Re: Passwordless SSH setup
On Wed, Jun 02, 2004 at 01:02:08AM -0500, Will Trillich wrote:
> for passwordless SSH-ing, try this (and feel free to augment or
> correct if i overlook something)--
>
> localbox$ ssh-keygen -t dsa
>
> after some q&a (just answer with blanks, for passwordless
> connections) this creates a ~/.ssh/id_dsa.pub file that you can
> append to your remote systems' ~/.ssh/authorized_keys files:
>
> localbox$ scp ~/.ssh/id_dsa.pub me@remotebox:~/.ssh/localboxKey
> localbox$ ssh me@remotebox
> <password>
> remotebox$ cd ~/.ssh
> remotebox$ cat localboxKey >> authorized_keys
> remotebox$ chmod 600 authorized_keys
> remotebox$ rm localboxKey
> remotebox$ logout
> localbox$
For password-less keys I think they should be single use only.
My original question was about doing this to a machine running SSH
Corp's version. Unfortunately, that machine has SSH Secure Shell 3.2.3
on it -- and in that version the manual pages were not updated to
explain how to create a single use key. I emailed their tech support
and they sent me to
http://www.ssh.com/documents/32/ssh2_40.html
which explains the options.
And in case anyone finds this in the archive, on SSH Secure Shell you
need to convert the keys. So on Debian, create a keypair called "rsync"
and "rsync.pub":
$ ssh-keygen -t dsa -f rsync
Then convert and copy to the other machine:
$ ssh-keygen -e -f rsync.pub | ssh <remotehost> 'cat - > .ssh2/rsync.pub'
and in your .ssh/config file add something like this to use this
single-use key (needed because if you already have a key for the remote
host managed by ssh-agent then it will be used instead):
Host rsync
    User foo
    HostName remote.host.name
    IdentitiesOnly yes
    IdentityFile ~/.ssh/rsync
which says to use only the identity (key) file(s) listed in the config file.
man ssh_config(5)
Then, on the remote host in .ssh/authorization set the "rsync.pub" key
for running a single command:
key rsync.pub
Options command="rsync --server --daemon --config=rsync.conf ."
And set up rsync.conf as explained in the rsync manual:
[foo_dir]
    comment = Provides read-only access to foo
    path = /path/to/foo
    read only = yes
    exclude = logs
    # can't chroot since running as a regular user
    use chroot = no
Then back on the Debian machine:
$ rsync -av --rsh="ssh rsync" ::foo_dir local_dir
or use whatever options you need when using rsync.
--
Bill Moseley
moseley@hank.org
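Added example, not from this thread: an auditor for OpenSSH's authorized_keys format (the file the quoted recipe appends to; SSH Secure Shell's .ssh2/authorization format above is different) that flags keys not pinned to a single forced command, which is the "single use only" property discussed above. The key type list and the sample lines are my own assumptions; the key blobs are placeholders.

```python
# Key types that mark where the options field ends (assumed list, not exhaustive).
KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384"}
# Without these (or "restrict"), a forced-command key can still open a pty or tunnel.
RESTRICTIONS = {"no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding"}

def parse_line(line):
    """Return (options, key_type, comment), or None for blank/comment lines; flag options map to True."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    options, i = {}, 0
    if line.split(None, 1)[0] not in KEY_TYPES:
        # Options are comma-separated up to the first unquoted space; commas and
        # spaces inside double quotes (command="...", from="a,b") do not split.
        buf, raw, quoted = "", [], False
        while i < len(line):
            c = line[i]
            if c == "\\" and quoted and i + 1 < len(line):  # \" inside a quoted value
                buf += line[i + 1]; i += 2; continue
            if c == '"':
                quoted = not quoted
            elif c == "," and not quoted:
                raw.append(buf); buf = ""
            elif c.isspace() and not quoted:
                raw.append(buf); break
            else:
                buf += c
            i += 1
        for opt in raw:
            name, eq, value = opt.partition("=")
            options[name.lower()] = value if eq else True
    parts = line[i:].split(None, 2)
    return options, parts[0], parts[2] if len(parts) > 2 else ""

def audit(text):
    """Return (comment, problem) for every key not pinned to one restricted command."""
    findings = []
    for options, _key_type, comment in filter(None, map(parse_line, text.splitlines())):
        if "command" not in options:
            findings.append((comment, "no forced command"))
        elif "restrict" not in options and not RESTRICTIONS.issubset(options):
            findings.append((comment, "forced command but pty/forwarding still allowed"))
    return findings

# Constructed sample; the key blobs are placeholders, not real key material.
SAMPLE = """\
ssh-dss AAAA...placeholder... localbox-interactive
command="rsync --server --daemon --config=rsync.conf ." ssh-dss AAAA...placeholder... rsync
restrict,from="10.0.0.0/8,192.168.1.5",command="rsync --server --daemon --config=rsync.conf ." ssh-ed25519 AAAA...placeholder... rsync-hardened
"""
```

Run `audit(SAMPLE)` to see the first two sample keys reported and the third (restrict + from + command) pass.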