Configuring Public Key Authentication
Written by Matt Carpenter on 25-July-02.

This requires that each user have a key on the account from which they will be connecting (for Windows, this is handled by the SSH client, such as F-Secure's SSH Client).  On a Unix box, the public and private key files will probably be placed in ~/.ssh/ and will be called id_dsa/id_dsa.pub or id_rsa/id_rsa.pub (you want DSA).  Then, on the server machine, the account they are connecting as must have (basically) the contents of their id_dsa.pub in ~/.ssh/authorized_keys2 (or possibly ~/.ssh/authorized_keys).
 
To generate key files on a Unix box running OpenSSH, type:
 
ssh-keygen -t dsa
 
You will be asked for the name of the file (just the private key file; ".pub" is added onto this for the public file). The default is generally good (it depends on the ssh client's config, /etc/ssh/ssh_config).
You will be asked for a passphrase.  If you want your users to use a password on top of DSA keys, this is where it goes.  I don't normally do this, but it depends on the security of the client machine.
 
Make sure the id_dsa file is in the client's ~/.ssh/ directory and the contents of id_dsa.pub are in ~/.ssh/authorized_keys2 on the server, and you should be good to go.
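
The server-side step above as a script (an added example, not part of the original article): it appends a public key to authorized_keys2 only once, refuses a private key file pasted by mistake, and sets the owner-only permissions that sshd's StrictModes check expects. The function names are hypothetical and the key line in the demo is constructed, not a real key.

```shell
#!/bin/sh
# is_pubkey_line LINE -> 0 if LINE looks like an OpenSSH public key line
is_pubkey_line() {
    case "$1" in
        *"PRIVATE KEY"*) return 1 ;;            # private key file given by mistake
        "ssh-dss "?*|"ssh-rsa "?*) return 0 ;;  # key type followed by the key blob
        *) return 1 ;;
    esac
}

# install_pubkey PUBFILE SSHDIR
# Appends the key in PUBFILE to SSHDIR/authorized_keys2 unless it is already
# there. Returns 0 on success, 1 on unreadable or malformed input.
install_pubkey() {
    pubfile=$1 sshdir=$2
    [ -r "$pubfile" ] || return 1
    # A public key file is a single line; only the first line is read.
    IFS= read -r line < "$pubfile" || [ -n "$line" ] || return 1
    is_pubkey_line "$line" || return 1
    auth="$sshdir/authorized_keys2"
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    # Compare key type and blob only; the trailing comment field may differ.
    keypart=$(printf '%s\n' "$line" | cut -d' ' -f1,2)
    if ! grep -qF -- "$keypart" "$auth"; then
        printf '%s\n' "$line" >> "$auth"
    fi
    return 0
}

# perms_ok SSHDIR -> 0 if the directory and key file are private to the owner
perms_ok() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$1/authorized_keys2" | cut -c1-10)" = "-rw-------" ]
}

# Demo in a scratch directory, using a constructed (not real) key line.
demo=$(mktemp -d)
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLEONLY user@client.example\n' \
    > "$demo/id_dsa.pub"
install_pubkey "$demo/id_dsa.pub" "$demo/.ssh" &&
    perms_ok "$demo/.ssh" && echo "key installed, permissions ok"
rm -rf "$demo"
```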
 
NOTE: if your IP address or DNS name is going to be different from where you generated the keys, alter the end of the line in id_dsa.pub accordingly, or remove "@...." to allow any machine using that userID and public key to access that account.
