| [ Team LiB ] |
|
Recipe 6.4 Authenticating by Public Key (OpenSSH)6.4.1 ProblemYou want to set up public-key authentication between an OpenSSH client and an OpenSSH server. 6.4.2 Solution
6.4.3 DiscussionPublic-key authentication lets you prove your identity to a remote host using a cryptographic key instead of a login password. SSH keys are more secure than passwords because keys are never transmitted over the network, whereas passwords are (albeit encrypted). Also, keys are stored encrypted, so if someone steals yours, it's useless without the passphrase for decrypting it. A stolen password, on the other hand, is immediately usable. An SSH "key" is actually a matched pair of keys stored in two files. The private or secret key remains on the client machine, encrypted with a passphrase. The public key is copied to the remote (server) machine. When establishing a connection, the SSH client and server perform a complex negotiation based on the private and public key, and if they match (in a cryptographic sense), your identity is proven and the connection succeeds. To set up public-key authentication, first create an OpenSSH key pair, if you don't already have one: $ ssh-keygen -t dsa Generating public/private dsa key pair. Enter file in which to save the key (/home/smith/.ssh/id_dsa): <RETURN> Enter passphrase (empty for no passphrase): ******* Enter same passphrase again: ******* Your identification has been saved in id_dsa Your public key has been saved in id_dsa.pub. The key fingerprint is: 76:00:b3:e8:99:1c:07:9b:84:af:67:69:b6:b4:12:17 smith@mymachine Copy the public key to the remote host using password authentication: $ scp ~/.ssh/id_dsa.pub remoteuser@remotehost: Password: ********* id_dsa.pub 100% |*****************************| 736 00:03 Log into the remote host using password authentication: $ ssh -l remoteuser remotehost Password: ******** If your local and remote usernames are the same, you can omit the -l remoteuser part and just type ssh remotehost. On the remote host, create the ~/.ssh directory if it doesn't already exist and set its mode appropriately: remotehost$ mkdir -p ~/.ssh remotehost$ chmod 700 ~/.ssh Then append the contents of id_dsa.pub to ~/.ssh/authorized_keys: remotehost$ cat id_dsa.pub >> ~/.ssh/authorized_keys (Appending) remotehost$ chmod 600 ~/.ssh/authorized_keys Log out of the remote host and log back in. This time you'll be prompted for your key passphrase instead of your password: $ ssh -l remoteuser remotehost Enter passphrase for key '/home/smith/.ssh/id_dsa': ******* and you're done! If things aren't working, rerun ssh with the -v option (verbose) to help diagnose the problem. The SSH server must be configured to permit public-key authentication, which is the default: /etc/ssh/sshd_config: PubkeyAuthentication yes If no, change it and restart sshd For more convenience, you can eliminate the passphrase prompt using ssh-agent [Recipe 6.9] and create host aliases in ~/.ssh/config. [Recipe 6.12] 6.4.4 See Alsossh(1), scp(1), ssh-keygen(1).  |
| [ Team LiB ] |
|
