Tille - I can see you, read those man pages!   Tille's Site

Note

If you have the latest version of Solaris, or if you have applied all recommended patches, the little bug described below should be fixed, and you can follow the procedure as described in the man pages, i.e. use the file authorized_keys instead of the authorized_keys2 used in this text.

Setting up SSH keys

This setup allows you to log in to another account without having to provide the password. This document is mainly helpful on Solaris, where a newer SSH version has been shipped with the old naming conventions. On Linux it is less confusing and you can simply follow the man pages.

I would normally object to using ssh keys, but sometimes there really isn't much choice if you want remote execution of your programs to be safe. man ssh-keygen is a start, but this document may clarify some things for beginners.

Step by step guide for setting up ssh keys

This document concentrates on SSH protocol version 2. Don't use protocol version 1 any longer: it has known security weaknesses. Older releases of the version 2 implementations may also contain security bugs, so check with ssh -V that your version matches the latest available from OpenSSH. On Solaris the output says something about SunSSH version x.y, but at the end of the line you will see which SSH versions it actually supports.

  1. If you can't find any of the SSH commands (ssh and scp for instance) on your system, get the SSH package first and install it. This suite should also install the ssh-keygen command on your machine. Make sure that SSH is installed on every system that you want to access. Starting from Solaris 9, SSH is included in the distribution.

    If you can't find a package suitable for your Unix/Linux version, refer to http://www.openssh.org for the source, download, unpack, read the README, compile and install. Systems missing OpenSSL have to add that package as well, for SSH to work. Test, e.g. ssh localhost; this will create a .ssh subdirectory in your home directory.

  2. Read man ssh-keygen.

  3. In your ~/.ssh directory, create your personal SSH key:

    user@host1:~/.ssh> ssh-keygen -t dsa
    
    

    This creates id_dsa and id_dsa.pub in ~/.ssh. DSA was the usual choice when this was written; OpenSSH has refused ssh-dss keys by default since release 7.0 and has since removed DSA support altogether, so on a current system use ssh-keygen -t ed25519 or -t rsa and read id_ed25519 or id_rsa wherever id_dsa appears below.

    If you want to enable remote connections that don't require a password, DO NOT enter a passphrase! If you do enter a non-empty passphrase, when connecting to the remote host you will be asked for the passphrase instead of the password. Be aware of what an unencrypted private key means: whoever can read the file can log in as you on every host that lists it, so protect it as you would a password. For interactive use, a passphrase plus ssh-agent gives the same convenience without storing the key in the clear; for an unattended job, at least limit what the key may do on the receiving side with the from= and command= options placed in front of it in authorized_keys.

  4. Append the public key to the file authorized_keys2:

    user@host1:~/.ssh> cat id_dsa.pub >> authorized_keys2
    

    Don't worry if authorized_keys2 does not yet exist before executing this command.

    Sun provides SSH in Solaris starting from release 9, but uses the SSH version 1 file name, authorized_keys, for version 2 keys as well. On a Solaris 9 system, use the authorized_keys file instead of authorized_keys2. Current OpenSSH reads both files by default (AuthorizedKeysFile defaults to .ssh/authorized_keys .ssh/authorized_keys2), and authorized_keys is the documented name.

    Now, you should already be able to make a secure connection to your own machine, using this account, without having to provide a password.

  5. Check the permissions on your keys (refer to the man page). The private key id_dsa must be readable by you only (mode 0600); the public keys may be world readable. sshd also refuses to use your keys when ~/.ssh, the authorized_keys file or your home directory is group- or world-writable (the StrictModes setting, which is on by default), so keep ~/.ssh at 0700 and authorized_keys at 0600.

  6. On the remote host, generate keys in the same way for your account on that host.

  7. Copy your public key into ~/.ssh/ on the remote host. A remote path without a leading slash is relative to your home directory on host2, so host2:.ssh/host1.key.pub works as well as the full path shown here.

    user@host1:~/.ssh> scp id_dsa.pub host2:/your/remote/home/.ssh/host1.key.pub
    user@host2's password:
    id_dsa.pub            100% |*****************************|   236       00:00
    
  8. Do the same thing for the remote key, copy it into your local ~/.ssh directory:

    user@host1:~/.ssh> scp host2:/your/remote/home/.ssh/id_dsa.pub ./host2.key.pub
    user@host2's password:
    id_dsa.pub            100% |*****************************|   236       00:00
    
  9. On both hosts, append the key from the other host to the file authorized_keys2:

    user@host1:~/.ssh> cat host2.key.pub >> authorized_keys2
    

    And also

    user@host2:~/.ssh> cat host1.key.pub >> authorized_keys2
    
  10. That's it, try to connect to the remote host now, it should do something similar to this:

    user@host1:~/.ssh> ssh host2
    Last login: Fri Sep 20 08:43:20 2002 from :0
    user@host2>
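
The procedure in steps 3 to 10, and the key restriction mentioned under step 3, as one script. This is an added example and not code from the original page. It assumes OpenSSH-style ssh, scp and ssh-keygen on both sides, a remote shell that resolves .ssh/... relative to the remote home directory (so no remote home path is hard-coded), and a key type that defaults to ed25519 because current OpenSSH refuses ssh-dss keys (pass dsa or rsa for the SunSSH releases the text describes). The host names and the from=/command= values are placeholders.

```shell
#!/bin/sh
# Added example, not from the original page: steps 3 to 10 as one script.
# Assumptions: OpenSSH-style ssh, scp and ssh-keygen on both sides; the remote
# shell resolves ".ssh/..." relative to the remote home directory; the remote
# host and key type are parameters (host names here are placeholders).

# Append every key line in PUBFILE to AUTHFILE, creating ~/.ssh (0700) and the
# file (0600) if needed. A line that is already present is skipped, which a
# plain "cat >> authorized_keys" does not do, so rerunning the setup is safe.
# An optional third argument is an authorized_keys options prefix such as
# from="host1",command="/usr/local/bin/backup" that limits what the key may do.
# Prints the number of lines added.
append_pubkey() {
    pubfile=$1
    authfile=$2
    options=${3:-}
    authdir=$(dirname "$authfile")
    [ -d "$authdir" ] || { mkdir -p "$authdir" && chmod 700 "$authdir"; } || return 1
    [ -f "$authfile" ] || { : > "$authfile" && chmod 600 "$authfile"; } || return 1
    added=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in ''|'#'*) continue ;; esac
        [ -z "$options" ] || line="$options $line"
        if ! grep -qxF -e "$line" "$authfile"; then
            printf '%s\n' "$line" >> "$authfile"
            added=$((added + 1))
        fi
    done < "$pubfile"
    echo "$added"
}

# Number of keys (non-blank, non-comment lines) an authorized_keys file holds.
count_keys() {
    awk '!/^[[:space:]]*#/ && !/^[[:space:]]*$/ { n++ } END { print n + 0 }' "$1"
}

# Steps 3 to 10 against one remote host. Step 6 (the remote key pair) is done
# over ssh. Everything before the final test still prompts for the remote
# password; the last ssh must succeed without it.
setup_keys_with() {
    remote=$1
    keytype=${2:-ed25519}   # the text uses dsa; current OpenSSH refuses ssh-dss
    keyfile=$HOME/.ssh/id_$keytype
    me=$(uname -n)
    [ -d "$HOME/.ssh" ] || { mkdir -p "$HOME/.ssh" && chmod 700 "$HOME/.ssh"; } || return 1
    # step 3: -N '' gives the empty passphrase the text asks for
    [ -f "$keyfile" ] || ssh-keygen -t "$keytype" -N '' -f "$keyfile" || return 1
    # step 4: authorize the key for this account on this host
    append_pubkey "$keyfile.pub" "$HOME/.ssh/authorized_keys" >/dev/null || return 1
    # step 6: same key pair for the remote account, if it has none yet
    ssh "$remote" "umask 077; mkdir -p .ssh; [ -f .ssh/id_$keytype ] || ssh-keygen -t $keytype -N '' -f .ssh/id_$keytype" || return 1
    # steps 7 and 9 (remote side): copy our public key over and authorize it there
    scp "$keyfile.pub" "$remote:.ssh/$me.key.pub" || return 1
    ssh "$remote" "umask 077; cat .ssh/$me.key.pub >> .ssh/authorized_keys" || return 1
    # steps 8 and 9 (local side): fetch the remote public key and authorize it here
    scp "$remote:.ssh/id_$keytype.pub" "$HOME/.ssh/$remote.key.pub" || return 1
    append_pubkey "$HOME/.ssh/$remote.key.pub" "$HOME/.ssh/authorized_keys" >/dev/null || return 1
    # step 10: BatchMode=yes makes ssh fail instead of falling back to a password prompt
    ssh -o BatchMode=yes "$remote" true
}

# Usage: sh setup-keys.sh host2 [keytype]
[ $# -eq 0 ] || setup_keys_with "$@"
```

The remote side still uses a plain cat >> authorized_keys, as the text does, so running the script twice against the same host leaves a duplicate line there (harmless, but untidy); the local side goes through append_pubkey and stays clean. To restrict a key, call append_pubkey with the options argument instead of letting setup_keys_with do step 9 for you.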
    

Troubleshooting

If things don't work, check the server's log. On Linux that is typically /var/log/secure (Red Hat style) or /var/log/auth.log (Debian style); on Solaris sshd logs through the syslog auth facility, so look in /etc/syslog.conf for where that is sent. The log contains useful information, such as:

Feb 13 17:54:46 octarine sshd[26446]: Authentication refused: bad ownership or modes for file /home/tille/.ssh/authorized_keys

This message means sshd's StrictModes check rejected the file: most likely the file, the ~/.ssh directory or your home directory is group- or world-writable, or is owned by someone else. Use chmod 700 ~/.ssh and chmod 600 ~/.ssh/authorized_keys, and make sure the home directory itself is not writable by others.
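A pre-flight check for the "bad ownership or modes" case above, to run as the failing account before digging through the server log. This is an added example and not code from the original page. It assumes the rule sshd's StrictModes applies: the home directory, ~/.ssh and the authorized_keys file must belong to the user or root and must not be writable by group or others; it also checks that private keys are unreadable by anyone else, which otherwise makes ssh ignore them. Paths and the user name are parameters.

```shell
#!/bin/sh
# Added example, not from the original page: apply the StrictModes rule that
# produces "Authentication refused: bad ownership or modes" to one account.
# Assumption: home, ~/.ssh and authorized_keys must be owned by the user or
# root and must not be group- or world-writable; private keys must be 0600.

# Permission string ("drwx------") and owner name, from the POSIX ls -l columns.
mode_of()  { ls -ld "$1" | cut -c1-10; }
owner_of() { ls -ld "$1" | awk '{ print $3 }'; }

# Return 1 with a reason if PATH is missing, foreign-owned or group/world-writable.
check_path() {
    path=$1; owner=$2; what=$3
    if [ ! -e "$path" ]; then
        echo "$what: $path does not exist"; return 1
    fi
    o=$(owner_of "$path")
    if [ "$o" != "$owner" ] && [ "$o" != root ]; then
        echo "$what: $path is owned by $o, not $owner"; return 1
    fi
    m=$(mode_of "$path")
    case $m in
        ?????w????|????????w?)     # group write is column 6, other write column 9
            echo "$what: $path is group- or world-writable ($m)"; return 1 ;;
    esac
    return 0
}

# Return 1 if a private key is accessible to anyone but its owner.
check_private_key() {
    m=$(mode_of "$1")
    case $m in
        ????------) return 0 ;;
        *) echo "private key $1 is accessible to group or others ($m); chmod 600 it"; return 1 ;;
    esac
}

# Check one account's home directory; print every problem found, return 1 if any.
check_account() {
    home=$1; owner=${2:-$(id -un)}; rc=0
    check_path "$home" "$owner" "home directory" || rc=1
    check_path "$home/.ssh" "$owner" "key directory" || rc=1
    found=0
    for f in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        if [ -e "$f" ]; then
            found=1
            check_path "$f" "$owner" "key file" || rc=1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "no authorized_keys or authorized_keys2 in $home/.ssh"; rc=1
    fi
    for k in "$home"/.ssh/id_*; do
        case $k in *.pub) continue ;; esac
        [ -f "$k" ] || continue        # the glob matched nothing
        check_private_key "$k" || rc=1
    done
    return "$rc"
}

# Usage: sh check-ssh-perms.sh [home-directory [user]]
[ $# -eq 0 ] || check_account "$@"
```

Run it as the account that cannot log in, on the host being logged in to; a clean run prints nothing and exits 0. sshd checks the receiving account, so fixing modes on the client side does not help with this message.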

On Solaris, ssh as root is not allowed by default (PermitRootLogin no in /etc/ssh/sshd_config). Leave it that way if you can and log in as an ordinary user, then su or sudo. If you really need root over ssh, set PermitRootLogin to without-password (called prohibit-password in current OpenSSH), so that only key authentication is accepted for root and never a password. Restart sshd for the change to take effect (on Solaris 10 and later: svcadm restart ssh).

Also on Solaris, make sure that you use the file ~/.ssh/authorized_keys, without the 2 suffix. Solaris uses version 2 of ssh but without the version 2 naming convention!

A typical entry in ~/.ssh/authorized_keys(2) looks like this (key data abbreviated):

ssh-dss <base64 key data> tille@ridcully.soti.org

The three fields are the key type, the base64-encoded public key on one line, and a free-form comment (ssh-keygen puts user@host there). Options such as from="host1",command="/usr/local/bin/backup" go in front of the key type, separated from it by a space.

If you can't connect to a remote host using a particular username on that host, check that your public key is in the authorized_keys(2) file of that account on the remote host (not in your own), that the account exists and has a valid shell, and that the server accepts the key type: current OpenSSH rejects ssh-dss keys unless PubkeyAcceptedAlgorithms is extended to include them.

Use ssh -v (or -vv and -vvv for more detail), scp -v or sftp -v to display verbose output and analyze any other problems that you might come across. On the server, running a second sshd in debug mode on a spare port (sshd -d -p 2222) shows which key was offered and why it was refused.

© 1995-2010 Machtelt Garrels - tille - Powered by vIm - Best viewed with your eyes - Validated by W3C - Last update 20100511