
Re: Passwordless SSH setup

On Wed, Jun 02, 2004 at 01:02:08AM -0500, Will Trillich wrote:
> for passwordless SSH-ing, try this (and feel free to augment or
> correct if i overlook something)--
> 	localbox$ ssh-keygen -t dsa
> after some q&a (just answer with blanks, for passwordless
> connections) this creates a ~/.ssh/id_dsa.pub file that you can
> append to your remote systems' ~/.ssh/authorized_keys files:
> 	localbox$ scp ~/.ssh/id_dsa.pub me@remotebox:~/.ssh/localboxKey
> 	localbox$ ssh me@remotebox
> 	<password>
> 	remotebox$ cd ~/.ssh
> 	remotebox$ cat localboxKey >> authorized_keys
> 	remotebox$ chmod 600 authorized_keys
> 	remotebox$ rm localboxKey
> 	remotebox$ logout
> 	localbox$

For password-less keys I think they should be single use only.

My original question was about doing this to a machine running SSH
Corp's version.  Unfortunately, that machine has SSH Secure Shell 3.2.3
on it -- and in that version the manual pages were not updated to
explain how to create a single use key.  I emailed their tech support
and they sent me to 


which explains the options.

And in case anyone finds this in the archive, on SSH Secure Shell you
need to convert the keys.  So on Debian, create a keypair called "rsync"
and "rsync.pub"

   $ ssh-keygen -t dsa -f rsync

Then convert and copy to the other machine:

   $ ssh-keygen -e -f rsync.pub | ssh <remotehost> 'cat - > .ssh2/rsync.pub'

and in your .ssh/config file add something like this to use this
single-use key (needed because if you already have a key for the remote
host managed by ssh-agent then it will be used instead):

    Host rsync
        User foo
        HostName remote.host.name
        IdentitiesOnly yes
        IdentityFile ~/.ssh/rsync

which says to use only the identity (key) file(s) listed in the config file.
man ssh_config(5)

Then, on the remote host in .ssh/authorization set the "rsync.pub" key
for running a single command:

    key rsync.pub
    Options command="rsync --server  --daemon --config=rsync.conf ."

And set up rsync.conf as explained in the rsync manual:

    # module name; the client requests it as ::foo_dir
    [foo_dir]
        comment = Provides read-only access to foo
        path = /path/to/foo
        read only = yes
        exclude = logs
        # can't chroot since running as a regular user
        use chroot = no

Then back on the Debian machine:

    $ rsync -av --rsh="ssh rsync" ::foo_dir local_dir

or use whatever options you need when using rsync.

Bill Moseley
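
An added example, not part of the original message: a small audit that lists the keys in an SSH Secure Shell `authorization` file that carry no forced command, which is the restriction the message applies to its passwordless rsync key. It assumes the file layout shown above (a `key <file>` line, optionally followed by an `Options` line that applies to the preceding key); the function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report keys in an SSH Secure Shell "authorization" file
# that are NOT restricted to a single command.
# Assumptions: layout as in the message above ("key <file>" followed by an
# optional "Options ..." line for that key), keywords matched without
# regard to case, and lines starting with '#' treated as comments.

unrestricted_keys() {
    awk '
        # Print the pending key if no forced command was seen for it.
        function report() { if (key != "" && !forced) print key }

        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blanks
        { kw = tolower($1) }

        kw == "key" { report(); key = $2; forced = 0; next }

        # An Options line only counts when it follows a key line and
        # contains a non-empty command="..." setting.
        kw == "options" && key != "" {
            if (tolower($0) ~ /command[ \t]*=[ \t]*"[^"]+"/) forced = 1
        }

        END { report() }
    ' "$@"
}

# Constructed sample: one key limited to the rsync command from the
# message, two keys with no restriction at all.
sample_authorization() {
    cat <<'EOF'
# constructed sample authorization file
key rsync.pub
Options command="rsync --server  --daemon --config=rsync.conf ."
Key laptop.pub
key backup.pub
EOF
}

# Stand-alone run on the constructed sample.
sample_authorization | unrestricted_keys
```

To check a real file, pass its path as the argument to `unrestricted_keys`; any passwordless key it prints can run arbitrary commands as that user.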
