LinuxQuestions.org


vikash.thbs 04-30-2013 02:34 AM

passwordless keybased sftp
 
Hi All,

I have a requirement where I need to transfer a file from Linux server A to Linux server B using sftp.

sftp should use key-based, passwordless authentication.

Could you please advise me on the steps involved.

e.g. 1) How to generate the keys, and on which server: server A or B?
2) Which key should be imported, and on which server? etc.


Many thanks for your help.

lekremyelsew 04-30-2013 06:33 AM

The way you set up ssh/sftp depends on which server you want to (or already do) have sshd running on. Because sftp can copy files to and from the connected host, you don't need to (but can) run sshd on both Linux servers. We'll start with just one instance of sshd for now. For the sake of this explanation, let's say that you have sshd running on Linux server A and will be running the ssh/sftp command from Linux server B. Note that if you have sshd running on both servers, you can use either server in place of A/B (more on this later). To generate the key, run
Code:

ssh-keygen -t rsa -b 2048 -C 'your_email_address_here@domain.com'
as the user you want to use sftp from on server B. The '-C ...' part is optional; it just helps if you start letting other people connect to the same server, as the same user. Also, feel free to use another encryption type, like '-t ecdsa', and/or change the number of bits in the key, like '-b 4096', although the options I provided should be fine.
This will set up ~/.ssh with your newly created keypair inside. 'id_rsa' is your private key (keep it safe, it should be password protected) and 'id_rsa.pub' is your public key. If you look at ~/.ssh/id_rsa.pub, you will notice that the key is on a single line. This line is what you will use to authorize yourself to the sshd server on Linux server A.
Now you must pick which user you want to connect to on Linux server A. Once you do that, append the line from ~/.ssh/id_rsa.pub on Linux server B to the file ~/.ssh/authorized_keys on Linux server A (or just copy the file, if it doesn't already exist). Note that this is the only file that needs to be in ~/.ssh on Linux server A.
Although it's not really necessary, it doesn't hurt to run:
Code:

chmod 0600 ~/.ssh/authorized_keys
on Linux server A, just to make things a little more secure.
It's also a good idea to turn off password authentication, if others don't need it, on Linux server A. This will stop hackers from brute-force cracking your password. Set
Code:

PasswordAuthentication no
in /etc/ssh/sshd_config (or maybe /etc/sshd_config) on Linux server A. You're probably going to want to restart sshd on Linux server A so that the changes take effect.
After that's all done, you should be ready to connect. To test the setup, run (from Linux server B)
Code:

ssh user_name_on_server_A@host_name_or_ip_address
You should now see something to the effect of
Code:

The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is a6:fd:e1:28:26:25:7a:5c:45:9f:b2:65:41:4b:5a:df.
Are you sure you want to continue connecting (yes/no)?

Note that the encryption type you see here might not be the same as the one you used for your keypair, but that is completely fine. Verify that the fingerprint that your ssh-client is seeing is the same as the one on the sshd server by running
Code:

# files might just be in /etc/ rather than /etc/ssh/
ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub  # for ECDSA
ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub    # for RSA

on Linux server A, then checking that the keys are the same. This protects against a man-in-the-middle attack. Note that you should only be prompted like this once per host (that is, if you select 'yes'), so if you see this again (and you didn't re-install sshd on Linux server A) you might be under a man-in-the-middle attack.
After verifying the fingerprint, you should be able to connect and be all good to go.

After testing if the ssh command works, exit out of ssh, and you should now be able to run
Code:

sftp user_name_on_server_A@host_name_or_ip_address
If this doesn't work, double check usernames, hostnames, and port numbers. You can specify port numbers with -p. You might need to set up port-forwarding on the network that Linux server A is in, if the two servers aren't behind the same network.

If you have sshd running on both machines and you want to be able to connect from B to A, as well as A to B, keep reading.
All you have to do is copy ~/.ssh/id_rsa from Linux server B to server A, and copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys, all on Linux server B. Note that you can (but don't need to) copy ~/.ssh/id_rsa.pub from Linux server B to Linux server A. You are going to have the same information already in ~/.ssh/authorized_keys (on Linux server B) if you were ever to need to copy it to somewhere else. You could also copy it over if you're neurotic and just like symmetry, like me :)
Note that you're not limited to using only two users between the two machines. You could set up a special account to connect to with limited permissions on one (or both) machines, to add security. This means that you can make a setup with anywhere from 2-4 users between the two machines, with different accounts to connect to and from on each machine, but this is probably not necessary.
If you are just going to use one account on each computer to do the connecting to and connecting from, you can simplify the key copying process by running
Code:

scp ~/.ssh/id_rsa user_name_on_server_A@host_name_or_ip_address:.ssh/id_rsa
cp ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys

on Linux server B.
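As an added example (not code from the original thread), the script below checks the two hardening steps in this reply on server A, the effective PasswordAuthentication setting and the permissions on authorized_keys, and writes a batch file for the unattended transfer the question asks about. It assumes OpenSSH's sshd_config syntax and a POSIX sh/awk/ls; the file paths, the `backup` user and the report.csv name are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Pre-flight checks for the
# key-based sftp setup described above, run on server A as the receiving user.
# Assumes OpenSSH sshd_config syntax and POSIX sh/awk/ls; paths are arguments.
set -eu

# sshd honours the FIRST matching keyword in sshd_config, so a stray
# "PasswordAuthentication yes" above the one you added silently wins, and the
# built-in default is "yes". Directives inside Match blocks are conditional,
# so the scan stops at the first Match line (global setting only).
password_auth_effective() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# authorized_keys on A (and the private key on B) must carry no group/other
# bits; with StrictModes (the default) sshd ignores a writable authorized_keys,
# so chmod 0600 as the post suggests is the safe choice. Returns 0 when the
# group and other permission fields (columns 5-10 of ls -l) are all "-".
perms_ok() {
    case "$(ls -ld "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Batch file for an unattended transfer, used as:
#   sftp -b BATCHFILE -o BatchMode=yes -o StrictHostKeyChecking=yes user@hostA
# BatchMode=yes makes sftp fail instead of prompting for a password, and
# StrictHostKeyChecking=yes refuses a host key that is not already pinned in
# known_hosts, which enforces the fingerprint check the post describes.
# Arguments: batch file to write, local file, remote directory.
write_sftp_batch() {
    printf 'put %s %s/\nbye\n' "$2" "$3" > "$1"
}

# Example run (constructed paths):
#   password_auth_effective /etc/ssh/sshd_config      -> "no" when hardened
#   perms_ok ~/.ssh/authorized_keys && echo "perms ok"
#   write_sftp_batch /tmp/upload.batch /tmp/report.csv /incoming
```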

