
Re: SSH and RSA

On Mon, Feb 19, 2001 at 10:14:18AM -0800, Duane Powers wrote:
> Hi all,
> Recently I was made administrator over a dozen Solaris boxen <heh>
> The prior admin was offsite and used ssh with rsa keys to access the boxes.
> He allowed root login, and used the RSA key functionality to keep the root
> password safe.
> I am not as mature as he was regarding ssh <newbie> and have only used
> ssh as a plug in replacement to telnet, <I tend to not set a different
> p/w during ssh-keygen> and simply access the boxes as follows:
> ssh -l <me> <hostname> then I login using the normal p/w that is local
> to the box. I have found that he did not need to transmit the local
> password over the tunnel, but rather used RSA to verify his identity,
> but I can't find documentation on how to do it. <man ssh, man ssh-agent,
> man ssh-add, Practical UNIX & Internet Security> does anyone have any
> information on how I can implement the same safeguards? Or where I can
> at least find some documentation on practical ssh implementation.

Ok... check your /etc/ssh/sshd_options file
You need to enable some options with RSA in their name, they are all there,
only commented out by default.

Next you need to go to your user's .ssh directory (the user/system you want
to ssh to... so root on your Solaris boxes) and create a file called
authorized_keys (check the local sshd manual page for exact name, it will
differ between implementations) and append your public key to it so:

cat my-public-key >> ~/.ssh/authorized_keys

Then you should be able to login with your key and key passphrase, and not
the local account password.

I just tried it on my local system and it works great (using teraterm ssh
on windows to my debian linux box)

Here's the line from the sshd_options file:
RSAAuthentication yes

More info can be found in the sshd_options file and the manual page for
sshd (not ssh) ;)

Have fun...

> As always, You guys are great, thanks in advance for the help,
> ~duane

Mark Janssen                     Unix Consultant @ SyConOS IT
E-mail: mark@markjanssen.homeip.net    GnuPG Key Id: 357D2178
http: markjanssen.homeip.net and markjanssen.[com|net|org|nl]
Fax/VoiceMail: +31 20 8757555     Finger for GPG and GeekCode
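
An idempotent form of the `cat my-public-key >> ~/.ssh/authorized_keys` step from the reply above, as an added example that is not part of the original message. It sets owner-only permissions (OpenSSH's sshd, with StrictModes on, checks file modes and ownership before accepting a login), refuses a private key file, and skips keys already present; the function names, paths and sample key line are constructed, and an OpenSSH-style authorized_keys file is assumed.

```shell
#!/bin/sh
# Added example: safer form of `cat my-public-key >> ~/.ssh/authorized_keys`.
# Usage: install_pubkey PUBKEY_FILE HOME_DIR   (names are illustrative)
install_pubkey() {
    pub=$1
    home=$2
    dir=$home/.ssh
    auth=$dir/authorized_keys   # assumed name; it varies by implementation

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Refuse a private key passed by mistake: it must never leave the client.
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "$pub looks like a private key" >&2
        return 2
    fi

    # Take the first non-empty line; a public key file holds one key per line.
    key=$(grep -v '^[[:space:]]*$' "$pub" | head -n 1)
    [ -n "$key" ] || { echo "$pub is empty" >&2; return 1; }

    # Create directory and file with owner-only access before writing.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    ( umask 077; touch "$auth" ) && chmod 600 "$auth" || return 1

    # Append only if this exact line is not already present.
    if ! grep -qxF -- "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
}

# Report the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Demo on a scratch directory with a constructed (not real) key line.
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed admin@workstation' > "$demo/id_rsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/home"
install_pubkey "$demo/id_rsa.pub" "$demo/home"   # second run adds nothing
echo "entries: $(wc -l < "$demo/home/.ssh/authorized_keys")"
echo "modes: $(mode_of "$demo/home/.ssh") $(mode_of "$demo/home/.ssh/authorized_keys")"
rm -rf "$demo"
```
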
