Re: SSH with public and private RSA keys
I replaced my username with USERNAME and the IP with 000.000.000.000.
CLIENT is the client's hostname and SERVER is the server's :)
I created it without a passphrase even though that should NOT be done. Better
to use ssh-agent and/or keychain.
The server's config file is the DEFAULT!!! I pasted it for you below.
Lines starting with *** are comments.
-------------------------------------------------------------------
USERNAME@CLIENT:$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/USERNAME/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/USERNAME/.ssh/id_dsa.
Your public key has been saved in /home/USERNAME/.ssh/id_dsa.pub.
The key fingerprint is:
ee:c2:27:33:74:a9:f3:2f:de:ed:f4:80:0f:71:63:64 USERNAME@CLIENT
***That command generated the key without a passphrase (should NOT be done)
USERNAME@CLIENT:$ ssh -l USERNAME 000.000.000.000 mkdir /home/USERNAME/.ssh
The authenticity of host '000.000.000.000 (000.000.000.000)' can't be established.
RSA key fingerprint is 13:64:f9:e6:1e:d2:8b:68:ac:9e:60:af:6c:17:a6:0d.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '000.000.000.000' (RSA) to the list of known hosts.
Password:
***I created the .ssh directory on the server because it didn't exist. I hadn't
used ssh from the server. In fact, I installed it just for this example.
USERNAME@CLIENT:$ scp .ssh/id_dsa.pub USERNAME@000.000.000.000:/home/USERNAME/.ssh/authorized_keys
Password:
id_dsa.pub                                    100%  600     0.6KB/s   00:00
***Copying the public key to the SERVER
USERNAME@CLIENT:$ ssh -l USERNAME 000.000.000.000
Linux SERVER 2.4.27-2-386 #1 Mon May 16 16:47:51 JST 2005 i686 GNU/Linux
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
USERNAME@SERVER:~$
***Done, it connected without asking for a password. Oh, I even have mail! :)
USERNAME@SERVER:~$ cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd(8) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Change to yes to enable tunnelled clear text passwords
PasswordAuthentication no
# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no
# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
Subsystem sftp /usr/lib/sftp-server
UsePAM yes
USERNAME@SERVER:~$
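An added check, not part of the original post: it reads an sshd_config like the one pasted above and reports the settings a reviewer would flag (the pasted file still has PermitRootLogin yes), and it mirrors the permission test that "StrictModes yes" applies to the .ssh directory and authorized_keys file that the scp step created. It assumes POSIX sh and GNU stat (-c %a).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat.

# Effective value of a directive: sshd uses the first uncommented match, and
# the caller passes the default that applies when the line is commented out.
sshd_opt() {
    v=$(awk -v k="$2" 'tolower($1)==tolower(k) {print $2; exit}' "$1")
    printf '%s\n' "${v:-$3}"
}

# Print one line per weak setting; exit status is the number of findings.
audit_sshd_config() {
    cfg=$1; n=0
    if [ "$(sshd_opt "$cfg" PermitRootLogin yes)" = yes ]; then
        echo "PermitRootLogin yes: root can log in over SSH directly"; n=$((n+1)); fi
    if [ "$(sshd_opt "$cfg" PasswordAuthentication yes)" = yes ]; then
        echo "PasswordAuthentication yes: password guessing stays possible"; n=$((n+1)); fi
    if [ "$(sshd_opt "$cfg" PubkeyAuthentication yes)" != yes ]; then
        echo "PubkeyAuthentication no: the copied key will never be used"; n=$((n+1)); fi
    if [ "$(sshd_opt "$cfg" PermitEmptyPasswords no)" = yes ]; then
        echo "PermitEmptyPasswords yes: empty-password accounts can log in"; n=$((n+1)); fi
    return $n
}

# With StrictModes yes, sshd ignores authorized_keys when the home directory,
# ~/.ssh or the file itself is group- or world-writable. Same test here.
check_key_perms() {
    home=$1; n=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || continue
        mode=$(stat -c %a "$p")
        if [ $(( 0$mode & 022 )) -ne 0 ]; then
            echo "$p is mode $mode: group/world writable, sshd will ignore the key"
            n=$((n+1))
        fi
    done
    return $n
}

# Constructed sample: the security-relevant lines of the config in the post.
demo=$(mktemp -d)
printf '%s\n' 'Port 22' 'Protocol 2' 'PermitRootLogin yes' 'StrictModes yes' \
    'PubkeyAuthentication yes' 'PermitEmptyPasswords no' \
    'PasswordAuthentication no' 'UsePAM yes' > "$demo/sshd_config"
audit_sshd_config "$demo/sshd_config"   # reports only PermitRootLogin yes
rm -rf "$demo"
```

Run it against /etc/ssh/sshd_config and your own home directory after copying a key; a non-zero exit status means something needs fixing before relying on key-only login.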