Thursday, April 29, 2010

no password login

The Problem


Login to a remote machine over SSH without having to type your password in every time.

The Solution


One problem that complicates this a bit is that there are two competing implementations of SSH: OpenSSH, and SSH.com. Some steps will differ depending on which version is running locally and on the machine you are connecting to.
There are two steps to setting up passwordless login: key generation and key authorization.
If you are running different versions on the local and remote machines, there will be an additional step of converting the keys. I would also recommend renaming your keys to make them easier to manage. Finally, you may need to explicitly identify your private key to ssh.

Key Generation


  • Key generation begins with the same command for both versions of SSH. Run this command from a shell:
    $ ssh-keygen -t dsa 
    The dsa in the previous command indicates that you are generating a key using the DSA algorithm. There are two types of algorithms in common use, DSA and RSA2. Some systems will accept either, but some systems will only accept one. DSA is used in this example, since our machines require DSA. The default filenames and formats for the generated keys will differ between the two implementations. Two files will be generated, a private key and a public key.
    Default Names    Private Key        Public Key
    OpenSSH          id_dsa             id_dsa.pub
    SSH.com          id_dsa_1024_a      id_dsa_1024_a.pub
    Your private key should not leave your system. Your public key will be copied to the machine you intend to ssh to.

Key Authorization


OpenSSH

  1. Copy your public key to the .ssh directory on the remote machine.
  2. Copy the public key into a file called authorized_keys2.
  3. Make sure all the files in the directory have user-only read-write permissions (i.e. rw-------)
  • localhost:~/.ssh/$ scp id_dsa.pub  user@remotehost:.ssh/
     localhost:~/.ssh/$ ssh user@remotehost
     user@remotehost's password: 
     Welcome to remotehost!
     remotehost:~/$ cd .ssh
     remotehost:~/.ssh/$ cat id_dsa.pub >> authorized_keys2
     remotehost:~/.ssh/$ chmod 600 * 
    All done!

SSH.com

  1. Copy your public key to the .ssh2 directory on the remote machine.
  2. Echo the string "key id_dsa_1024_a.pub" into a file called authorization.
  3. Make the .ssh2 directory read-write-executable for the user only (i.e. rwx------)
  4. Make sure all the files in the .ssh2 directory have user-only read-write permissions (i.e. rw-------)
  • localhost:~/.ssh2/$ scp id_dsa_1024_a.pub  user@remotehost:.ssh2/
     localhost:~/.ssh2/$ ssh user@remotehost
     user@remotehost's password: 
     Welcome to remotehost!
     remotehost:~/$ cd .ssh2
     remotehost:~/.ssh2/$ echo "key id_dsa_1024_a.pub" >> authorization
     remotehost:~/.ssh2/$ chmod 700 .
     remotehost:~/.ssh2/$ chmod 600 * 
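The OpenSSH authorization steps above, plus the permission rules both variants call for, as a reusable shell function. This is an added example, not code from the original post: cat >> authorized_keys2 adds a duplicate line every time it is re-run, so this version appends only when the key is not already present, and check_ssh_perms reports any file or directory that does not match the rw------- / rwx------ rules. The function names are this example's own.

```shell
# Install a one-line OpenSSH public key into an authorized_keys2 file.
#   $1 = public key file (e.g. id_dsa.pub)
#   $2 = target file     (e.g. ~/.ssh/authorized_keys2)
install_pubkey() {
    pub=$1
    auth=$2
    dir=$(dirname "$auth")

    # Refuse anything that does not look like "ssh-dss AAAA..." / "ssh-rsa AAAA...".
    grep -Eq '^ssh-(dss|rsa) [A-Za-z0-9+/=]+' "$pub" || {
        echo "$pub: not an OpenSSH public key" >&2
        return 1
    }
    line=$(head -n 1 "$pub")

    # Directory must be rwx------, the key file rw------- (sshd checks this).
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$auth"
    # Append only if this exact line is not already present (idempotent).
    grep -qxF "$line" "$auth" || printf '%s\n' "$line" >> "$auth"
    chmod 600 "$auth"
}

# Return 0 if $1 is rwx------ and every regular file inside it is rw-------;
# otherwise print the offenders to stderr and return 1.
check_ssh_perms() {
    dir=$1
    bad=$( { find "$dir" -maxdepth 0 ! -perm 700
             find "$dir" -mindepth 1 -type f ! -perm 600; } )
    [ -z "$bad" ] || {
        printf 'wrong permissions:\n%s\n' "$bad" >&2
        return 1
    }
}
```

Run install_pubkey on the remote side after copying the key over with scp, then check_ssh_perms ~/.ssh to confirm nothing is readable by group or others.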

Converting your Public Key


Unfortunately, OpenSSH and SSH.com use different key formats. This means that if your local machine uses one version of SSH and the remote machine uses another, you will need to convert your key. To help keep track of which key is which, you may wish to name your public keys id_dsa.openssh.pub and id_dsa.sshcom.pub.

OpenSSH to SSH.com

  • $ ssh-keygen -e -f id_dsa.pub > id_dsa_1024_a.pub
     $ ls
     id_dsa.pub id_dsa_1024_a.pub 

SSH.com to OpenSSH

  • $ ssh-keygen -i -f id_dsa_1024_a.pub > id_dsa.pub
     $ ls
     id_dsa_1024_a.pub id_dsa.pub 
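Picking the conversion direction by inspecting the file rather than remembering which flag is which, as an added example that is not part of the original post. An OpenSSH public key is a single line starting with the key type (ssh-dss or ssh-rsa); an SSH.com public key is an RFC 4716 block that starts with a "---- BEGIN SSH2 PUBLIC KEY ----" header. The function names are this example's own; only convert_pubkey actually invokes ssh-keygen.

```shell
# Report a public key file's on-disk format from its first line:
#   openssh : "ssh-dss AAAA... comment"            (one line)
#   sshcom  : "---- BEGIN SSH2 PUBLIC KEY ----"    (RFC 4716 block)
pubkey_format() {
    first=$(head -n 1 "$1")
    case "$first" in
        "---- BEGIN SSH2 PUBLIC KEY ----"*) echo sshcom ;;
        "ssh-dss "*|"ssh-rsa "*)            echo openssh ;;
        *)                                  echo unknown ;;
    esac
}

# Convert $1 to the other format and write it to $2.
# Refuses to overwrite an existing file or to "convert" a non-key.
convert_pubkey() {
    src=$1
    dst=$2
    [ -e "$dst" ] && { echo "refusing to overwrite $dst" >&2; return 1; }
    case "$(pubkey_format "$src")" in
        openssh) ssh-keygen -e -f "$src" > "$dst" ;;   # OpenSSH -> SSH.com
        sshcom)  ssh-keygen -i -f "$src" > "$dst" ;;   # SSH.com -> OpenSSH
        *) echo "$src: not a recognised public key" >&2; return 1 ;;
    esac
}
```

Example use: convert_pubkey id_dsa.mercury.openssh.pub id_dsa.mercury.sshcom.pub, then verify with pubkey_format on the output before copying it to the remote .ssh2 directory.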

Renaming Keys


An optional but recommended step is to rename your keys to make them easier to manage. If you're working in a homogeneous environment where all machines are running the same flavor of ssh and you only need to login from one machine, this may not be necessary. However, if you deal with both flavors of ssh or if you are logging in to one host from several different machines, this will go a long way towards making your life easier.
Once you've generated your keys, immediately rename your public key to a name that contains:
  1. the key algorithm used (DSA or RSA)
  2. the hostname of the machine it was generated for
  3. the flavor of ssh it was generated with
So if you generated a 2048-bit DSA key using openssh on a machine named mercury, you would rename your public key to something like id_dsa.mercury.openssh.pub. If you need an SSH.com version of the same key, you would convert it using the instructions above and rename it to id_dsa.mercury.sshcom.pub.
It's not necessary to rename the private key, since there is probably only one per user per machine, but it can still be helpful to know six months later which flavor of ssh you used to generate it. However, there is one caveat: if you rename your private keys you will have to make sure that OpenSSH and SSH.com know where to find them.

Identifying your private keys


OpenSSH

OpenSSH looks for private keys in one of the following three locations (the matching public keys carry the same names with a .pub suffix):
  • ~/.ssh/identity
  • ~/.ssh/id_dsa
  • ~/.ssh/id_rsa
If your key is named something different, the easiest way to get things working is to create a symlink (a.k.a. a shortcut in the Windows world) to it.
  • localhost:~/.ssh/$ ls -l
     total 80
     -rw-------   1 user  user   1196 Feb 23  2007 id_dsa.mercury.openssh
     -rw-r--r--   1 user  user   1141 Feb 23  2007 id_dsa.mercury.openssh.pub
     -rw-r--r--   1 user  user   1261 Feb 23  2007 id_dsa.mercury.sshcom.pub
     localhost:~/.ssh/$ ln -s id_dsa.mercury.openssh identity
     localhost:~/.ssh/$ ls -l
     total 80
     -rw-------   1 user  user   1196 Feb 23  2007 id_dsa.mercury.openssh
     -rw-r--r--   1 user  user   1141 Feb 23  2007 id_dsa.mercury.openssh.pub
     -rw-r--r--   1 user  user   1261 Feb 23  2007 id_dsa.mercury.sshcom.pub
     lrwxr-xr-x   1 user  user      6 Mar 18 12:08 identity -> id_dsa.mercury.openssh 
Now ssh will look in the directory, find a file called identity and read it.

SSH.com

SSH.com does it differently, looking in a file called identification to find the name of the private key.
  • localhost:~/.ssh2/$ ls -l
     total 80
     -rw-r--r--   1 user  user   1141 Feb 23  2007 id_dsa.mercury.openssh.pub
     -rw-------   1 user  user   1196 Feb 23  2007 id_dsa.mercury.sshcom
     -rw-r--r--   1 user  user   1261 Feb 23  2007 id_dsa.mercury.sshcom.pub
     localhost:~/.ssh2/$ echo "IdKey id_dsa.mercury.sshcom" > identification
     localhost:~/.ssh2/$ ls -al
     total 80
     -rw-r--r--   1 user  user   1141 Feb 23  2007 id_dsa.mercury.openssh.pub
     -rw-------   1 user  user   1196 Feb 23  2007 id_dsa.mercury.sshcom
     -rw-r--r--   1 user  user   1261 Feb 23  2007 id_dsa.mercury.sshcom.pub
     -rw-r--r--   1 user  user     28 Mar 18 12:08 identification
     localhost:~/.ssh2/$ cat identification
     IdKey id_dsa.mercury.sshcom 
In this example echo repeats the given string, and the > character tells the shell to redirect that output into a file called identification.
