LinuxQuestions.org
Review your favorite Linux distribution.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Newbie
User Name
Password
Linux - Newbie This Linux forum is for members that are new to Linux.
Just starting out and have a question? If it is not in the man pages or the how-to's this is the place!

Notices


Reply
  Search this Thread
Old 04-30-2013, 03:34 AM   #1
vikash.thbs
LQ Newbie
 
Registered: Dec 2011
Posts: 4

Rep: Reputation: Disabled
passwordless keybased sftp


Hi All,

I am having a requirement where I need to transfer a file from Linux server A to Linux server B using sftp.

sftp should be using key based and passwordless authentication.

Could you please advice me for the steps involved.

eg. 1) how to generate the keys and on which server whether on server A or B?
2) which key should be imported and on which server ? etc


Many thanks for you help....
 
Old 04-30-2013, 07:33 AM   #2
lekremyelsew
LQ Newbie
 
Registered: Sep 2006
Location: Littleton, Colorado USA
Distribution: Arch Linux
Posts: 29

Rep: Reputation: 16
The way you set up ssh/sftp depends on which server you want (or already do) have sshd running on. Because sftp can copy files to and from the connected host, you don't need to (but can) run sshd on both Linux servers. We'll start with just one instance of sshd for now. For the sake of this explanation, let's say that you have sshd running on Linux server A and will be running the ssh/sftp command from Linux server B. Note that if you have sshd running on both servers, you can use either server in place of A/B (more on this later). To generate the key, run
Code:
ssh-keygen -t rsa -b 2048 -C 'your_email_address_here@domain.com'
as the user you want to use sftp from on server B. The '-C ...' part is optional, it just helps if you start letting other people connect to the same server, as the same user. Also, feel free to use another encryption type, like '-t ecdsa' and/or change the number of bits in the key like '-b 4096', although the options I provided should be fine.
This will set up ~/.ssh with your newly created keypair inside. 'id_rsa' is your private key (keep it safe, it should be password protected) and 'id_rsa.pub' is your public key. If you look at ~/.ssh/id_rsa.pub, you will notice that the key is on a single line. This line is what you will use to authorize yourself to the sshd server on Linux server A.
Now you must pick which user you want to connect to on Linux server A. Once you do that, append the line from ~/.ssh/id_rsa.pub on Linux server B to the file ~/.ssh/authorized_keys on Linux server A (or just copy the file, if it doesn't already exist). Note that this is the only file that needs to be in ~/.ssh on Linux server A.
Although its not really necessary, it doesn't hurt to run:
Code:
chmod 0600 ~/.ssh/authorized_keys
on Linux server A, just to make things a little more secure.
It's also a good idea to turn off password authentication, if others don't need it, on Linux server A. This will stop hackers form brute force cracking your password. Set
Code:
PasswordAuthentication no
in /etc/ssh/sshd_config (or maybe /etc/sshd_config) on Linux server A. You're probably going to want to restart sshd on Linux server A so that the changes take effect.
After that's all done, you should be ready to connect. To test the setup, run (from Linux server B)
Code:
ssh user_name_on_server_A@host_name_or_ip_address
You should now see something to the effect of
Code:
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is a6:fd:e1:28:26:25:7a:5c:45:9f:b2:65:41:4b:5a:df.
Are you sure you want to continue connecting (yes/no)?
Note that the encryption type you see here might not be the same as the one you used for your keypair, but that is completely fine. Verify that the fingerprint that your ssh-client is seeing is the same as the one on the sshd server by running
Code:
# files might just be in /etc/ rather than /etc/ssh/
ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub  # for ECDSA
ssh-keygen -lf /etc/ssh/ssh_host_rsa.pub        # for RSA
on Linux server A then checking that the keys are the same. This protects against a man-in-the-middle attack. Note that you should only be prompted like this once, per host (that is, if you select 'yes'), so if you see this again (and you didn't re-install sshd on Linux server A) you might be under a man-in-the-middle attack.
After verifying the fingerprint, you should be able to connect and be all good to go.

After testing if the ssh command works, exit out of ssh, and you should now be able to run
Code:
sftp user_name_on_server_A@host_name_or_ip_address
If this doesn't work, double check usernames, hostnames, and port numbers. You can specify port numbers with -p. You might need to set up port-forwarding on the network that Linux server A is in, if the two servers aren't behind the same network.

If you have sshd running on both machines and you want to be able to connect from B to A, as well as A to B, keep reading.
All you have to do is copy ~/.ssh/id_rsa from Linux server B to server A, and copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys all on Linux server B. Note that you can (but don't need) to copy ~/.ssh/id_rsa.pub from Linux server B to Linux server A. You are going to have the same information already in ~/.ssh/authorized_keys (on Linux server B) if you were ever to need to copy it to somewhere else. You could also copy it over if you're neurotic and just like symmetry, like me
Note that you're not limited to using only two users between the two machines. You could set up a special account to connect to with limited permissions on one (or both) machines, to add security. This means that you can make a setup with anywhere from 2-4 users between the two machines, with different accounts to connect to and from on each machine, but this is probably not necessary.
If you are just going to use one account on each computer to do the connecting to and connecting from, you can simplify the key copying process by running
Code:
scp ~/.ssh/id_rsa user_name_on_server_A@host_name_or_ip_address:.ssh/id_rsa
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
on Linux server B.

Last edited by lekremyelsew; 04-30-2013 at 07:58 AM. Reason: Typos and clarifications
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
keybased authentication for non root user. parkarnoor Linux - Newbie 8 08-21-2012 03:04 AM
Passwordless sftp in shell script pavan06 Linux - Newbie 5 09-06-2011 09:06 PM
Passwordless SFTP between Unix box and Windows dev_d Linux - Networking 3 03-31-2010 08:08 AM
SSH Keybased authentication for "root" user on linux. adastane Linux - Networking 2 12-13-2007 04:57 AM
Passwordless sftp to many remote hosts ahmad_abdulghany Linux - Networking 7 04-04-2007 07:18 PM


All times are GMT -5. The time now is 08:10 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration