Task - Set up OpenSSH client (public key) authentication

1) Log in to the client host as the user alice and generate an RSA client key pair. Use the name "identity" for the file name. Enter a unique passphrase for the user alice.

    $ ssh-keygen -t rsa -f /export/home/alice/.ssh/identity
    Generating public/private rsa key pair.
    Created directory '/export/home/alice/.ssh'.
    Enter passphrase (empty for no passphrase):
    Enter same passphrase again:
    Your identification has been saved in /export/home/alice/.ssh/identity.
    Your public key has been saved in /export/home/alice/.ssh/identity.pub.
    The key fingerprint is:
    5b:e6:39:ab:36:a3:0f:98:94:70:54:f0:60:92:b2:61 alice@simms

2) From the client, use the scp program to copy the user alice's public key up to the server. Be sure you know the user alice's password on the server. Have your partner reset the password for alice if your partner is not sure. Only the public key (identity.pub) leaves the client; the private key (identity) stays on the client host.

    $ scp .ssh/identity.pub server:/tmp
    The authenticity of host 'gabriel (10.10.1.12)' can't be established.
    RSA key fingerprint is 05:0e:2b:f7:25:31:f4:ea:84:d5:6b:5a:88:fa:04:fb.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'gabriel,10.10.1.12' (RSA) to the list of known hosts.
    alice@gabriel's password:
    identity.pub         100% |***********************************|   221       00:00

3) On the server, log in as the user bob. Copy the user alice's public key into the user bob's authorized keys file.

    $ mkdir .ssh
    $ cp /tmp/identity.pub .ssh/authorized_keys

Note that cp replaces any authorized_keys file bob already has; if bob already trusts other keys, append with "cat /tmp/identity.pub >> .ssh/authorized_keys" instead. sshd (with the default StrictModes yes) will ignore the file if bob's home directory, .ssh directory or authorized_keys file is writable by group or others, so check that the umask did not leave them writable.

4) On the client host, change the permissions on the user alice's public key to read only by alice. (ssh-keygen already created the private key, identity, with mode 0600; ssh refuses to use a private key that other users can read.)

    $ chmod 400 .ssh/identity.pub

5) On the client host as the user alice, attempt to connect with ssh to the server as the user bob.

    $ ssh -l bob server
    Enter passphrase for key '/export/home/alice/.ssh/identity':
    Last login: Thu Aug  1 20:31:14 2002 from simms
    Sun Microsystems Inc.   SunOS 5.8       Generic Patch   October 2001
    Sun Microsystems Inc.   SunOS 5.8       Generic Patch   October 2001
    $

Notice that the server IS NOT asking for a password. The prompt you see is the client asking for the passphrase that decrypts alice's RSA private key on the client host; the passphrase never travels to the server. Authentication is now placed entirely on the user alice's ability to decrypt the client private key on her host.

6) As root on the server, edit /etc/shadow and make the user bob's account a non-login account.

    # vi /etc/shadow
    bob:NP:11901::::::

7) As the user alice on the client, attempt to connect with ssh to the server as the user bob. Notice that the user alice will still be able to log in even though the user bob does not have a password: public key authentication does not consult bob's password at all. To revoke alice's access, remove her key from bob's authorized_keys (or deny the account in sshd_config); changing or removing bob's password does not do it.

    $ ssh -l bob server
    Enter passphrase for key '/export/home/alice/.ssh/identity':
    Last login: Thu Aug  1 20:45:03 2002 from simms
    Sun Microsystems Inc.   SunOS 5.8       Generic Patch   October 2001
    Sun Microsystems Inc.   SunOS 5.8       Generic Patch   October 2001
    $ exit
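The following shell script is an added example and is not part of the lab handout. It performs the server-side part of step 3 as an administrator would want it done (appending to authorized_keys rather than overwriting it, skipping a key that is already present, and setting the modes that sshd's StrictModes check requires), adds permission checks for the client private key and the server-side files, and turns step 7 into a non-interactive check by running ssh with password authentication switched off, so that a successful login can only have come from the key. The function names, the scratch-directory demo and the sample key line (a constructed string, not a real key) are all assumptions of this example; only verify_key_only_login needs a real server.

```shell
#!/bin/sh
# Added example (not from the lab page). Installs a client public key into a
# target user's authorized_keys, checks file modes, and verifies that a login
# to the server succeeds with publickey authentication alone.
set -u

# install_authorized_key <pubkey file> <target .ssh directory>
# Appends the first line of <pubkey file> to <dir>/authorized_keys.
# Returns 0 if the key was added, 1 if an identical line was already present.
install_authorized_key() {
    pub=$1
    sshdir=$2
    auth=$sshdir/authorized_keys
    key=$(head -n 1 "$pub")
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"        # StrictModes: ~/.ssh must not be writable by others
    touch "$auth"
    chmod 600 "$auth"          # same rule for authorized_keys itself
    if grep -qxF -- "$key" "$auth"; then
        return 1               # already installed: do not add a duplicate line
    fi
    printf '%s\n' "$key" >> "$auth"   # append; cp would overwrite existing keys
    return 0
}

# mode_is <path> <octal mode>: 0 when the file or directory has exactly that
# mode. find's exact -perm match is POSIX, so no GNU stat is needed.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# client_key_ok <private key>: ssh refuses a private key that is group- or
# world-readable, so require the 0600 that ssh-keygen creates.
client_key_ok() {
    mode_is "$1" 600
}

# server_side_ok <target .ssh directory>: ~/.ssh 0700 and authorized_keys
# 0600, which satisfies StrictModes whatever the server's umask was.
server_side_ok() {
    mode_is "$1" 700 && mode_is "$1/authorized_keys" 600
}

# verify_key_only_login <identity file> <user> <host>
# Step 7 as a check instead of an interactive session: with BatchMode on and
# only publickey allowed, ssh either logs in with the key or fails. A
# password prompt can never be the reason the login worked. BatchMode also
# suppresses the passphrase prompt, so load the key into ssh-agent first.
verify_key_only_login() {
    ssh -o BatchMode=yes \
        -o PasswordAuthentication=no \
        -o PreferredAuthentications=publickey \
        -i "$1" -l "$2" "$3" true
}

# demo: exercise the installer on a scratch directory with a constructed key.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC constructed-not-a-real-key alice@simms\n' \
        > "$tmp/identity.pub"
    install_authorized_key "$tmp/identity.pub" "$tmp/bob/.ssh" && echo "key added"
    install_authorized_key "$tmp/identity.pub" "$tmp/bob/.ssh" || echo "duplicate skipped"
    server_side_ok "$tmp/bob/.ssh" && echo "server-side modes OK"
    rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as "sh setup-key.sh demo" to see the installer on a scratch directory; on a real pair of hosts, run install_authorized_key as bob on the server and then, from the client with alice's key loaded in ssh-agent, "verify_key_only_login ~/.ssh/identity bob server && echo key-only login works". Because PreferredAuthentications is limited to publickey, the check gives the same answer before and after bob's password is removed in step 6, which is the point of the exercise.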