Re: [Fwd: Re: Debian SSH server configuration]
On Tue, Apr 25, 2006 at 09:26:05PM -0400, Bruce Corbin wrote:
> Thanks. I'll read up on certificates and read the link at the bottom of
> your reply. It's not sinking in at the moment but hopefully it will
> after a little reading.
>
> With respect to the problem: I want to have files on my "server" at
> home and have my laptop be the only "out of house" machine that can
> access them. This much I have already, but I enter a password to get
> in. I may be off base, but it seems like I should be able to have the
> key on the laptop and get in without using a password or pass phrase.
> It isn't really a big deal, but it bothers me that I think I should be
> able to do it but I can't find a way.
>
OK. As your user, run ssh-keygen -t dsa -b 2048
[Generates a key, DSA, 2048 bits] or similar.
When it asks you for a passphrase, hit <Enter> twice - you have a null
passphrase (which is fractionally less secure but that's probably OK.)
Carrying out the above process creates a .ssh directory underneath your
home directory. In it you should find an id_dsa and an id_dsa.pub.
PUBLIC is in capitals below only for emphasis: try hard not to copy
private keys anywhere :)
id_dsa.pub is your PUBLIC key on that machine. That's the key you copy
over. id_dsa is your PRIVATE key: that never goes anywhere and should be
kept safe.
Touch a file in the ssh directory which will hold the keys from other
machines - it must be called authorized_keys. Change its ownership
to 0600 - read/write only for the owner. You need one of these files
on each machine for passwordless login.
touch authorized_keys ; chmod 0600 authorized_keys
You need to copy across PUBLIC keys from other machines that you want
to access to this file: similarly, they need the PUBLIC key from this
machine.
If the other machine is called foo and this one is bar and you are user myuser
- scp foo's public key to the .ssh directory on bar
<bar> cd ~/.ssh
<bar> scp foo:/home/myuser/.ssh/id_dsa.pub foo_id_dsa.pub
<bar> cat foo_id_dsa.pub >> authorized_keys
Same the other way on foo with bar's keys.
<foo> cd ~/.ssh
<foo> scp bar:/home/myuser/.ssh/id_dsa.pub bar_id_dsa.pub
<foo> cat bar_id_dsa.pub >> authorized_keys
Now try an ssh from one to the other. Once you're satisfied, then you
can delete the foo/bar_id_dsa.pub copies.
This is all more than explained in various FAQs and, excellently, in
the O'Reilly book on SSH.
> Another application for this is that it is a server oriented way of
> avoiding the man-in-the-middle issue for the first connection. I
> currently have no concern over this, but it is another example.
>
> Thank you,
You're welcome.
> Bruce
>
Andy
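The authorized_keys steps above, as an added example that is not from the mail: a small POSIX shell helper that creates ~/.ssh with the modes sshd expects, appends a PUBLIC key only if it is not already there (a plain `cat >>` silently adds duplicates each time you repeat it), and checks the modes afterwards. Key generation is still done with ssh-keygen as described in the mail; the directory and file paths passed in are assumptions, and the key blobs in the comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the original thread.
set -eu

# Create the directory and authorized_keys with the modes sshd (StrictModes yes,
# the default) accepts: a group- or world-writable ~/.ssh or authorized_keys is
# ignored, which shows up as "it still asks for a password".
prepare_ssh_dir() {
    dir="$1"
    mkdir -p "$dir"
    chmod 0700 "$dir"
    touch "$dir/authorized_keys"
    chmod 0600 "$dir/authorized_keys"
}

# Append the single public key in $2 to $1/authorized_keys unless the same key
# (type + base64 blob, comment ignored) is already present. Prints the number
# of keys in the file afterwards. Only one key per file is assumed, as with
# a copied id_dsa.pub.
install_pubkey() {
    dir="$1"; pubkey_file="$2"
    prepare_ssh_dir "$dir"
    key=$(head -n 1 "$pubkey_file")
    keyblob=$(printf '%s\n' "$key" | awk '{print $1, $2}')
    if ! awk '{print $1, $2}' "$dir/authorized_keys" | grep -qxF "$keyblob"; then
        printf '%s\n' "$key" >> "$dir/authorized_keys"   # always newline-terminated
    fi
    wc -l < "$dir/authorized_keys" | tr -d ' '
}

# Succeed only if the directory is 0700 and authorized_keys is 0600.
# ls is used instead of stat because its mode column is portable.
check_modes() {
    dir="$1"
    [ "$(ls -ld "$dir" | cut -c1-10)" = "drwx------" ] &&
    [ "$(ls -l "$dir/authorized_keys" | cut -c1-10)" = "-rw-------" ]
}

# Usage, following the foo/bar naming in the mail:
#   install_pubkey ~/.ssh foo_id_dsa.pub && check_modes ~/.ssh
```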