If you ssh into a server a lot, you'll get tired of typing in your password over and over again pretty quickly. Fortunately, you can generate a set of public and private keys on your local client machine, place the public key on the server, and ssh without having to enter a password. Here's how.
1) Generate your keys
jknight@localmachine:~$ ssh-keygen -t rsa (generate an rsa key)
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jknight/.ssh/id_rsa):
Created directory '/home/jknight/.ssh'.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/jknight/.ssh/id_rsa.
Your public key has been saved in /home/jknight/.ssh/id_rsa.pub.
The key fingerprint is:
1f:bf:a8:1f:bf:a8:1f:bf:a8:1f:bf:a8:1f:bf:a8:1f jknight@localmachine
jknight@localmachine:~$
2) Find the keys you just created in your home .ssh directory
jknight@localmachine:~$ cd .ssh (go into the new .ssh directory you just created)
jknight@localmachine:~/.ssh$ ls (look for your 2 keys: one private and one public)
id_rsa id_rsa.pub
3) Use scp to put your public key on the server
jknight@localmachine:~/.ssh$ scp id_rsa.pub remoteUserName@remoteserver.com:~/
The authenticity of host 'remoteserver.com (192.168.1.3)' can't be established.
RSA key fingerprint is 65:fe:34:65:fe:34:65:fe:34:65:fe:34:65:fe:34:65.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'remoteserver.com,192.168.1.3' (RSA) to the list of known hosts.
remoteUserName@remoteserver.com's password:
id_rsa.pub 100%
4) ssh on to the server to put your public key in the right place
jknight@localmachine:~/.ssh$ ssh -l remoteUserName remoteserver.com
remoteUserName@remoteserver.com's password:
Linux remoteserver 2.6.17-11-generic #2 SMP Fri May 18 22:25:27 UTC 2007 x86_64
5) Add your public key to the authorized_keys file on the server in the hidden .ssh directory
remoteUserName@remoteserver:~$ mkdir .ssh (if the .ssh directory doesn't exist, create it)
(now for the important steps: ADD your public key to the authorized_keys file ...)
remoteUserName@remoteserver:~$ cat id_rsa.pub >> .ssh/authorized_keys
(finally, the big 'gotcha': make sure permissions are correct on the authorized_keys file)
remoteUserName@remoteserver:~$ chmod 600 .ssh/authorized_keys
6) All set?
Open a shell on your local machine, and you should now be able to ssh without typing in a password
jknight@shadowbox:~/.ssh$ ssh -l remoteUserName remoteserver.com
Linux galadriel 2.6.17-11-generic #2 SMP Fri May 18 22:25:27 UTC 2007 x86_64
success!
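If key login still prompts for a password, the permission 'gotcha' from step 5 is the usual cause. The following is an added example, not part of the original walkthrough: a shell function that checks the modes sshd and the ssh client care about. The function names are made up here; it assumes the default file names used above and checks modes only, not ownership.

```shell
#!/bin/sh
# Added example: audit the modes that decide whether key login works.
# File names are the tutorial's defaults; function names are made up here.

# Print a path's octal mode (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# check_mode PATH MASK REASON: report and fail if any bit in MASK is set.
check_mode() {
    [ -e "$1" ] || return 0              # absent file: nothing to report
    m=$(mode_of "$1")
    if [ $(( 0$m & 0$2 )) -ne 0 ]; then  # leading 0 makes both octal
        echo "FAIL $1 mode $m: $3"
        return 1
    fi
    echo "ok   $1 mode $m"
}

# audit_ssh_perms HOME_DIR: exit status is the number of findings.
audit_ssh_perms() {
    home=$1
    bad=0
    # Server side: sshd's StrictModes ignores authorized_keys when the
    # file, ~/.ssh or the home directory is group- or world-writable.
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_mode "$p" 022 "writable by group/other" || bad=$((bad + 1))
    done
    # Client side: ssh refuses a private key that anyone else can access.
    check_mode "$home/.ssh/id_rsa" 077 "private key open to group/other" \
        || bad=$((bad + 1))
    return "$bad"
}

# Run against a directory given on the command line, e.g. "$HOME".
if [ "$#" -gt 0 ]; then
    audit_ssh_perms "$1"
fi
```

Run it with your home directory as the argument on whichever machine holds the files: the server for authorized_keys, the client for id_rsa.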
Notes
These are all equivalent ways to ssh to a server:
ssh -l remoteUserName remoteserver.com
ssh -lremoteUserName remoteserver.com
ssh remoteUserName@remoteserver.com
scp syntax can take some getting used to. To put a file out to a server use the following. You can specify the target file name, or just the directory:
scp /local/path/file.txt remoteUserName@remoteserver.com:/remote/server/path/
scp /local/path/file.txt remoteUserName@remoteserver.com:/remote/server/path/out.txt
To get a file from a remote server, use:
scp remoteUserName@remoteserver.com:/remote/server/path/file.txt /local/file/path
The permissions certainly seem to be the major problem.
We had to use chmod 755 in order to get both scp and SFTP working:
chmod -R 755 /cbs
When receiving this error:
Request for subsystem 'sftp' failed on channel 0
Here are some solutions:
1. Have a look into /etc/sshd_config. Is the path to sftp-server correct? (Subsystem sftp /usr/sbin/sftp-server)
2. Check the permissions of sftp-server. In this case, the permissions on the directory containing sftp-server were incorrect:
# grep sftp-server /usr/local/etc/sshd_config
Subsystem sftp /usr/local/libexec/sftp-server
# ls -ld /usr/local/libexec /usr/local/libexec/sftp-server
drwx------ 2 root other 512 Oct 7 2003 /usr/local/libexec
-rwxr-xr-x 1 root other 28292 Oct 7 2003 /usr/local/libexec/sftp-server
To correct the problem:
chmod 755 /usr/local/libexec
3. The remote host is running SSH version 2 but does not have the sftp server enabled
(OpenSSH ships its sftp server disabled by default)
A word of warning:
If you set the permissions too open on the folder /etc/ssh, SSH will not start. You will receive:
"Permissions 0755 for 'etc/ssh/ssh_hosts_dsa_key' are too open."
Just change the permissions back:
chmod -R 600 /usr/ssh (this is on AIX)