Ssh Configure Public/Private Key Authentication: Difference between revisions
Revision as of 19:49, 5 April 2017
Internal
* ssh
Procedure
Create the OpenSSH Private/Public Key Pair
Run the following command on the machine you will be logging from and as the Unix user you will be using to connect:
<pre>
ssh-keygen -q -f ~/.ssh/id_rsa -t rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
</pre>
If you want password-less log in, use an empty string as passphrase.
Make sure ~/.ssh/id_rsa is -rw------- (mode 0600).
On all machines you will be logging in to, place the content of the previously generated id_rsa.pub into ~/.ssh/authorized_keys and make sure ~/.ssh/authorized_keys is -rw------- (mode 0600).
Alternative Using ssh-copy-id
See ssh-copy-id.
2. File Permission Concerns
Make sure ~/.ssh/id_rsa is -rw------- (mode 0600).
Make sure ~/.ssh/authorized_keys is -rw------- (mode 0600).
If the home directory in which .ssh resides is world writable, public/private key authentication does not work and ssh falls back to password authentication. This is sshd's StrictModes check: it refuses to use an authorized_keys file when the home directory, .ssh directory or the file itself is writable by group or others, and logs "Authentication refused: bad ownership or modes for directory ..." on the server side.
3. Configuring the Server to Allow Public Key Authentication
/etc/ssh/sshd_config must contain the following:
<pre>
...
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
...
</pre>
PubkeyAuthentication is the directive that matters. RSAAuthentication only applied to SSH protocol 1 and is a deprecated option in current OpenSSH releases, which warn about it and otherwise ignore it.
Note that I've seen servers configured to use /etc/keys/%u/authorized_keys. If this is the case, place the authorized_keys file there, make it owned by the respective user and give it the appropriate permissions.
Optional: Some servers restrict which users may log in at all (by any authentication method) with the "AllowUsers" directive, so a user must also be listed there for public key authentication to succeed:
<pre>
...
AllowUsers admin jmp em
...
</pre>
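As an added example that is not part of the original wiki page, the following POSIX sh function audits the permissions the procedure above depends on (home directory, ~/.ssh, id_rsa and authorized_keys), mirroring what sshd's StrictModes check inspects. It assumes GNU stat; the directory layout passed to it is whatever home directory you point it at.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: audit the modes that
# public key authentication depends on, the same files sshd's StrictModes
# check inspects before it will honour ~/.ssh/authorized_keys.
# Usage: check_ssh_perms /home/alice   (exit 0 only when nothing is wrong)
# Assumes GNU stat (-c '%a'); on BSD/macOS use: stat -f '%OLp' "$1"

mode_of() { stat -c '%a' "$1"; }

# go_writable MODE: succeed when group or other has the write bit set.
go_writable() {
    go=${1#${1%??}}                 # last two octal digits: group, other
    case "$go" in
        [2367]?|?[2367]) return 0 ;;
        *)               return 1 ;;
    esac
}

check_ssh_perms() {
    home=$1
    problems=0
    # The home directory and ~/.ssh must not be writable by group/other,
    # otherwise sshd logs "bad ownership or modes" and falls back to password.
    for d in "$home" "$home/.ssh"; do
        if [ ! -d "$d" ]; then
            echo "missing directory: $d"; problems=$((problems + 1))
        elif go_writable "$(mode_of "$d")"; then
            echo "group/other writable: $d ($(mode_of "$d"))"; problems=$((problems + 1))
        fi
    done
    # The private key must be exactly -rw------- (0600); the ssh client
    # refuses to use a key that anyone else can read.
    key=$home/.ssh/id_rsa
    if [ -f "$key" ]; then
        m=$(mode_of "$key"); m=${m#${m%???}}    # keep the last three digits
        [ "$m" = 600 ] || { echo "private key not 0600: $key ($m)"; problems=$((problems + 1)); }
    fi
    # authorized_keys must not be writable by anyone but its owner.
    ak=$home/.ssh/authorized_keys
    if [ -f "$ak" ] && go_writable "$(mode_of "$ak")"; then
        echo "group/other writable: $ak ($(mode_of "$ak"))"; problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}
```

Run it on the server as the account you are trying to log in as; every line it prints is one reason sshd would silently ignore your key and prompt for a password instead.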