My home server runs FreeBSD 7.0. I administer it from my Windows XP laptop, in the air-conditioned comfort of my home office, over wi-fi. The server runs OpenSSH. The laptop runs PuTTY. I wanted the added security of using SSH key files instead of password authentication. Google and the helpful bunch at the PC-BSD Forum hooked me up in no time. Below is a FreeBSD-specific documentation of the process.

There are two encrypted key files. One is public and resides on the server. The other is private and is saved on the laptop's hard drive. On the server, from the command prompt of your user account you type

> ssh-keygen -t dsa

This will generate two DSA-encrypted key files, one called id_dsa and the other id_dsa.pub. The process is interactive. You can choose where to save them and whether you want to associate them with a passphrase (click Enter twice for the default directory /usr/home/user/.ssh and no passphrase).

OpenSSH, which I installed following the instructions in this book, has a configuration file that on a FreeBSD system goes by /etc/ssh/sshd_config. On a Linux machine it might be saved somewhere equally logical, but different. Anyway, that configuration file, by default, expects the file id_dsa.pub to be a line in the file /usr/home/user/.ssh/authorized_keys. So, the first time you set this up, just do this:

> cd /usr/home/user/.ssh
> mv id_dsa.pub authorized_keys

You may have another computer you would like to log into the server from, but don't want to use the same private key. You can repeat this ssh-keygen process and append the new id_dsa.pub file to the existing authorized_keys file like so

> cat authorized_keys id_dsa.pub > authorized_keys

The order matters. With authorized_keys first in the cat queue, all of its content will be preserved and that of id_dsa.pub will be appended to it, as it should be. If you reversed the order, id_dsa.pub would be written on top of the beginning of authorized_keys. You don't want that.

Now that you have id_dsa.pub copied into authorized_keys file, you turn to id_dsa. This file needs to be on the client computer. You definitely don't want to e-mail it. You can save it to a USB stick and take it there or you can transfer it securely with pscp.exe, but explaining the workings of that would take another post. Anyway, once you got your id_dsa saved on the Win XP client computer you're still not done.

PuTTY cannot read OpenSSH key files directly. You must download puttygen.exe and have it translate id_dsa to id_dsa.ppk. The complete instructions for doing that are here. You will notice that they were originally written for running OpenSSH on a Linux server. They worked for me.

The best way to test your setup is to go back to /etc/ssh/sshd_config, set

PasswordAuthentication no

and save over. Then, as super-user, do

#/etc/rc.d/sshd restart

and try to connect via PuTTY. If your key file is recognized and you didn't set a passphrase you will be let right in, without being prompted for any password. Your connection is both secure and convenient.