LinuxQuestions.org
Old 10-29-2012, 10:36 PM   #1
shivaa
Senior Member
 
Registered: Jul 2012
Location: Grenoble, Fr.
Distribution: Sun Solaris, RHEL, Ubuntu, Debian 6.0
Posts: 1,797
Blog Entries: 4

Rep: Reputation: 285
Difference between .ssh/known_hosts and .ssh/authorized_keys


Hello everyone!
I am trying to access a server "saturn" from my machine "mars", using the ssh protocol. In fact, I am running a script from saturn on mars, and the script contains a line:
ssh root@mars.org.com
To enable a password-less login for root on mars from saturn, I generated my rsa keys on saturn and now want to append them to the /.ssh/authorized_keys file on mars. But no such file exists.
But there (on mars) exists a file named known_hosts, and I am not sure how it works!
What's the difference between the authorized_keys and known_hosts files? How do I use known_hosts if no authorized_keys exists?
Thanks in advance!

Last edited by shivaa; 10-29-2012 at 10:37 PM.
 
Old 10-29-2012, 11:05 PM   #2
cbtshare
Member
 
Registered: Jul 2009
Posts: 566

Rep: Reputation: 42
You need to generate the keys, then http://www.laubenheimer.net/ssh-keys.shtml

then
Quote:
]$ cd .ssh
]$ touch authorized_keys
]$ chmod 600 authorized_keys
Then add the remote machine's public key to the file.

Last edited by cbtshare; 10-29-2012 at 11:07 PM.
 
Old 10-30-2012, 01:28 AM   #3
shivaa
Senior Member
 
Registered: Jul 2012
Location: Grenoble, Fr.
Distribution: Sun Solaris, RHEL, Ubuntu, Debian 6.0
Posts: 1,797
Blog Entries: 4

Original Poster
Rep: Reputation: 285
Thanks for your reply. Although I am aware of the process to add keys to the authorized_keys file, the question is, what is the "known_hosts" file doing there? I can see some encrypted keys inside that known_hosts file, and I think those keys belong to different hosts who connect to "saturn" without a password.
So is there any difference between appending ssh keys to authorized_keys and to known_hosts? What difference does it make? Will adding ssh keys to known_hosts work the same as authorized_keys does? Please explain, anybody. Thanks a lot.

Last edited by shivaa; 10-30-2012 at 01:29 AM.
 
Old 10-30-2012, 01:46 AM   #4
cbtshare
Member
 
Registered: Jul 2009
Posts: 566

Rep: Reputation: 42
Quote:
Originally Posted by shivaa
Thanks for your reply. Although I am aware of the process to add keys to the authorized_keys file, the question is, what is the "known_hosts" file doing there? I can see some encrypted keys inside that known_hosts file, and I think those keys belong to different hosts who connect to "saturn" without a password.
So is there any difference between appending ssh keys to authorized_keys and to known_hosts? What difference does it make? Will adding ssh keys to known_hosts work the same as authorized_keys does? Please explain, anybody. Thanks a lot.

The /.ssh/known_hosts file is a local user database. It is used for server authentication. The client checks this file for the remote machine's entry to authenticate the server as a host that has connected to the server before. So to answer your question: no, you don't add keys to the known_hosts file, just to the authorized_keys file. It will make a difference. The difference it makes is that ssh via keys won't work lol.

Last edited by cbtshare; 10-30-2012 at 01:51 AM.
 
1 members found this post helpful.
Old 10-30-2012, 01:52 AM   #5
descendant_command
Member
 
Registered: Mar 2012
Posts: 796

Rep: Reputation: 180
It stores the fingerprint of the servers you connect to, from that client machine.
So if you connect to a server you have previously visited and the fingerprint is different, you get warned that it could be a different machine or the ssh server has been altered and may not be "trustworthy" any more.
 
Old 10-30-2012, 06:39 AM   #6
shivaa
Senior Member
 
Registered: Jul 2012
Location: Grenoble, Fr.
Distribution: Sun Solaris, RHEL, Ubuntu, Debian 6.0
Posts: 1,797
Blog Entries: 4

Original Poster
Rep: Reputation: 285
Alright! The exact situation is, many other users also run their scripts from their local systems on the remote server, i.e. saturn, & they also connect to the server through ssh password-less login. So if there's no authorized_keys file existing, then how are others using ssh over there & connecting to that server without supplying a password? I think they are somewhere using the known_hosts file... ain't they? However, I just want to understand what others are doing, so it would make my work a little easier rather than creating an authorized_keys file.
 
Old 10-30-2012, 11:34 AM   #7
wpeckham
Member
 
Registered: Apr 2010
Location: USA
Distribution: Debian, Ubuntu, Fedora, RedHat, DSL, Puppy, CentOS, Knoppix
Posts: 775

Rep: Reputation: 173
What you really need...

If the earlier explanation did not do it for you....

The user can manipulate the authorized_keys file to set up authentication by keys. The known_hosts file is NOT for the user to administrate; the application populates it for you. The only time you need to access it might be to remove a record when the signature of a host has changed.

For authorized_keys you can add records, never remove records except to disallow a connection. For known_hosts you never add a record directly, and only remove one to enable a changed connection.

If you need more detail than that, I suggest you search out and read the OpenSSH documentation.

BTW: I prefer to test access with password first, then use ssh-copy-id to populate the remote authorized_keys file with proper permissions etc in a single step.
 
1 members found this post helpful.
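The two lookups described in the replies above, as an added example (not code from any poster or from OpenSSH): a simplified Python model of the client checking a server's host key against known_hosts, and of the server checking a user's public key against authorized_keys. Host names and key blobs are constructed placeholders; wildcard patterns, @cert-authority/@revoked markers and quoted options containing spaces are not handled.

```python
import base64, hashlib, hmac

def hash_host(host, salt):
    """HashKnownHosts-style name field: |1|b64(salt)|b64(HMAC-SHA1(salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def _names_match(field, host):
    for name in field.split(","):
        if name.startswith("|1|"):                     # hashed host name entry
            _, _, salt_b64, mac_b64 = name.split("|")
            mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
            if hmac.compare_digest(mac, base64.b64decode(mac_b64)):
                return True
        elif name == host:                             # plain host name or address
            return True
    return False

def check_host_key(known_hosts, host, keytype, blob):
    """Client side: 'match', 'changed' (warn and refuse) or 'unknown' (first contact)."""
    seen = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue                                   # blank, comment or marker line
        if parts[1] == keytype and _names_match(parts[0], host):
            if parts[2] == blob:
                return "match"
            seen = True                                # host is known, key differs
    return "changed" if seen else "unknown"

KEYTYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256"}

def is_authorized(authorized_keys, keytype, blob):
    """Server side: is this user public key listed for the target account?"""
    for line in authorized_keys.splitlines():
        parts = line.split()
        for i, tok in enumerate(parts[:-1]):
            if tok in KEYTYPES:                        # skips a leading options field
                if tok == keytype and parts[i + 1] == blob:
                    return True
                break
    return False

# Constructed sample data: the blobs are placeholders, not real keys.
SATURN_HOST, MARS_HOST, USER_KEY = "AAAAsaturnHostKey", "AAAAmarsHostKey", "AAAAshivaaUserKey"
KNOWN_HOSTS = ("saturn.example.org,192.0.2.10 ssh-rsa " + SATURN_HOST + "\n"
               + hash_host("mars.example.org", b"constructed-salt-20b") + " ssh-rsa " + MARS_HOST)
AUTHORIZED_KEYS = "no-port-forwarding ssh-rsa " + USER_KEY + " shivaa@saturn"
```

A host key sitting in known_hosts never grants a login: `is_authorized` only ever reads authorized_keys, and `check_host_key` only ever decides whether the client should trust the server it reached.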
Old 10-30-2012, 12:54 PM   #8
shivaa
Senior Member
 
Registered: Jul 2012
Location: Grenoble, Fr.
Distribution: Sun Solaris, RHEL, Ubuntu, Debian 6.0
Posts: 1,797
Blog Entries: 4

Original Poster
Rep: Reputation: 285
Well, I've got something interesting from the Internet. There are two types of authentication:
1. Key pairs and host-based authentication: The method as discussed above. Generate rsa keys & add them to authorized_keys...
2. Host-based authentication: In trusted-host authentication, the SSH server does not directly authenticate a user based on something he knows or has (e.g. password or private key). Rather, it authenticates the client host, and then trusts that host to say who the user is (i.e., which client-side account he has already been authenticated to use). It then consults server-side configuration to determine which account names on the client host are allowed access to which server accounts. ~/.ssh/known_hosts files contain host public keys for all known hosts.
I think it would be better to go with authorized_keys, rather than any host-based authentication.
I will give it a try & let you know in case of any problem.
Thanks everyone for your responses!

Last edited by shivaa; 10-30-2012 at 12:56 PM.
 
  


All times are GMT -5.
