By david_ross at 2003-12-05 14:35
Public key authentication with ssh
Introduction
This LinuxAnswer describes how to set up public key authentication with ssh{1}.
It also covers sub-components such as scp.
I will refer to the client machine{2} as the "client" and the server machine{3} as the "server".
Assumptions
1) You know how to open up a terminal and type a few basic commands.
2) You have a working ssh server and client installed. If not then see:
ftp://ftp.ca.openbsd.org/pub/OpenBSD...rtable/INSTALL
Why would you want to?
There are many reasons so I'll just list a few:
1) You don't need to type your password each time you want to log in to a remote system. This can protect against malicious applications such as keyloggers.
2) You can run automated maintenance tasks/checks on other machines.
3) You can run secure backups over ssh using rsync. See the LinuxAnswer "Using rsync to mirror data between servers".
The real howto
1) Create the private{4} and public{5} keys:
ssh-keygen -t dsa
You will be prompted for a key location, the default is fine so just press enter.
Then you are asked to enter a passphrase. From man ssh-keygen:
Quote:
The program also asks for a passphrase. The passphrase may be empty to indicate no passphrase (host keys must have an empty passphrase), or it may be a string of arbitrary length. A passphrase is similar to a password, except it can be a phrase with a series of words, punctuation, numbers, whitespace, or any string of characters you want. Good passphrases are 10-30 characters long, are not simple sentences or otherwise easily guessable (English prose has only 1-2 bits of entropy per character, and provides very bad passphrases), and contain a mix of upper and lowercase letters, numbers, and non alphanumeric characters.
If you intend to set up automated tasks that will use this key, it is probably best not to supply a passphrase, although this is inevitably less secure{6}.
2) Copy the public key to the server (you will need to enter the password):
cat ~/.ssh/id_dsa.pub | ssh user@server "cat - >> ~/.ssh/authorized_keys"
3) That's it. To test it, just ssh to the other server and you shouldn't need a password. If you entered a passphrase, you will need to enter it when prompted:
ssh user@server
If it doesn't work then please look at the troubleshooting section below.
Answers to most questions should be there.
If you still have problems, search the LQ forums, and if you still have a problem, start a new thread.
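As an added example (not part of david_ross's article), here is a small POSIX shell script that checks the file layout steps 1 and 2 leave behind: on the client, that ~/.ssh and id_dsa have owner-only permissions and id_dsa.pub exists; on the server, that authorized_keys is not writable by others and actually contains the client's key line. The paths are the howto's defaults, the key material is constructed fake data, and the permission probe assumes GNU or BSD stat. One caveat worth knowing for step 2: the copy command assumes ~/.ssh already exists on the server; if it does not, the redirection fails and nothing is appended.

```shell
#!/bin/sh
# Added example (not part of the original article): check the file layout that
# steps 1-2 create, on the client side and on the server side. It assumes the
# default OpenSSH paths used in the howto (~/.ssh/id_dsa, ~/.ssh/id_dsa.pub,
# ~/.ssh/authorized_keys) and GNU or BSD stat.

# Octal permission bits of a path (GNU stat first, BSD stat as a fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Client side: ~/.ssh should be private, and ssh refuses to use a private key
# that other users can read, so id_dsa must be owner-only.
check_client_keys() {
    dir=$1; key=$2; problems=0
    [ -d "$dir" ] || { echo "missing directory $dir"; return 1; }
    case $(mode_of "$dir") in
        700) ;;
        *) echo "$dir should be mode 700"; problems=$((problems + 1)) ;;
    esac
    if [ -f "$dir/$key" ]; then
        case $(mode_of "$dir/$key") in
            600|400) ;;
            *) echo "$dir/$key should be mode 600"; problems=$((problems + 1)) ;;
        esac
    else
        echo "missing private key $dir/$key"; problems=$((problems + 1))
    fi
    [ -f "$dir/$key.pub" ] || { echo "missing public key $dir/$key.pub"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
}

# Compare only the key type and the base64 blob, so a different trailing
# comment (user@host) on the authorized_keys line is not a false negative.
key_is_authorized() {
    want=$(awk 'NR == 1 { print $1 " " $2 }' "$1")
    awk -v want="$want" '($1 " " $2) == want { found = 1 } END { exit !found }' "$2"
}

# Server side: authorized_keys must exist, must not be writable by group or
# others (sshd ignores it otherwise), and must carry the client's public key.
check_server_keys() {
    dir=$1; pub=$2; problems=0
    ak="$dir/authorized_keys"
    [ -f "$ak" ] || { echo "missing $ak"; return 1; }
    case $(mode_of "$ak") in
        600|644|400) ;;
        *) echo "$ak should be mode 600"; problems=$((problems + 1)) ;;
    esac
    key_is_authorized "$pub" "$ak" || { echo "key from $pub is not in $ak"; problems=$((problems + 1)); }
    [ "$problems" -eq 0 ]
}

# Constructed fixture: fake key material (not a real key pair) in a temporary
# directory, laid out as the howto leaves it, so the checks can be tried offline.
make_fixture() {
    root=$(mktemp -d)
    mkdir -m 700 "$root/client" "$root/server"
    printf 'FAKE PRIVATE KEY (constructed, not a real key)\n' > "$root/client/id_dsa"
    printf 'ssh-dss AAAAconstructedKeyBlob== user@client\n' > "$root/client/id_dsa.pub"
    chmod 600 "$root/client/id_dsa"
    # what step 2 of the howto appends on the server
    cat "$root/client/id_dsa.pub" >> "$root/server/authorized_keys"
    chmod 600 "$root/server/authorized_keys"
    echo "$root"
}

# Stand-alone run: build the fixture, check both sides, clean up.
demo_root=$(make_fixture)
if check_client_keys "$demo_root/client" id_dsa &&
   check_server_keys "$demo_root/server" "$demo_root/client/id_dsa.pub"; then
    echo "layout OK"
fi
rm -rf "$demo_root"
```

To use it on real machines, call check_client_keys "$HOME/.ssh" id_dsa on the client and check_server_keys "$HOME/.ssh" /path/to/copied/id_dsa.pub on the server; each problem found is printed on its own line, and the exit status is non-zero if anything needs fixing.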
Using ssh-agent to store passphrases
If you decided to use a passphrase then you need only enter it once per session using ssh-agent and ssh-add.
1) The parent shell process in which you work should be started by ssh-agent, i.e.:
ssh-agent /bin/bash
2) Then to store your passphrase for that session run:
ssh-add
Enter your passphrase when prompted
3) That's it. To test it, just ssh to the other server and you shouldn't need a password or passphrase:
ssh user@server
If you use a desktop environment or window manager, you can start it with ssh-agent in the same way as the bash shell above, so that any child processes (terminals etc.) also have access to your passphrase.
Troubleshooting
If you get a connection refused message
You probably have a server problem: check that sshd is running ("netstat -nlp") and that there is no firewall rule blocking port 22 ("iptables -nL").
You still get prompted for a password
Try to ssh to the server with verbose output:
ssh -vv user@server
If you get a line like this, not containing "publickey":
debug1: Authentications that can continue: password,keyboard-interactive
Then check sshd_config on the server, remove the line "PubkeyAuthentication no" if it exists, and restart sshd.
If you don't get a line like:
debug1: try pubkey: /home/rossy/.ssh/id_dsa
Then check "ssh_config" on the client and remove "PubkeyAuthentication no" if it exists.
If you still don't see that line then make sure that "~/.ssh/id_dsa" exists on the client.
If you get a line like:
debug2: we sent a publickey packet, wait for reply
Check that "~/.ssh/authorized_keys" exists on the server and contains a line the same as "~/.ssh/id_dsa.pub" on the client.
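The three "ssh -vv" cases above can be turned into a small classifier. The script below is an added example, not part of the original article: it reads ssh -vv output on stdin and prints the advice from the troubleshooting section that applies, in the same order of checks (server refuses publickey first, then client never offered a key, then key offered but not accepted). The transcripts are constructed from the debug lines quoted in the text, plus the "Authentication succeeded (publickey)" line that ssh -v prints on success.

```shell
#!/bin/sh
# Added example (not from the original article): sort the output of "ssh -vv"
# into the cases the troubleshooting section describes. The transcripts below
# are constructed, not real captures.

# Reads ssh -vv output on stdin, prints one line of advice and sets the exit
# status: 0 key accepted, 1 server refuses publickey, 2 client never offered a
# key, 3 key offered but not accepted, 4 nothing recognisable in the input.
diagnose_ssh_debug() {
    awk '
        /Authentications that can continue:/ {
            saw_methods = 1
            if ($0 ~ /publickey/) pk_allowed = 1
        }
        /try pubkey:/                            { tried = 1 }
        /we sent a publickey packet/             { sent = 1 }
        /Authentication succeeded \(publickey\)/ { ok = 1 }
        END {
            if (ok) { print "OK: the server accepted the public key"; exit 0 }
            if (saw_methods && !pk_allowed) {
                print "server: remove \"PubkeyAuthentication no\" from sshd_config and restart sshd"; exit 1
            }
            if (saw_methods && !tried) {
                print "client: remove \"PubkeyAuthentication no\" from ssh_config and check that ~/.ssh/id_dsa exists"; exit 2
            }
            if (sent) {
                print "server: ~/.ssh/authorized_keys must contain the line from the client id_dsa.pub"; exit 3
            }
            print "no public key diagnostics found in the input"; exit 4
        }'
}

# Constructed transcripts, one per case.
SAMPLE_SERVER_NO_PUBKEY='debug1: Authentications that can continue: password,keyboard-interactive
debug1: Next authentication method: password'

SAMPLE_CLIENT_NO_KEY='debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password'

SAMPLE_KEY_REJECTED='debug1: Authentications that can continue: publickey,password
debug1: try pubkey: /home/rossy/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password'

SAMPLE_OK='debug1: Authentications that can continue: publickey,password
debug1: try pubkey: /home/rossy/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentication succeeded (publickey).'

# Run one transcript through the classifier; the exit status is the case number.
diagnose_sample() {
    printf '%s\n' "$1" | diagnose_ssh_debug
}

# Stand-alone run over all four constructed transcripts.
for s in "$SAMPLE_SERVER_NO_PUBKEY" "$SAMPLE_CLIENT_NO_KEY" "$SAMPLE_KEY_REJECTED" "$SAMPLE_OK"; do
    diagnose_sample "$s"
done
```

On a real client, run "ssh -vv user@server 2>&1 | diagnose_ssh_debug" (ssh writes its debug output to stderr) and act on the printed line.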
A small bit about the jargon
{1} ssh stands for Secure SHell. On a basic level it is like telnet, but with many differences, the main one being encryption.
{2} Client: the client is the machine that initiates the connection.
{3} Server: the server is the machine that listens for incoming connections.
{4} Private keys are stored on the client.
{5} Public keys are stored on the server.
{6} Less secure: if the client is compromised, so is access to the server.
I can ssh without a password from slackware to debian, but I cannot do it from debian to slackware.
B ssh login to A, secure connection refused.
By allowing/enabling port 22, what else could be blocking the SSH login?
from fedora to debian I can log in without a password, but from debian to fedora it asks for a password... my ssh --v host is the same as the one posted here...
thanks
leg
I have posted twice the same issue, the thread is continued from here:
http://www.linuxquestions.org/questi...threadid=51930
now it works...
what is the difference between rsa and dsa? is dsa more secure?
thanks a lot for the discussion,
leg
jason
I had the same problem trying to get mine to work. I did a chmod on the server: <chmod 600 authorized_keys>
and then it started working. No password required!
hope this helps.
P.S. This was a debian to debian connection following the steps outlined in the guide.