SSH Usage (OpenSSH)
Jump to navigation
Jump to search
This article deals with SSH authentication and usage. SSH allows you to do many things, including sending commands to a remote server.
Public Key Authentication
- Public key authentication allows you to log in via SSH, without supplying a password. The server will use your public key to send you a challenge, that you will decrypt on the client side with your private key. To get public key authentication working, follow the following steps:
- Generate a RSA public/private key pair on the client with ssh-keygen.
- Transfer the public key on the server, and append it to the file ~/.ssh/authorized_keys. Note that this is dependent on the user you want to log as; if you want to use your key to log in as several users, you must add it to the authorized_keys file of each user.
chmod 700 .ssh chmod 600 .ssh/authorized_keys cat ../id_dsa.pub >> authorized_keys
- Make sure that the server configuration allows public key authentication.
- Public key authentication requires strict permissions on several files and directories: $HOME, $HOME/.ssh/ and $HOME/.ssh/authorized_keys. Else it simply won't work. On $HOME, only the user should be able to write. On the $HOME/.ssh/ and $HOME/.ssh/authorized_keys, even read access should be restricted to the user.
- Beware of the format of the id_rsa.pub file. If you make a mistake, for example add a new line, parsing will fail and will confuse OpenSSH.
Multiple keys
- Sometimes it is useful for a particular user to have several different keys. For example, if you access a Subversion repository via the standard SSH method, a command will be invoked when you login on the server. This prevents "normal" usage of ssh. In this case, create another key and modify your .ssh/config file:
Host svn.shoopz.com HostName svn.shoopz.com IdentityFile /home/elvanor/.ssh/id_dsa_svn User elvanor IdentitiesOnly yes
- This will tell SSH to always use the key id_dsa_svn when connecting to svn.shoopz.com. Note the IdentitiesOnly line is extremely important; it tells ssh to not ask keychain for authentified keys (or something like that, I don't know exactly the details, but if you use Gentoo's keychain package, include this line).
Keychain
- After you emerged keychain, it is important to add the following lines to ~/.bash_profile:
keychain ~/.ssh/id_dsa source ~/.keychain/$HOSTNAME-sh