[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

SSH Question <SOLVED>.

For the use of people who may be interested.  After my question here is
what I have found you need to do in order to allow a passwordless RSA
authenticated ssh or scp session between hosts.

Hope it's useful to some one out there...


Written By Adam: 06 November 1997

To set up passwordless SSH sessions between hosts which rely on RSA
for authentication rather then passwords, follow the steps below.

1. First make sure that there are ~/.ssh/identity and ~/.ssh/identity.pub
files (this is where the public and private keys are kept) on both hosts. 
If the host/user does not yet have a key pair then you need to generate
one by running 'ssh-keygen' (it's very straight forward, just run it). 

2. Next copy (from the client machine) the line from ~/.ssh/identity.pub
and put it in the ~/.ssh/authorized_keys file (make sure it doesn't line
wrap accidentally, it should be only one line per host authorized).  Check
permissions to make sure *only* the user has read privileges to the
private key! 

3. Next on the server machine make sure that these changes have been made
to the /etc/ssh/sshd_config file (you need to restart sshd if you made any

PermitRootLogin nopwd
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes

4. Create an ~/.shosts file on the server machine with an entry for the
host that you want to have access. It should contain one fully qualified
domain name per line.

5. Use SSH to connect *both* ways using the fully qualified domain name of
the server host in the command line, this is to make sure that host keys
are exchanged.  You may have to temporarily modify the hosts.[allow|deny]
files to allow the connection one way.

6. Test it with 'ssh -v hostname' and see what goes wrong.  The most
common problem I've run into is mismatched host keys, where the exchanged
keys use an inconsistently qualified host named (ie. the server looks for
'host.isp.net' in ~/.ssh/known_hosts but can only find 'host'). 

7. As Bruce says, "Have a beer".

------------------------ Internet Alaska --------------------------
 4050 Lake Otis		    Adam  Shand        (v) +1 907 562 4638
 Anchorage, Alaska     Systems Administrator   (f) +1 907 562 1677
----------------- http://larry.earthlight.co.nz -------------------

TO UNSUBSCRIBE FROM THIS MAILING LIST: e-mail the word "unsubscribe" to
debian-user-request@lists.debian.org . 
Trouble?  e-mail to templin@bucknell.edu .

Reply to: