How To Configure SSH Key-Based Authentication on FreeBSD for Mac OS X and Panic’s Transmit FTP Client

This is a guide for setting up an Apple Mac OS X workstation with SSH key-based authentication to a remote FreeBSD server. I won’t go into any detail about these protocols or try to make a case for using them. If you’re reading this, you probably already have a basic grounding on SSH, SFTP and the implications of SSH key-based authentication. My goal is to outline the steps needed so you can start using key-based authentication on your Mac.

I. Intended audience

The instructions here are aimed at Mac OS X based web developers with at least a moderate level of systems administration knowledge. Most likely you host websites for your clients or employer on *nix servers controlled through a command line interface. You generally work on multiple servers per project. Repeatedly entering secure long random passwords is becoming a hassle. If this sounds familiar, this guide is for you.

I’m on a Mac OS X workstation, currently Yosemite, using the Mac Terminal App to connect via SSH and Panic’s Transmit FTP client to transfer files. The server instructions here are for FreeBSD but you should still find the information useful if you run a Linux-based web server. I expect that you’re familiar with your own environment and have a preferred way of doing things so won’t list every command needed.

The prerequisites for this guide are that you:

  1. already have your server set up to SSH and SFTP with password authentication;
  2. have an account on the server that you use for day-to-day web development;
  3. also have root access to the server.

II. Setting up your Mac workstation and server for SSH Key-Based Authentication

We’ll need to do two main things to get everything working:

  1. Set up your server to accept the key files instead of a password.
  2. Configure your Mac OS X workstation to use SSH key files.

We’ll be moving back-and-forth between the them so for clarity, open up two terminal windows: one will be used for configuring the server, which I’ll refer to as your server terminal and another for configuring your Mac workstation, which I’ll call the Mac terminal.

A. Configure the server

First make sure your server is configured to accept key-based authentication. On the server terminal, open a secure shell to the server as you normally would. Edit the configuration file for your OpenSSH Daemon at /etc/ssh/sshd_config.

Look for the following lines and uncomment or add them:

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no

You may need to return to this file later but for now, save it and restart sshd. On FreeBSD, it’s the command:

# /etc/rc.d/sshd reload

B. Generate the key files on your Mac

Now you need to generate your private and public SSH key files. The private key file will remain on your Mac and you’ll place a copy of the public key file on the server. To generate the key files, switch to your Mac terminal and run:

$ ssh-keygen -t rsa

The -t flag specifies that you’re creating an RSA key.

You’ll be asked to enter a file name for the key. The default for key files on Mac OS X is /Users/username/.ssh/id_rsa.pub. While you can simply select the default, it might be a good idea to create a key file specifically for each project. That way, if your Mac workstation is ever compromised, you minimise the risk of access to servers used for past projects where your account has been inadvertently left active.

ssh-keygen will also ask if you want to set a password for the key. If you set a password, you’ll have to enter it every time you try to authenticate with the key file. 1

The result should be two new key files in your .ssh directory:

  • The public key: /Users/username/.ssh/yourkeyfile_rsa.pub
  • The private key: /Users/username/.ssh/yourkeyfile_rsa

If you use a service like GitHub you may also see your GitHub key files already in that directory.

C. Copy the public key to the server

Transfer your public key to the .ssh directory of the server account you use to do your day-to-day web development. There are two ways to do this on a standard-install Mac OS X workstation. You can follow these steps:

  1. Go to the server terminal and cd into the account’s home directory.
  2. Create a .ssh directory (~/.ssh/).
  3. Switch back to the Mac’s terminal and copy the public key text using the command:
    $ pbcopy < ~/.ssh/yourkeyfile_rsa.pub
  4. Move back to the server terminal and create an authorized_keys file within the .ssh directory.
  5. Paste the public key text into your authorized_keys file. (Remember that the pbpaste command won’t work on a non-Mac operating system.)

Alternatively, you can run the following command on your Mac’s terminal:

cat ~/.ssh/yourkeyfile_rsa.pub | ssh [email protected]_host “mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys”

However it’s done, you should end up with a file ~/.ssh/authorized_keys for the developer account on the server.

It’s worth making this clear so there’s no confusion: you are giving the public key, yourkeyfile_rsa.pub, to the developer account that you’d previously been using to connect using a password. You should not be giving it to the root account. Make sure you put the authorized_keys file in the developer account’s home folder. Also make sure you don’t accidentally copy and paste the private key, yourkeyfile_rsa.

D. Test authentication to the remote server over SSH

Make sure everything worked by checking if you can connect to the server without having to supply a password. Log out of your existing connection on the server terminal and try connecting again:

ssh -i ~/.ssh/yourkeyfile_rsa [email protected]

The -i flag should be the path to the private key file we generated in step B. Also, if you set a key password, you will be asked to supply it before you can access the key.

You should see your server motd and terminal prompt after pressing enter.

E. Optional: disable password authentication

Since you’ve gone to the trouble of setting up SSH key-based authentication, you may want to disable password authentication after you’ve successfully testing the connection. Uncomment or add the following lines in /etc/ssh/sshd_config:

PasswordAuthentication no

Finally, restart sshd:

# /etc/rc.d/sshd reload

Make absolutely sure that everything works before disabling password authentication, otherwise you may find yourself without any way to remotely connect to your server.2 Unscheduled trips to the data centre are no fun. (Can you tell I’m writing from experience?)

F. Optional: use a ssh config file

An option to save yourself some typing is to put the server and key details into an ssh config file. On your Mac terminal, create a config file at /Users/username/.ssh/config with the following:

Host serveralias
    HostName host
    User your_username
    PubKeyAuthentication yes
    IdentityFile ~/.ssh/yourkeyfile_rsa

This will let you login just by typing:

ssh serveralias

III. Setting up the Transmit FTP client for SSH Key-Based Authentication

After configuring SSH key-based authentication on your server, the SFTP service will start rejecting your login attempts unless you supply your key. Setting up Panic’s Transmit FTP client with key-based authentication is simple but it can be a little buggy.

