RE: [opensuse] rsync - keys - no-password question
-----Original Message-----
From: Carl Hartung [mailto:suselinux@cehartung.com]
Sent: Thursday, December 13, 2007 6:38 PM
To: opensuse@opensuse.org
Subject: Re: [opensuse] rsync - keys - no-password question

On Thu December 13 2007 08:24:19 pm James D. Parra wrote:
how do you accomplish having the ssh keys set properly on the target machine from two different source machines?
This may only get you part of the way but here goes:

Combine the series of source-side public keys into a single 'authorized_keys' file that 'lives' on the target machine. Something like 'cat client1_key.pub client2_key.pub client3_key.pub >authorized_keys' should do it. As far as placement on the target system, in my case... I log into the same server from different desktops... the file lives in ~/.ssh, i.e.

~~~~~~~~~~~~~~~~~~~~~~~~

Thank you. I received the following byte error, but documentation shows that this is possible;

# ssh-keygen -t dsa -b 2048 -f /root/rsync/mirror-rsync-key
DSA keys must be 1024 bits
<snip>

How can I make this 2048?

Thank you,

~James

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse+help@opensuse.org
On Fri December 14 2007 02:40:25 pm James D. Parra wrote:
# ssh-keygen -t dsa -b 2048
What happens if you reduce 2048 to 1024, above?

Carl
On Fri December 14 2007 02:40:25 pm James D. Parra wrote:
How can I make this 2048?
Addendum: I misread your last question, above, so please disregard my last reply.

At this point, I'd probably just do a Google search using well thought out phrases until a good article popped up. ;-) We've established that it /can/ be done. All that's lacking are the finer details.

Please post the solution when you find it, okay? I'll add it to my library and I suspect some others will, as well.

TIA, good luck & regards,

Carl
James D. Parra wrote:
-----Original Message-----
From: Carl Hartung [mailto:suselinux@cehartung.com]
Sent: Thursday, December 13, 2007 6:38 PM
To: opensuse@opensuse.org
Subject: Re: [opensuse] rsync - keys - no-password question
On Thu December 13 2007 08:24:19 pm James D. Parra wrote:
how do you accomplish having the ssh keys set properly on the target machine from two different source machines?
This may only get you part of the way but here goes:
Combine the series of source-side public keys into a single 'authorized_keys' file that 'lives' on the target machine. Something like
'cat client1_key.pub client2_key.pub client3_key.pub >authorized_keys' should do it. As far as placement on the target system, in my case... I log into the same server from different desktops... the file lives in ~/.ssh, i.e.
~~~~~~~~~~~~~~~~~~~~~~~~
Thank you. I received the following byte error, but documentation shows that this is possible;
# ssh-keygen -t dsa -b 2048 -f /root/rsync/mirror-rsync-key
DSA keys must be 1024 bits
<snip>
How can I make this 2048?
1024 is more than sufficient. Just use ssh-keygen -t dsa.

James, the simple way to do this is to just generate a public key on each machine in the .ssh dir. You can do this totally by ssh. Then for each machine,

(1) make a copy of the id_dsa.pub file and call it id_dsa.pub.<hostname>. Just make the copy in the .ssh directory. Appending the hostname allows you to copy the keys directly to the target machine .ssh dir without overwriting the existing public key on the target machine.

(2) scp the id_dsa.pub.<hostname> to the target machine .ssh directory

(3) ssh to the target machine and change to the .ssh directory and then use cat to append the new key to the authorized_keys file. "cat id_dsa.pub.<hostname> >> authorized_keys". You can add more keys later in the exact same manner.

When you have done this for each local or remote machine your .ssh dir will look something like this:

-rw-r--r-- 1 david users 5450 2007-11-09 15:21 authorized_keys
-rw------- 1 david users 668 2005-12-07 22:41 id_dsa
-rw-r--r-- 1 david users 603 2005-12-07 22:41 id_dsa.pub
-rw-r--r-- 1 david users 612 2006-05-09 22:36 id_dsa.pub.bonza
-rw-r--r-- 1 david users 604 2007-06-17 20:30 id_dsa.pub.kidsdell
-rw-r--r-- 1 david users 605 2007-03-14 00:32 id_dsa.pub.lakehouse
-rw-r--r-- 1 david users 603 2006-05-02 18:32 id_dsa.pub.nemesis
-rw-r--r-- 1 david users 607 2007-10-20 00:06 id_dsa.pub.p35a
-rw-r--r-- 1 david users 606 2006-08-13 12:19 id_dsa.pub.providence
-rw-r--r-- 1 david users 607 2007-10-12 23:05 id_dsa.pub.rankin-p35
-rw-r--r-- 1 david users 605 2006-05-09 22:43 id_dsa.pub.rankin-xp
-rw------- 1 david users 602 2007-11-09 15:20 id_dsa.pub.ripper
-rw-r--r-- 1 david users 603 2006-01-27 09:35 id_dsa.pub.skyline
-rw------- 1 david users 668 2007-05-17 20:29 id_dsa_putty
-rw-r--r-- 1 david users 603 2007-05-17 20:29 id_dsa_putty.pub
-rw-r--r-- 1 david users 602 2007-05-23 18:28 id_dsa_ripper.pub
-rwx------ 1 david users 2260 2007-12-01 10:37 known_hosts*

Note, you can also create keys for putty that will allow passwordless ssh access from windows via putty as well.

You can always delete all the .hostname keys when you are done, but I keep them around so that if I add a new machine to the network, I can completely set up keyless access to the new machine from a single box. It also provides a backup of all machines' keys as well.

Just remember if you have scripts or cron jobs that need to run with root privileges, make sure you run the job as the user that has public key access between machines.

--
David C. Rankin, J.D., P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com
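Steps (1)-(3) from the message above, as one script run on the target machine and written so it can be re-run without duplicating keys. This is an added example, not part of the original thread; `merge_pubkeys`, the file names and the sample keys are assumptions made for illustration, and the function accepts any OpenSSH public key type.

```shell
#!/bin/sh
# Added example: idempotent version of steps (1)-(3) on the target machine.
# merge_pubkeys is a hypothetical helper; the keys below are constructed.

# merge_pubkeys SSH_DIR PUBKEY_FILE...  -> prints how many keys were appended
merge_pubkeys() {
    dir=$1; shift
    auth="$dir/authorized_keys"
    added=0
    # sshd (StrictModes) ignores keys in a group/world-writable location.
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    touch "$auth" && chmod 600 "$auth" || return 1
    for f in "$@"; do
        # Never let private key material end up in authorized_keys.
        if grep -q 'PRIVATE KEY' "$f"; then
            echo "skip $f: looks like a private key" >&2
            continue
        fi
        # '|| [ -n "$type" ]' keeps a last line that lacks a newline.
        while read -r type blob comment || [ -n "$type" ]; do
            case $type in
                ssh-dss|ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
                *) continue ;;          # blank, comment, or not a key line
            esac
            [ -n "$blob" ] || continue
            # Match on the base64 blob as a whole field, so a key that is
            # already present (even with options or another comment) is kept once.
            if ! awk -v b="$blob" '{ for (i = 1; i <= NF; i++) if ($i == b) f = 1 }
                                   END { exit !f }' "$auth"; then
                printf '%s %s%s\n' "$type" "$blob" "${comment:+ $comment}" >> "$auth"
                added=$((added + 1))
            fi
        done < "$f"
    done
    echo "$added"
}

# Demo in a scratch directory with constructed (fake) public keys.
demo=$(mktemp -d)
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructed1 james@client1' > "$demo/id_ed25519.pub.client1"
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5constructed2 james@client2' > "$demo/id_ed25519.pub.client2"
merge_pubkeys "$demo/.ssh" "$demo"/id_ed25519.pub.*   # prints 2
merge_pubkeys "$demo/.ssh" "$demo"/id_ed25519.pub.*   # prints 0 (no duplicates)
rm -rf "$demo"
```

Unlike a plain `cat ... >> authorized_keys`, a second run appends nothing, and a private key passed by mistake is skipped rather than written into the file.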
On Sat December 15 2007 11:14:19 am David C. Rankin wrote:
James D. Parra wrote:
how do you accomplish having the ssh keys set properly on the target machine from two different source machines?

<snip>

James, the simple way to do this is to just generate a public key on each machine in the .ssh dir. You can do this totally by ssh. Then for each machine,
Thanks for a great 'how to', David! It definitely covers gaps in my personal notes. In fact, I've just added to my collection... with attributions, of course, so you get credit when/if they reappear here. ;-)

Is it still possible, though, that the 10.0 target and 9.3 source systems are cooperating in some way that the 10.2 source system cannot? Are you aware of any possible configuration or version conflicts that might be causing the symptoms that James has described?

TIA & regards,

Carl
Carl Hartung wrote:
Is it still possible, though, that the 10.0 target and 9.3 source systems are cooperating in some way that the 10.2 source system cannot? Are you aware of any possible configuration or version conflicts that might be causing the symptoms that James has described?
Carl,

I have used the same process since 9.0 and haven't run into any problems yet. This included 9.0 boxes talking to 10.0 and 10.3 boxes using the same setup without any complaint.

The only thing I can think of is that one or more settings in /etc/ssh/sshd_config may be the culprit. I am by no means an expert on all of the settings, but usually just make sure to set "PermitRootLogin no" for security reasons. Other than that, I just use the defaults. My only guess is that there could be a PAM/ldap conflict if you are using ldap for managing user accounts and have "UsePAM yes" in the sshd_config.

It has always just worked -- every time for me. I have a number of local and remote rsync scripts run by cron at 4:00 am each day for backup purposes and you can't ask for a better or simpler backup scheme than using passwordless ssh logins.

--
David C. Rankin, J.D., P.E.
On Sat December 15 2007 02:51:02 pm David C. Rankin wrote:
I have used the same process since 9.0 and haven't run into any problems yet. This included 9.0 boxes talking to 10.0 and 10.3 boxes using the same setup without any complaint.
Hi David,

This is what I would have expected. I'm sure your explanation is going to help James sort it out. Thanks again for the 'how to'! ;-)

regards,

Carl
participants (3)
- Carl Hartung
- David C. Rankin
- James D. Parra