Shared Keys on Linux#
Here an example command-line:
$ ssh ndsuser@sh.svr.willeke.com "ls -l /var/nds/dib/*.TAO"
You do have to be in sh.svr.willeke.com as ndsuser, as the SSH configuration is unique for each shell account.
Here are the notes made to set this up on another host:
# Setting up password-less SSH access (Servers running OpenSSH -- EMR standard) ssh-keygen -t rsa ## only have to do this once # Repeat these steps on each remote system scp ~/.ssh/id_rsa.pub ndsuser@serverName.svr.wilelke.com:mykey.pub ssh ndsuser@serverName.svr.wilelke.com # Run these [command-lines] in the remote shell if [ ! -d ./.ssh ]; then mkdir ./.ssh; fi cat mykey.pub >> .ssh/authorized_keys rm mykey.pub
We worked with a client that was using F-Secure#
Here is what we did there.# Setting up password-less SSH access (For servers running F-Secure -- rare these days) # Convert the original OpenSSH key to v2 ssh-keygen -ef ~/.ssh/id_rsa.pub > ~/.ssh/my-secsh-key.pub scp ~/.ssh/my-secsh-key.pub ndsuser@serverName.svr.wilelke.com: ssh ndsuser@serverName.svr.wilelke.com # mv ./my-secsh-key.pub ./.ssh2/E017122.DTUSU33608RF.pub echo "Key E017122.DTUSU33608RF.pub">>./.ssh2/authorization
The Agent#
The Agent is the program, ssh-agent, that runs on the local machine and acts as your proxy when an ssh command requires a passphrase.
Normally you would type a password or passphrase when requested by ssh or scp. However, the agent can provide the passphrase for you. The trick is telling the SSH commands to get the passphrase from the agent rather than you. First you must ``prime the agent and then you must ``attach the agent to one or more processes.Priming the Agent
To ``prime the agent issue the following command-lines (on the local machine):
ssh_info_file=~/.ssh-agent-info-`hostname` ssh-agent >$ssh_info_file chmod 600 $ssh_info_file . $ssh_info_file ssh-add ~/.ssh/identity ssh-add ~/.ssh/id_dsa ssh-add ~/.ssh/id_rsa
Each ssh-add command will prompt you for the appropriate passphrase.
Note the output of hostname is appended to the name of the ssh agent info file. This distinguishes the name of the file from other instances of the file that may be created in a multi-host, shared home directory environment.
It's convenient to capture this sequence in a shell script:
- !/bin/bash
- Creates an ssh-agent, writes ssh agent info
- to the file '~/.ssh-agent-info-`hostname`' and then prompts
- user for keys. Then any shell can use the agent
- by sourcing the contents of ~/.ssh-agent-info-`hostname`:
- . ~/ssh-agent-info-`hostname`
ssh_info_file=~/.ssh-agent-info-`hostname` ssh-agent >$ssh_info_file chmod 600 $ssh_info_file . $ssh_info_file for i in identity id_dsa id_rsa do ssh-add .ssh/\$i done
Save this script as ssh_prime in your home directory. Now you can type:
source ssh_prime
You need only ``prime your agent once each time you reboot your machine. The agent will stay active across logins.
Now you should be able to connect, without entering a password, to all remote machines that have the public keys you generated earlier.
Note that the shell command source ssh_prime both primes the agent and attaches it to the current shell process (and its children). However, in some cases (example given below), you may need to explicitly attach the agent to a process after the agent has been primed. Some helpful on urls:
When doing this from a Solaris-to-Windows server it seems (from reading through debug listings) that you need to add an "identification" file in the /home/xxx/.ssh2 directory on the unix side.. with the information listed on this url:
http://backuppc.sourceforge.net/faq/ssh.html
Scroll (or search) done to the "identification" section.
Also be aware that some Windows servers may prefer a DSA key format vs an RSA key format, when using ssh-keygen -t ... (haven't figured that one out yet...but at least this is working for now.)