
Contents of /nfo/doc/computing/sysadmin/linux/howto-ssh-with-rsa-keys-(passwordless-login).txt



Revision 1.2
Thu Mar 20 05:57:31 2003 UTC (21 years, 5 months ago) by joko
Branch: MAIN
Changes since 1.1: +67 -12 lines
File MIME type: text/plain
updated

$Id: howto-ssh-with-rsa-keys-(passwordless-login).txt,v 1.1.1.1 2002/02/11 01:22:17 cvsjoko Exp $

$Log: howto-ssh-with-rsa-keys-(passwordless-login).txt,v $
Revision 1.1.1.1 2002/02/11 01:22:17 cvsjoko
first checkin'



------------------------------------------------------------------------------
1. local machine (e.g.: your laptop) (want to log in to the remote one)

THIS METHOD IS a) CLUMSY AND b) DANGEROUS!!!
PLEASE USE METHOD 2. TO DO THIS!

- check if you can log in to the remote machine
  via "normal" password authentication:
  - ssh <username>@<remote_machine>

- create keys:
  - rsa-keys: ssh-keygen
  - dsa-keys: ssh-keygen -d

- create authorized_keys:
  - cd ~/.ssh/
  - rsa-keys: cat identity.pub >> authorized_keys
  - dsa-keys: cat id_dsa.pub >> authorized_keys

- take care of proper file-permissions
  - chmod -R og-rwx ~/.ssh

- authorize remote machines / distribute "authorized_keys"
  - scp authorized_keys <username>@<remote_machine>:~/.ssh/
    this is dangerous!!! it will overwrite the "authorized_keys" file
    on the remote machine completely

- test login to remote machine
  - ssh <remote_machine>

2. remote machine (e.g.: a backup server) (want to log in to this one)

which machine is what?
  <worker>  the machine you are working on
  <remote>  the machine you want to log in to

which account is what?
  <service>      is the account on <worker> (this one might execute some cronjobs)
  <joko_backup>  is the account on <remote>

[key generation] one-time preparations needed for <worker>:
  x useradd service
  x su service
  x ssh-keygen -d

[key distribution] to be executed on <remote>:
  x useradd joko_backup
  x su joko_backup
  x ssh service@<worker> "cat ~/.ssh/id_dsa.pub" >> ~/.ssh/authorized_keys
    the quotes (") around the first (remote) command are important!
    otherwise your *local* shell would expand the tilde (~)

[key distribution] to be executed on <worker>:
  This is an alternative to the above if the account on <remote> already exists
  and commands must not be executed actively/manually on the <remote> side.
  Picture this: "the worker works".
  #> cat ~/.ssh/id_dsa.pub | ssh joko@netfrag.org "cat - >> ~/.ssh/authorized_keys"

  If the account on the remote side doesn't exist,
  this shortcut might create it from the <worker> side as well:
  x ssh root@<remote> "useradd joko_backup"

[login] test it on <worker>:
  x su service
  x ssh joko_backup@<remote-machine>
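
Added example (not part of the original howto): a shell function for the
<remote> side that appends a public key to authorized_keys instead of
overwriting it, skips keys that are already present, and sets owner-only
permissions. The function name add_authorized_key and its arguments are
assumptions made for this example.

```sh
#!/bin/sh
# Added example, not from the original howto. add_authorized_key and its
# arguments are hypothetical names chosen for this example.
#
# usage: add_authorized_key <pubkey-file> [ssh-dir]   (ssh-dir defaults to ~/.ssh)
add_authorized_key() {
    pubfile=$1
    sshdir=${2:-$HOME/.ssh}
    authfile=$sshdir/authorized_keys

    # A public key is exactly one line; take the first non-empty one.
    key=$(grep -v '^[[:space:]]*$' "$pubfile" 2>/dev/null | head -n 1)
    [ -n "$key" ] || { echo "no key found in $pubfile" >&2; return 1; }

    # Refuse a private key (e.g. id_dsa passed instead of id_dsa.pub).
    case $key in
        *"PRIVATE KEY"*) echo "refusing private key: $pubfile" >&2; return 1 ;;
    esac

    # Same intent as "chmod -R og-rwx ~/.ssh": owner-only directory and file.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$authfile" && chmod 600 "$authfile" || return 1

    # If the existing file lacks a final newline, add one so keys do not merge.
    [ -z "$(tail -c 1 "$authfile")" ] || printf '\n' >> "$authfile"

    # Append (never overwrite), and only if this exact line is not present yet.
    if ! grep -qxF -- "$key" "$authfile"; then
        printf '%s\n' "$key" >> "$authfile"
    fi
}
```

Running it twice with the same key file leaves a single entry, and entries
that were already in authorized_keys stay untouched.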

------------------------------------------------------------------------------


------------------------------------------
annotations
------------------------------------------
- transfer files via ZMODEM-protocol and TeraTerm
  - on remote machine
    - sz <file1> <file2> <fileX>
  - in TeraTerm, do
    - File/Change Directory ...
    - File/Transfer/ZMODEM/Receive
