SSH & Public Keys
Hi everyone,

I was wondering if anyone could advise me on how to accomplish the following, which I know is possible, but haven't had success in doing.

I use ssh and scp a lot, so I would like to avoid typing in my password every time I want to copy a file, or type a command on my remote server. I know that I should copy my identity.pub, and put it in ~/.ssh over on the remote server, but what else do I need to do? It seems that isn't enough, as I still have to type my password to login.

Thanks,
Tim

--
Timothy R. Butler
Universal Networks
tbutler@uninetsolutions.com
ICQ #12495932
AIM: Uninettm
Free/Open Source Web Tools: http://www.uninetsolutions.com
Christian Portal and Search Tool: http://www.faithtree.com
"Christian Web Services Since 1996"
on the client, do this

    ssh-keygen

and enter no passphrase. this generates an identity and an identity.pub in /home/username/.ssh/

now copy the identity.pub to the remote machine and put it in /home/username/.ssh/ but rename it to authorized_keys

now try to login via ssh and it should just go without a password prompt

On Tue, 28 Aug 2001, Timothy R.Butler wrote:

> Hi everyone, I was wondering if anyone could advise me on how to accomplish the following, which I know is possible, but haven't had success in doing.
>
> I use ssh and scp a lot, so I would like to avoid typing in my password every time I want to copy a file, or type a command on my remote server. I know that I should copy my identity.pub, and put it in ~/.ssh over on the remote server, but what else do I need to do? It seems that isn't enough, as I still have to type my password to login.
>
> Thanks, Tim

Chad Whitten Network/Systems Administrator Nexband Communications chadwick@nexband.com
Hello,

Thanks for the suggestion, unfortunately it doesn't seem to want to work. Do I need to create any other files? Perhaps a "known_hosts" file or something?

Thanks,
Tim

On Tuesday 28 August 2001 12:47 pm, dog@intop.net wrote:

> on the client, do this
>
>     ssh-keygen
>
> and enter no passphrase. this generates an identity and an identity.pub in /home/username/.ssh/
>
> now copy the identity.pub to the remote machine and put it in /home/username/.ssh/ but rename it to authorized_keys
>
> now try to login via ssh and it should just go without a password prompt
>
> On Tue, 28 Aug 2001, Timothy R.Butler wrote:
>
> > Hi everyone, I was wondering if anyone could advise me on how to accomplish the following, which I know is possible, but haven't had success in doing.
> >
> > I use ssh and scp a lot, so I would like to avoid typing in my password every time I want to copy a file, or type a command on my remote server. I know that I should copy my identity.pub, and put it in ~/.ssh over on the remote server, but what else do I need to do? It seems that isn't enough, as I still have to type my password to login.
> >
> > Thanks, Tim

On 28 Aug 2001 13:47:14 -0400, dog@intop.net wrote:

> on the client, do this
>
>     ssh-keygen
>
> and enter no passphrase. this generates an identity and an identity.pub in /home/username/.ssh/
>
> now copy the identity.pub to the remote machine and put it in /home/username/.ssh/ but rename it to authorized_keys
>
> now try to login via ssh and it should just go without a password prompt

This is a bad idea, IMHO. You should always use a passphrase with your SSH keys.

You should have some form of proof of identity if you want to use ssh -- preferably either a passphrase or an authorized key held by ssh-agent. Otherwise, if say, your account gets compromised and the cracker finds that your ssh key has no passphrase, he only needs to look at the authorized_keys file for a list of your accounts on other hosts he can try. Bad news.

Daniel

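The concern raised in the message above can be checked on a client before it becomes a problem. The following is an added example, not part of any message in the thread: it reports which private key files carry no passphrase by reading only their headers. It goes beyond the SSH1 `identity` file discussed here and covers the PEM, PKCS#8 and OpenSSH key formats; `key_protection` and `audit_keys` are names chosen for this example.

```shell
#!/bin/sh
# Added example: report which private key files have no passphrase.
# Only the file header is read; no key material is decoded or printed.

key_protection() {   # prints: encrypted | unencrypted | unknown
    first=$(head -n 1 "$1" 2>/dev/null | tr -d '\000\r')
    case $first in
    '-----BEGIN OPENSSH PRIVATE KEY-----')
        # The body is base64 of "openssh-key-v1\0" followed by the
        # length-prefixed cipher name; cipher "none" means no passphrase.
        case $(sed -n 2p "$1") in
        b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*) echo unencrypted ;;
        b3BlbnNzaC1rZXktdjEA*)            echo encrypted ;;
        *)                                echo unknown ;;
        esac ;;
    '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo encrypted ;;    # PKCS#8
    '-----BEGIN PRIVATE KEY-----')           echo unencrypted ;;  # PKCS#8
    '-----BEGIN '*' PRIVATE KEY-----')
        # Legacy PEM (RSA, DSA, EC) marks encryption in a header line.
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
            echo encrypted
        else
            echo unencrypted
        fi ;;
    *)  echo unknown ;;  # includes the binary SSH1 "identity" format
    esac
}

# List every recognised private key in a directory with its state.
# Returns 1 if at least one key has no passphrase, 0 otherwise.
audit_keys() {
    bad=0
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        state=$(key_protection "$f")
        if [ "$state" != unknown ]; then
            echo "$f: $state"
        fi
        if [ "$state" = unencrypted ]; then
            bad=1
        fi
    done
    return "$bad"
}

# Usage: audit_keys "$HOME/.ssh" || echo "add a passphrase: ssh-keygen -p -f <key>"
```
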
On Tuesday 28 August 2001 03:16 pm, Daniel Prosser wrote:

> On 28 Aug 2001 13:47:14 -0400, dog@intop.net wrote:
>
> > on the client, do this
> >
> >     ssh-keygen
> >
> > and enter no passphrase. this generates an identity and an identity.pub in /home/username/.ssh/
> >
> > now copy the identity.pub to the remote machine and put it in /home/username/.ssh/ but rename it to authorized_keys
> >
> > now try to login via ssh and it should just go without a password prompt
>
> This is a bad idea, IMHO. You should always use a passphrase with your SSH keys. You should have some form of proof of identity if you want to use ssh -- preferably either a passphrase or an authorized key held by ssh-agent. Otherwise, if say, your account gets compromised and the cracker finds that your ssh key has no passphrase, he only needs to look at the authorized_keys file for a list of your accounts on other hosts he can try. Bad news.
>
> Daniel

I agree with Daniel, wasn't this how sourceforge was cracked? IMHO, insecurity for the sake of convenience is always the worst policy.

-Steven

--
Steven Hatfield
http://www.knightswood.net
Registered Linux User #220336
ICQ: 7314105
Useless Machine Data: Running SuSE Linux 7.2 Professional and KDE2.2
3:23pm up 8 days, 18:27, 1 user, load average: 0.39, 0.27, 0.13
Random Quote: There is no substitute for good manners, except, perhaps, fast reflexes.

> I use ssh and scp a lot, so I would like to avoid typing in my password every time I want to copy a file, or type a command on my remote server. I know that I should copy my identity.pub, and put it in ~/.ssh over on the remote server, but what else do I need to do? It seems that isn't enough, as I still have to type my password to login.

There are a couple more steps you have to take. Put the contents of the identity.pub file into ~/.ssh/authorized_hosts on the machine you wish to log into.

If you have a pass-phrase on the private key, you will probably want to run ssh-agent during login. This way you will only have to type the passphrase once for your login session.

You may also want to consider moving to ssh2 rather than ssh1 due to some problems with the protocol. Use ssh-keygen -t to generate ssh2 keys. Then copy the contents of .ssh/id_dsa.pub or .ssh/id_rsa.pub to ~/.ssh/authorized_hosts2 on the remote machine.

Email me directly if you have any more questions

--
Brian Youngstrom
briany@altavista.net

On 28 Aug 2001 13:37:32 -0400, Timothy R.Butler wrote:

> I use ssh and scp a lot, so I would like to avoid typing in my password every time I want to copy a file, or type a command on my remote server. I know that I should copy my identity.pub, and put it in ~/.ssh over on the remote server, but what else do I need to do? It seems that isn't enough, as I still have to type my password to login.

You need to run ssh-agent on the local machine to make your private key available and ssh-add to add it to the agent. I have the following lines in my .bash_profile:

    eval `/usr/bin/ssh-agent`
    /usr/bin/ssh-add

This will add two variables to your environment:

    SSH_AGENT_PID=xxx
    SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXX/agent.xxx

If you're running Gnome, ssh-askpass will pop up a box for you to enter your passphrase when you login. (Not sure about KDE; I think it will automatically do this even without those lines, as long as it finds a private SSH key under your home directory.)

On the remote machine, make sure you copy your local identity.pub into ~/.ssh/authorized_keys, instead of ~/.ssh/identity.pub. I actually collect all of my public keys into one authorized_keys file and use scp to transfer it.

Daniel

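The key installation described across the replies above, as an added example that is not from any poster: it appends the public key to authorized_keys rather than renaming over it, so a collected file keeps its other keys, and it sets owner-only modes. `install_pubkey` and `loose_modes` are hypothetical helper names; the StrictModes behaviour noted in the comments is standard sshd behaviour, not something the thread states.

```shell
#!/bin/sh
# Added example: run on the remote host after copying the .pub file over.
# Function names are hypothetical, chosen for this example.

# Append one public key to <sshdir>/authorized_keys, keeping existing keys.
install_pubkey() {
    pubfile=$1
    sshdir=$2                      # normally "$HOME/.ssh"
    auth="$sshdir/authorized_keys"

    if [ ! -r "$pubfile" ] || grep -q 'PRIVATE KEY' "$pubfile"; then
        echo "refusing $pubfile: unreadable or a private key" >&2
        return 2
    fi
    # A public key file holds exactly one non-empty line.
    count=$(grep -c . "$pubfile" || true)
    if [ "$count" -ne 1 ]; then
        echo "refusing $pubfile: expected 1 key line, found $count" >&2
        return 2
    fi
    key=$(grep . "$pubfile")

    mkdir -p "$sshdir"
    touch "$auth"
    # Repair a missing final newline so the new key starts its own line.
    if [ -n "$(tail -c 1 "$auth")" ]; then
        echo >> "$auth"
    fi
    # -x whole line, -F fixed string: append only if this key is absent.
    if ! grep -qxF -e "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    chmod 700 "$sshdir"
    chmod 600 "$auth"
}

# Print each given path that is group- or world-writable. With StrictModes
# (the sshd default) such modes on the home directory, ~/.ssh or
# authorized_keys make sshd refuse the key, so the password prompt returns.
loose_modes() {
    for p in "$@"; do
        find "$p" -prune \( -perm -020 -o -perm -002 \) -print
    done
}

# Usage: install_pubkey identity.pub "$HOME/.ssh"
#        loose_modes "$HOME" "$HOME/.ssh" "$HOME/.ssh/authorized_keys"
```
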
On Tuesday 28 August 2001 20:24, Daniel Prosser wrote:

> You need to run ssh-agent on the local machine to make your private key available and ssh-add to add it to the agent. I have the following lines in my .bash_profile:
>
>     eval `/usr/bin/ssh-agent`
>     /usr/bin/ssh-add
>
> This will add two variables to your environment:
>
>     SSH_AGENT_PID=xxx
>     SSH_AUTH_SOCK=/tmp/ssh-XXXXXXXX/agent.xxx
>
> If you're running Gnome, ssh-askpass will pop up a box for you to enter your passphrase when you login. (Not sure about KDE; I think it will automatically do this even without those lines, as long as it finds a private SSH key under your home directory.)

For kde I created a "kde application/action" that executes ssh-add. This kde application can then be put in the .kde(2)/Autostart folder. During kde startup, a window will pop up asking you the passphrase.

What do you actually mean by:

> it will automatically do this even without those lines, as long as it finds a private SSH key under your home directory.)

What is a "private SSH key under your home directory", I thought that all the keys are being stored in ~/.ssh, with the directory only reachable for the user?

--
Richard Bos
For those who have no home the journey is endless

participants (6)

- Brian Youngstrom
- Daniel Prosser
- dog@intop.net
- Richard Bos
- Steven Hatfield
- Timothy R.Butler