketan March 12, 2012, 4:09 am

    Great Post. Could you tell if I am given ssh2 rsa public key to add to my server, do I need to necessarily have ssh2 installed and running. I don’t find .ssh2 directory under my home, just only .ssh.

  • yogarajan March 21, 2014, 4:38 am

    How to do the key exchange for the ssh version shown below:

    ssh: /opt/tectia/bin/sshg3

    sshg3: SSH Tectia Client 6.1.8 on x86_64-unknown-linux-gnu
    Build: 136

    ssh-keygen: /opt/tectia/bin/ssh-keygen-g3


    ssh–> /opt/tectia/bin/sshg3

    sshg3: SSH Tectia Client 6.1.4 on x86_64-unknown-linux-gnu
    Build: 83

    keygen–> /opt/tectia/bin/ssh-keygen-g3

    i tried the same step mentioned above, but its not working..

Leave a Comment