MacSSH SSH2 Key Exchange How-to

by Marion Bates <mbates at>
with much help from William Stearns <wstearns at>
Latest revision: January 25, 2002

NOTE: The methods here work for MacSSH 2.1fc2 on MacOS 9.1, connecting to a remote system running OpenSSH_3.0.2p1 OR the commercial SSH server software (I tested it with SSH Secure Shell 2.3.0). For other distributions, your mileage may vary.

First, make a key pair for MacSSH. If you've already done that and are confident
about it, skip to step 8.

1. Install MacSSH.

2. Go to Favorites menu and select Edit Favorites.

3. Make a new Favorite and in the General tab, enter an Alias and Hostname.

4. Under Security, make sure Protocol is set to ssh2, and enter your username in the Username field, but do NOT enter a password or any other information.

5. Under the SSH2 tab, hit the Initialize SSH... button.

6. In the windows that pops up, make sure Key Type is set to DSA (RSA is used for SSH1, which you want to avoid for security reasons.) Also make sure that the NIST level is set to the highest (8 - 1024 bit primes). Make sure the value of Label matches your username and the host address you are connecting from (the username is automatically filled in using whatever you have set for Owner Name in File Sharing, which may not match your login name, so watch out). Make sure "Encrypt private key" is checked.

7. Hit Create. If MacSSH complains that it can't overwrite existing key files, then you have already done this before. :) Unless you're sure they've been generated with the correct parameters, go into System Folder -> Preferences -> MacSSH and delete "identity" (your private key) and "" (your public key) and start over with the Initialize SSH button.

8. When it's finished generating keys and asking for your passphrase (the VERY SECURE password you will use to unlock your private key -- it should NOT be the same as your password on the remote host!) then hit the Export Public Key button (right below "Initialize SSH...").

9. Save the exported key somewhere where you can find it again.
Now for the actual public key installation.

10. Open up a terminal (SSH please :) to the machine you want to connect to, using the usual password authentication method. This is the last time you'll need to do that, if all goes well.

11. Take the exported public key you made ("") and somehow transfer it to the host machine. IMPORTANT: There are several ways to do this. You can open up an SFTP or SCP connection to the same host and upload "" that way (ASCII text, not binary!), or you open the file on your Mac (use something that won't try to mangle/spellcheck/etc, like BBEdit or Simpletext) and select all and copy it to the clipboard, then on the host, type the following:

cat > pubkey.txt <hit return>

<paste the clipboard contents into the terminal window>

<hit return and then ctrl-d>

Now you have a file called pubkey.txt which contains your public key. But there's still more to do.

12. In your home directory, there should be a .ssh directory (if not, make one.) cd to this directory.

13. If the server is running commercial SSH, skip to step 15. If there is an authorized_keys2 file, make a backup copy of it. In your terminal, type the following:

ssh-keygen -f /path-to/pubkey.txt -X >> ~/.ssh/authorized_keys2

(NOTE THE DOUBLE GREATER-THAN SIGNS -- this will APPEND your key to the authorized_keys2 file, if it exists, and will create it if it doesn't. If you use only one greater-than sign, and there is already an authorized_keys2 file, it will overwrite all the existing keys! If that happens, restore authorized_keys2 from the backup you made.)

14. This step may not be necessary at all, but I had to do it on my system. In
.ssh, do the following:

ln -s authorized_keys2 authorized_keys

This creates "authorized_keys" which is a symbolic link to the authorized_keys2 file. But this may break SSH version 1 and you probably don't want to do it if there is already an authorized_keys file. Please email me if you can clarify this.

15. For a commercial SSH server, you do not need to run the ssh-keygen command; the file generated by MacSSH is already in the proper format. The remote copy of this key file can have any name as long as it's in the .ssh2 directory on the remote machine. For our example we will call it There needs to be a file called ~/.ssh2/authorization, and it must have a line which says:


16. Make sure the .ssh directory and its contents, and your home directory, are
all owned by you. In this example, your username is egoldstein:

chown egoldstein ~ ~/.ssh ~/.ssh2 ~/.ssh/* ~/.ssh2/*

17. Change the modes of the directories and files as follows:

chmod 700 ~ ~/.ssh ~/.ssh2
chmod 600 ~/.ssh/* ~/.ssh2/*

18. Log out and select the Favorite you made in steps 2-4. MacSSH should ask for your passPHRASE (the one you entered when you created your key pair) and you should then be logged in. It should NOT ask you for your passWORD on the remote host. If it does, then something went wrong with the key authentication process. If you have the access privileges to do so, check the logs for error messages (/var/log/messages, /var/log/secure, or /var/log/auth.log, maybe elsewhere -- check /etc/ssh/sshd_config to see where it's logging to). If that doesn't give you any insight, try repeating the process above, maybe you missed a step. If that fails, find a guru. :)