

SSH Keypairs-Howto (Linux)

Creating an OpenSSH keypair
In your shell, create an ssh dsa private/public keypair:
bash% ssh-keygen -t dsa

Follow the prompts and enter a passphrase. The new keypair will be stored as ~/.ssh/id_dsa and ~/.ssh/id_dsa.pub. Keep the private key safe - it's only the public key that needs to go on servers.

(If you hadn't figured it out, the private key from the above example is id_dsa - the public key is id_dsa.pub.)

If you use the commercial SSH client on Windows at home you need to generate a keypair for that machine too, as the SSH.com and OpenSSH encodings are not compatible with each other.

Burning the keypair onto a mini-CD
Purchase a blank CD-R or CD-RW. There are keen little mini-CDs that are perfect for this business.

My CD contains the following files:

  • id_dsa - My OpenSSH private key
  • id_dsa.pub - My OpenSSH public key
  • win_dsa - My SSH.com private key
  • win_dsa.pub - My SSH.com public key
  • authorized_keys - Both public keys in one file with the SSH.com public key converted to OpenSSH format.
If I need to add myself to a new machine I simply upload the authorized_keys file from my CD to the .ssh folder on the machine. If the server is running SSH.com, I'd have to convert that authorized_keys file to SSH.com format and probably put it somewhere else - .ssh2/authorized_keys2 possibly.

Login scripts
There are a number of different methods to enable your SSH key on Linux. Below is my method for SSH keys on CD.

Edit the /etc/fstab line for your CD reader so that the options contain noauto,user,norock,mode=0600. The user option lets any user mount the CD, and with the Rock Ridge extensions ignored (norock) every file on the disc is presented with mode 0600, so it is readable only by its owner. We do this because ssh-add refuses to load a private key that is readable by anyone other than its owner.
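As an added illustration (not part of the original page), here is what such an fstab entry looks like before and after the change. The device node and mount point are assumptions; the option string is the one given above.

```text
# Typical default: any user may mount, but the permission bits recorded on the
# disc (Rock Ridge) are honoured, so a key burned world-readable stays that way.
/dev/cdrom  /media/cdrom  iso9660  noauto,user  0 0

# With the options from this howto: Rock Ridge permissions are ignored (norock)
# and every file on the disc appears as mode 0600, which is what ssh-add expects
# of a private key file.
/dev/cdrom  /media/cdrom  iso9660  noauto,user,norock,mode=0600  0 0
```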

Now we just need a script to mount the CD and read in the private key. Create a file - I call mine 'sshkey'. Copy these lines into this new file:

#! /bin/bash
# Mount the SSH key CD, load the private key into the running ssh-agent,
# then unmount and eject the disc. Change CDROM if your mount point differs.
CDROM=/media/cdrom
KEY="$CDROM/id_dsa"

# mount fails when the drive is empty, so check its exit status instead of
# guessing from the output of ls
if ! /bin/mount "$CDROM" 2>/dev/null ; then
        echo "No CD in drive."
        exit 1
fi

if [[ -r "$KEY" ]] ; then
        /usr/bin/ssh-add "$KEY"
        /bin/umount "$CDROM"
        /bin/eject
else
        echo "No id_dsa found on the CD."
        /bin/umount "$CDROM"
        exit 1
fi

You may need to change the mount point (/media/cdrom) if your system calls it something else. Make the script executable (chmod +x). Now when you run this script with your SSH CD in the drive you should be prompted for your passphrase. In most recent Linuxes (this is true of Red Hat and SuSE, at least) the desktop session starts an ssh-agent for you, so the key stays loaded and active for the rest of your login session.

If you want the script to run automatically at login, both KDE and Gnome can be configured to do this. In KDE, simply put the script into ~/.kde/Autostart. In Gnome, you can use the GUI to set it up (Gnome Control Center / Sessions / Startup Programs tab).

Putting public key on servers
By default OpenSSH looks for .ssh/authorized_keys in your home directory, which should contain your public key line. It can contain several public keys, one per line. Which file is looked for can be changed in /etc/ssh/sshd_config . Make sure the following two lines are set:

PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

Also enable agent forwarding so that logins from the first server can use the key held by your local ssh-agent - this lets you go from machine to machine rather than having to log in from one machine only. Note that the key itself never leaves your machine; the remote ssh only relays authentication requests back to your agent, and anyone with root on that intermediate host can use the forwarded agent while you are connected, so enable it only for hosts you trust. This is set in the client configuration, /etc/ssh/ssh_config :

Host *
    ForwardAgent yes

If there is already a 'Host *' line just add the ForwardAgent line below it.

You can set up your authorized_keys file in any number of ways - either by copying id_dsa.pub to ~/.ssh/authorized_keys in your home directory, or by appending its contents to the end of an already-existing authorized_keys file. Check the permissions afterwards: sshd ignores the file if ~/.ssh or authorized_keys is writable by anyone but you (mode 0700 for the directory and 0600 for the file are safe).
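The following shell function is an added example, not code from the original page or from Yale WSS. It does the two chores described in the CD section and in this one in a single step: collect every .pub file from the key CD into one authorized_keys file, converting any SSH.com-format public key (recognised by its "---- BEGIN SSH2 PUBLIC KEY ----" header) with ssh-keygen -i, skip keys that are already present, and leave the directory and file with the permissions sshd requires. The source directory, destination path and the sample keys used to exercise it are assumptions.

```shell
#!/bin/sh
# install_authorized_keys SRC_DIR DEST_FILE
#   SRC_DIR   directory holding *.pub files (e.g. the mounted key CD)
#   DEST_FILE the authorized_keys file to build, e.g. ~/.ssh/authorized_keys
# OpenSSH one-line public keys are appended as-is; SSH.com / RFC 4716 keys are
# converted with `ssh-keygen -i`. A key is added only once, and the directory
# and file are set to 0700 / 0600 so sshd's StrictModes accepts them.
install_authorized_keys() {
    src="$1"
    dest="$2"
    destdir=$(dirname "$dest")

    mkdir -p "$destdir"
    chmod 700 "$destdir"
    touch "$dest"
    chmod 600 "$dest"

    for pub in "$src"/*.pub; do
        [ -f "$pub" ] || continue        # no *.pub files: the glob stays literal
        if head -n 1 "$pub" | grep -q '^---- BEGIN SSH2 PUBLIC KEY ----'; then
            # SSH.com export: ssh-keygen -i prints the OpenSSH equivalent
            line=$(ssh-keygen -i -f "$pub") || {
                echo "skipping $pub: conversion failed" >&2
                continue
            }
        else
            line=$(head -n 1 "$pub")
        fi

        # Field 2 is the base64 key blob; comparing on it (not the whole line)
        # avoids duplicates that differ only in the trailing comment.
        blob=$(printf '%s\n' "$line" | awk '{print $2}')
        if [ -z "$blob" ]; then
            echo "skipping $pub: does not look like a public key" >&2
            continue
        fi
        if grep -qF -- "$blob" "$dest"; then
            continue                     # already installed
        fi
        printf '%s\n' "$line" >> "$dest"
    done
}

# count_keys FILE: number of OpenSSH key lines in FILE (handy for checking)
count_keys() {
    grep -c '^ssh-' "$1"
}

# Run directly as: sh install_keys.sh /media/cdrom ~/.ssh/authorized_keys
if [ "$#" -eq 2 ]; then
    install_authorized_keys "$1" "$2"
fi
```

Running it a second time with the same CD adds nothing, so it is safe to use as the "upload authorized_keys to a new machine" step without ever growing the file with repeats.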

Once all this is done, you're good to go.


Certifying authority: Paul Gluhosky
Manager, AM&T Workstation Support Services
URL: http://wss.yale.edu/doco/SSH-misc/ssh-keypair.Linuxhowto.php
Last update: 12 31 1969