SSH Usage (OpenSSH)

From Elvanör's Technical Wiki
Revision as of 21:19, 11 January 2009 by Elvanor (talk | contribs)
Jump to navigation Jump to search

This article deals with SSH authentication and usage. SSH allows you to do many things, including sending commands to a remote server.

Public Key Authentication

  • Public key authentication allows you to log in via SSH, without supplying a password. The server will use your public key to send you a challenge, that you will decrypt on the client side with your private key. To get public key authentication working, follow the following steps:
    • Generate a RSA public/private key pair on the client with ssh-keygen.
    • Transfer the public key on the server, and append it to the file ~/.ssh/authorized_keys. Note that this is dependent on the user you want to log as; if you want to use your key to log in as several users, you must add it to the authorized_keys file of each user.
chmod 700 .ssh
chmod 600 .ssh/authorized_keys
cat ../id_dsa.pub >> authorized_keys
  • Make sure that the server configuration allows public key authentication.
  • Public key authentication requires strict permissions on several files and directories: $HOME, $HOME/.ssh/ and $HOME/.ssh/authorized_keys. Else it simply won't work. On $HOME, only the user should be able to write. On the $HOME/.ssh/ and $HOME/.ssh/authorized_keys, even read access should be restricted to the user.
  • Beware of the format of the id_rsa.pub file. If you make a mistake, for example add a new line, parsing will fail and will confuse OpenSSH.

Multiple keys

  • Sometimes it is useful for a particular user to have several different keys. For example, if you access a Subversion repository via the standard SSH method, a command will be invoked when you login on the server. This prevents "normal" usage of ssh. In this case, create another key and modify your .ssh/config file:
Host svn.shoopz.com
HostName svn.shoopz.com
IdentityFile /home/elvanor/.ssh/id_dsa_svn
User elvanor
IdentitiesOnly yes
  • This will tell SSH to always use the key id_dsa_svn when connecting to svn.shoopz.com. Note the IdentitiesOnly line is extremely important; it tells ssh to not ask keychain for authentified keys (or something like that, I don't know exactly the details, but if you use Gentoo's keychain package, include this line).

Keychain

  • After you emerged keychain, it is important to add the following lines to ~/.bash_profile:
keychain ~/.ssh/id_dsa
source ~/.keychain/$HOSTNAME-sh