Shared Keys on Linux#

Here is an example command:

$ ssh ndsuser@sh.svr.willeke.com "ls -l /var/nds/dib/*.TAO"

You do have to be in sh.svr.willeke.com as ndsuser, as the SSH configuration is unique for each shell account.

Here are the notes made to set this up on another host:

# Setting up password-less SSH access (Servers running OpenSSH -- EMR standard)
ssh-keygen -t rsa	## only have to do this once

# Repeat these steps on each remote system
scp ~/.ssh/id_rsa.pub ndsuser@serverName.svr.wilelke.com:mykey.pub
ssh ndsuser@serverName.svr.wilelke.com

# Run these commands in the remote shell
if [ ! -d ./.ssh ]; then mkdir ./.ssh; fi
cat mykey.pub >> .ssh/authorized_keys
rm mykey.pub

We worked with a client that was using F-Secure#

Here is what we did there:

# Setting up password-less SSH access (For servers running F-Secure -- rare these days)
# Convert the original OpenSSH key to v2
ssh-keygen -ef ~/.ssh/id_rsa.pub > ~/.ssh/my-secsh-key.pub
scp ~/.ssh/my-secsh-key.pub ndsuser@serverName.svr.wilelke.com:
ssh ndsuser@serverName.svr.wilelke.com
#
mv ./my-secsh-key.pub ./.ssh2/E017122.DTUSU33608RF.pub
echo "Key E017122.DTUSU33608RF.pub">>./.ssh2/authorization

The Agent#

The Agent is the program, ssh-agent, that runs on the local machine and acts as your proxy when an ssh command requires a passphrase.

Normally you would type a password or passphrase when requested by ssh or scp. However, the agent can provide the passphrase for you. The trick is telling the SSH commands to get the passphrase from the agent rather than from you. First you must "prime" the agent and then you must "attach" the agent to one or more processes.

Priming the Agent

To "prime" the agent issue the following commands (on the local machine):

ssh_info_file=~/.ssh-agent-info-`hostname`
ssh-agent >$ssh_info_file
chmod 600 $ssh_info_file
. $ssh_info_file
ssh-add ~/.ssh/identity
ssh-add ~/.ssh/id_dsa
ssh-add ~/.ssh/id_rsa

Each ssh-add command will prompt you for the appropriate passphrase.

Note the output of hostname is appended to the name of the ssh agent info file. This distinguishes the name of the file from other instances of the file that may be created in a multi-host, shared home directory environment.

It's convenient to capture this sequence in a shell script:

#!/bin/bash
# Creates an ssh-agent, writes ssh agent info
# to the file '~/.ssh-agent-info-`hostname`' and then prompts
# user for keys. Then any shell can use the agent
# by sourcing the contents of ~/.ssh-agent-info-`hostname`:
#   . ~/.ssh-agent-info-`hostname`

ssh_info_file=~/.ssh-agent-info-`hostname`
ssh-agent >$ssh_info_file
chmod 600 $ssh_info_file
. $ssh_info_file
for i in identity id_dsa id_rsa
do
    ssh-add ~/.ssh/$i
done

Save this script as ssh_prime in your home directory. Now you can type:

source ssh_prime

You need only "prime" your agent once each time you reboot your machine. The agent will stay active across logins.

Now you should be able to connect, without entering a password, to all remote machines that have the public keys you generated earlier.

Note that the shell command source ssh_prime both primes the agent and attaches it to the current shell process (and its children). However, in some cases (example given below), you may need to explicitly attach the agent to a process after the agent has been primed.
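An added example, not the script from this page: a variant of ssh_prime that checks whether the agent named in the info file is still running before starting a new one (so sourcing it after every login does not leave orphaned agents), creates the info file with restrictive permissions from the start instead of chmod afterwards, and skips key files that do not exist. It keeps the page's ~/.ssh-agent-info-<hostname> naming and key list; uname -n is used in place of hostname.

```shell
#!/bin/sh
# Prime ssh-agent once per host, reusing a live agent when one exists.
# Usage: . ./ssh_prime_safe && prime_agent   (or: sh ssh_prime_safe prime)

# Per-host info file, as on this page: the host suffix keeps instances
# apart when several hosts share one home directory. uname -n == hostname.
agent_info_file() {
    printf '%s/.ssh-agent-info-%s\n' "$HOME" "$(uname -n)"
}

# Return 0 if the info file names an agent that is still running and whose
# socket still exists; 1 if the file is missing or stale.
agent_alive() {
    f="$1"
    [ -r "$f" ] || return 1
    # Source inside a subshell so a stale file cannot change the caller's
    # SSH_AUTH_SOCK / SSH_AGENT_PID.
    ( . "$f" >/dev/null 2>&1
      [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "$SSH_AUTH_SOCK" ] \
        && [ -n "${SSH_AGENT_PID:-}" ] && kill -0 "$SSH_AGENT_PID" 2>/dev/null )
}

prime_agent() {
    f=$(agent_info_file)
    if ! agent_alive "$f"; then
        # umask 077 makes the file 0600 at creation; -s forces Bourne-style
        # output even if the login shell is csh.
        ( umask 077; ssh-agent -s > "$f" )
    fi
    . "$f" >/dev/null
    # Same key names as the page's script; ssh-add is only run for files
    # that exist, so a missing id_dsa does not abort the loop.
    for k in identity id_dsa id_rsa; do
        [ -f "$HOME/.ssh/$k" ] && ssh-add "$HOME/.ssh/$k"
    done
}

case "${1:-}" in
    prime) prime_agent ;;
esac
```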

Some helpful URLs:

When doing this from a Solaris server to a Windows server it seems (from reading through debug listings) that you need to add an "identification" file in the /home/xxx/.ssh2 directory on the Unix side, with the information listed on this URL:

http://backuppc.sourceforge.net/faq/ssh.html

Scroll (or search) down to the "identification" section.

Also be aware that some Windows servers may prefer a DSA key format to an RSA key format when using ssh-keygen -t ... (haven't figured that one out yet, but at least this is working for now).

This page (revision-5) was last changed on 05-Jan-2017 12:28 by jim