
Annotation of /nfo/doc/computing/sysadmin/linux/howto-ssh-with-rsa-keys-(passwordless-login).txt



Revision 1.3
Fri Apr 4 21:04:01 2003 UTC (21 years, 4 months ago) by joko
Branch: MAIN
CVS Tags: HEAD
Changes since 1.2: +5 -1 lines
File MIME type: text/plain
a safer way to do this....

1 joko 1.3 $Id: howto-ssh-with-rsa-keys-(passwordless-login).txt,v 1.2 2003/03/20 05:57:31 joko Exp $
2 cvsjoko 1.1
3 joko 1.2 $Log: howto-ssh-with-rsa-keys-(passwordless-login).txt,v $
4 joko 1.3 Revision 1.2 2003/03/20 05:57:31 joko
5     updated
6    
7 joko 1.2 Revision 1.1.1.1 2002/02/11 01:22:17 cvsjoko
8     first checkin'
9 cvsjoko 1.1
10    
11 joko 1.2
12     ------------------------------------------------------------------------------
13     1. local machine (e.g.: your laptop) (want to login to remote one)
14    
15     THIS METHOD IS a) CLUMSY AND b) DANGEROUS!!!
16     PLEASE USE METHOD 2. TO DO THIS!
17    
18     - check if you can login to the remote machine
19     via "normal" password authentication:
20     - ssh <username>@<remote_machine>
21    
22     - create keys:
23     - rsa-keys: ssh-keygen
24     - dsa-keys: ssh-keygen -d
25    
26     - create authorized_keys:
27     - cd ~/.ssh/
28     - rsa-keys: cat identity.pub >> authorized_keys
29     - dsa-keys: cat id_dsa.pub >> authorized_keys
30    
31     - take care of proper file-permissions
32     - chmod -R og-rwx ~/.ssh
33    
34 cvsjoko 1.1 - authorize remote machines / distribute "authorized_keys"
35     - scp authorized_keys <username>@<remote_machine>:~/.ssh/
36 joko 1.2 this is dangerous!!! it will overwrite the "authorized_keys" file completely
37    
38 cvsjoko 1.1 - test login to remote machine
39     - ssh <remote_machine>
40 joko 1.2
41     2. remote machine (e.g.: a backup server) (want to login to this one)
42    
43     which machine is what?
44     <worker> the machine you are working on
45     <remote> the machine you want to log in to
46    
47     which account is what?
48     <service> is the account on <worker> (this one might execute some cronjobs)
49     <joko_backup> is the account on <remote>
50    
51     [key generation] one-time preparations needed for <worker>:
52     x useradd service
53     x su service
54     x ssh-keygen -d
55    
56     [key distribution] to be executed on <remote>:
57     x useradd joko_backup
58     x su joko_backup
59     x ssh service@<worker> "cat ~/.ssh/id_dsa.pub" >> ~/.ssh/authorized_keys
60     the (") with the first (remote) command are important!
61     otherwise your *local* shell would expand the tilde (~)
62    
63     [key distribution] to be executed on <worker>:
64     This is an alternative to above if the account on <remote> already exists,
65     and it is somehow required not to execute commands
66     actively/manually at the <remote> side. Picture this: "the worker works".
67     #> cat ~/.ssh/id_dsa.pub | ssh joko@netfrag.org "cat - >> ~/.ssh/authorized_keys"
68 joko 1.3 #> cat ~/.ssh/id_dsa.pub | ssh joko@gharb.tune.sytes.net "cat - >> ~/.ssh/authorized_keys"
69 joko 1.2
70     If the account at remote side doesn't exist,
71     this shortcut might create it from the <worker> side as well:
72     x ssh root@<remote> "useradd joko_backup"
73    
74     [login] test it on <worker>:
75     x su service
76     x ssh joko_backup@<remote-machine>
77    
78     ------------------------------------------------------------------------------
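
The append-instead-of-overwrite step of method 2, written as a reusable shell function. This is an added example, not part of the original howto: add_authorized_key is a hypothetical helper name, and the sample key line is constructed (ed25519 type, since current OpenSSH releases no longer accept DSA keys by default). It appends one public key without touching existing entries, skips a key that is already present, and sets the permissions the howto asks for.

```shell
#!/bin/sh
# Added example, not from the howto. add_authorized_key is a hypothetical name.
# Usage: add_authorized_key <pubkey-file> [<ssh-dir>]   (default dir: ~/.ssh)
# The body runs in a subshell "( )" so umask and exit stay local to the call.
add_authorized_key() (
    pub=$1
    dir=${2:-$HOME/.ssh}
    auth=$dir/authorized_keys

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; exit 1; }
    # A public key file holds one key line; take the first non-blank line.
    key=$(sed -n '/[^[:space:]]/{p;q;}' "$pub")
    [ -n "$key" ] || { echo "no key found in $pub" >&2; exit 1; }
    # Never install (and thereby leak) a private key by mistake.
    case $key in
        *"PRIVATE KEY"*) echo "$pub is a private key" >&2; exit 1 ;;
    esac

    # Same intent as the howto's "chmod -R og-rwx ~/.ssh".
    umask 077
    mkdir -p "$dir" || exit 1
    chmod 700 "$dir" || exit 1
    [ -e "$auth" ] || : > "$auth"
    chmod 600 "$auth" || exit 1

    # Idempotent: an identical line is not added twice.
    if grep -qxF -e "$key" "$auth"; then
        exit 0
    fi
    # If the file lacks a final newline, add one so two keys never share a line.
    if [ -s "$auth" ] && [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    # Append only; existing entries are left untouched.
    printf '%s\n' "$key" >> "$auth"
)

# Demo on constructed data in a scratch directory (no real account is touched).
demo_dir=$(mktemp -d)
printf 'ssh-ed25519 AAAAC3CONSTRUCTEDKEY service@worker\n' > "$demo_dir/id.pub"
add_authorized_key "$demo_dir/id.pub" "$demo_dir/ssh"
add_authorized_key "$demo_dir/id.pub" "$demo_dir/ssh"   # second call is a no-op
cat "$demo_dir/ssh/authorized_keys"
rm -rf "$demo_dir"
```

On <remote>, save the output of the howto's `ssh service@<worker> "cat ~/.ssh/id_dsa.pub"` to a temporary file and pass that file to the function instead of redirecting with `>>`.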
79 cvsjoko 1.1
80    
81     ------------------------------------------
82     annotations
83     ------------------------------------------
84     - transfer files via ZMODEM-protocol and TeraTerm
85     - on remote machine
86     - sz <file1> <file2> <fileX>
87     - in TeraTerm, do
88     - File/Change Directory ...
89     - File/Transfer/ZMODEM/Receive
90    
91    