  1. In Transmit, delete your old connection details and add new connection settings 3
  2. Leave the password blank
  3. Either:
    • From the menu, select Favourites > Import SSH Key File
    • Or click the key picker, which is the key icon to the right of the password box
  4. Import your private key file yourkeyfile_rsa

Connect with these new settings and the SFTP server will grant you access.

Panic Transmit FTP client ssh key picker
Panic Transmit FTP client ssh key picker

If you try this process with a password-encrypted key, Transmit will give you the error: “The file is not in a supported format.” This is a bug and you’ll have to apply a workaround. Panic’s customer support sent me the following instructions:

If the private key is passphrase encrypted (as yours is), or if it lives in a directory other than ~/.ssh/, there are a few extra steps needed to get up and running.

Instead of using the key picker, edit your ~/.ssh/config file and add the following:

Host yourserver.com
IdentityFile /Users/yourusername/.ssh/id_rsa

Then set the site’s Password field to your key’s passphrase and try connecting.

Alternatively, you can try this method:

  1. First, add the keyfile and password to your keychain:
    ssh-add -K path/to/.ssh/yourkeyfile_rsa
  2. Now add the connection details to Transmit but do not enter the password or set a key file.
  3. Transmit will connect using the credentials in you keychain

In addition to being able to conveniently log in to your various servers, you will now also be able to use Transmit for your regular web development file transfers.

IV. Notes

  1. It’s tempting to think that setting a password for your key negates the whole point of this exercise. After all, if you have to enter a password to authenticate with the key file, you might as well keep the existing model of password authentication to the server, right? Not quite and here’s why: the ssh key is a cryptographically secure way of authenticating to your server and is exactly what you want for something accessible to the open internet. While manually typing in the key itself every time you want to open a connection isn’t practical, SSH key-based authentication handles key exchange automatically.

    The key password protects against a different threat. It prevents unauthorised use of the key itself. This has a lower threat profile because it’s stored on your own private workstation. It therefore can be something that’s easier to remember and type.

  2. Remember to backup your keys and store the backups in a secure location. If you lose your keys and have also disabled password authentication, you won’t be able to access the server without physical access or help from your hosting technical support.

  3. I’ve found that editing a saved connection sometimes doesn’t work. This might be a bug in Transmit. Deleting the old connection and creating a new one seems to always work.

How to upload a file to your server

Introduction

These instructions relate to your public website. It will show you how to upload a file to your server. Your site is controlled by a content management system (CMS) and there are several ways to achieve the same result. Here I will show you one method, but if you find it to be unwieldy, please let us know as we can suggest alternatives.

Prerequisites

You will need the following in order to upload your file:

  1. File transfer software, also known as an ‘FTP client’.
  2. Your username and passwords to login to the server. For security, I’ve sent your username and password separately. (These credentials are not the same as those used to login to the CMS and edit your site pages.)
  3. The file you’d like to upload (of course!). You can upload any file type but to make things easier for yourself, I suggest you follow the guidelines below.

Uploading a file

  1. Open your FTP client and in the connection screen, use the following settings.
    • Host or Server
    • Username
    • Password
    • Path: you may leave this blank
    • Protocol: Use FTP or SFTP
    • Port: Most clients will fill this in for you. If it doesn’t, enter port 21 if connecting through FTP, or enter port 22 if connecting through SFTP.
  2. Click the ‘Connect’ button. Once the software has connected, it should display the files currently on the server.
  3. The files on the server are organised in a hierarchy similar to your own computer. If you did not enter a path in step one, you will be placed on the uppermost level so you’ll need to navigate to your ‘files’ directory. If you don’t know where this is, please contact the project manager or developer who worked on your site.
  4. Drag your file into the window showing the server files. (Some programs also have a section displaying your local computer files so make sure you drag it into the server window.)
  5. Wait for the file to finish uploading, then click ‘Disconnect’.

Please take care when manipulating files on the server. Deleting files here will cause content to permanently disappear from your website.

Notes

About the Protocol

The protocol is the method used by the software and server to communicate.

FTP is widely supported by file transfer programs but it’s not secure. Malicious people on your network can easily intercept your password and files when connecting through FTP.

SFTP is the secure version of FTP because it encrypts the password and files. Use SFTP if your software supports it.

File Guidelines

Following these guidelines will help reduce problems when creating your link.

  1. Try to keep the file size small. Anything up to a few megabytes (MB) is acceptable on modern internet connection speeds. If you’re pushing 25 MB or more, your visitors might not like the wait.
  2. Place the file in an easy-to-find location, such as your desktop.
  3. Use only alphanumeric characters in the filename and make sure there are no spaces. If you like, you can also use dashes ( – ) or underscores ( _ ). Unless you’re quite proficient with creating web pages, using any other characters may give you problems when creating a link to the file.

    The following examples are OK:

    • my-file-1.doc
    • MyFile.doc
    • myfile1.pdf
    • document_2.txt

    These may give you trouble when creating the link:

    • Jane’s document.pdf
    • John’s file 1.doc
    • mydocument (with hidden file extension)
    • SoldFor$10.doc

File transfer software

There are many FTP client vendors and some can be downloaded from the internet at no cost. Below are a few suggestions but an internet search for ‘FTP client’ will show more.

For Microsoft Windows

  • http://filezilla-project.org
  • http://www.smartftp.com
  • http://winscp.net

For Mac OS X

  • http://filezilla-project.org
  • http://www.panic.com/transmit/
  • http://cyberduck.ch