OpenSSH: SSH Key Exchange
Introduction
SSH key exchange is great for logging in without having to type your password. It’s also very simple to set up.
Basic
Server
On the server, the user account to which the client will connect (for example root) must have the .ssh directory present:
Client
On the client, you need to generate a key pair, unless you already have one (~/.ssh/id_dsa.pub):
Then, you need to send the key to the server:
or
Now, if we connect to the server, we won’t be prompted for a password:
Change ssh key passphrase
You can change your ssh passphrase:
Complex with restrictions
If, for example, you don’t want root to be accessible from anywhere, you need to perform a basic key exchange between the client machine and the server, then edit the following on the server:
- The OpenSSH server configuration file /etc/ssh/sshd_config:
- The authorized keys file /root/.ssh/authorized_keys:
Finally, restart OpenSSH :). Now, only the machine at 10.0.0.1 will be authorized to connect directly as root and only via the key.
If you have multiple machines or hosts to add, separate them with commas.
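The from= restriction described above, as an added example that is not part of the original article: a small POSIX shell script that builds an authorized_keys entry limited to given client addresses and audits an authorized_keys file for entries that carry no such restriction. The host addresses, key material and function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Builds authorized_keys
# entries restricted with the from= option and audits a file for entries
# without one. Host addresses and key material below are constructed.

# restricted_entry HOSTS PUBKEY_LINE
# Prefix a public key line with from="host1,host2" so sshd accepts the key
# only from those client addresses (comma-separated, as noted above).
restricted_entry() {
    printf 'from="%s" %s\n' "$1" "$2"
}

# list_unrestricted FILE
# Print every key entry that carries no from= option, i.e. a key that is
# accepted from any address. Blank lines and # comments are skipped.
# Note: a from=" inside the key comment would also count as restricted;
# good enough for an audit, not for enforcement.
list_unrestricted() {
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*)      continue ;;   # blank or comment
            *'from="'*)   continue ;;   # restricted to listed hosts
        esac
        printf '%s\n' "$line"
    done < "$1"
}

# count_unrestricted FILE  -> number of unrestricted entries
count_unrestricted() {
    list_unrestricted "$1" | wc -l | tr -d ' '
}

# Constructed sample authorized_keys file (keys truncated, not real).
SAMPLE_KEYS=$(mktemp)
cat > "$SAMPLE_KEYS" <<'EOF'
# constructed sample
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample1 admin@laptop
from="10.0.0.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample2 root@10.0.0.1
from="10.0.0.1,10.0.0.2",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample3 backup@10.0.0.2
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample4 dev@desktop
EOF

echo "New restricted entry for root:"
restricted_entry "10.0.0.1" "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCexample5 root@10.0.0.1"
echo "Entries in $SAMPLE_KEYS accepted from any address ($(count_unrestricted "$SAMPLE_KEYS")):"
list_unrestricted "$SAMPLE_KEYS"
```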
ssh-add
ssh-add is a tool that lets you keep a passphrase-protected SSH private key without having to type the passphrase each time: you enter it once, on first use. There is also an X counterpart called ssh-askpass. It’s also possible to define a timeout:
So here, after an hour, you’ll need to enter the passphrase again.
FAQ
Authentication refused: bad ownership or modes for directory
If you encounter this type of error:
You have permission problems in your user’s home directory. Check that it has permissions like 755. If it’s not possible to change the permissions, you need to tell SSH to be less restrictive about them: modify the file /etc/ssh/sshd_config and add this option:
Disabling protocol version 1. Could not load host key
I had this small issue, particularly with the Xen Enterprise live CD for performing P2Vs. I wanted to connect remotely to check the progress of the migration. I needed to generate SSH keys to start the server. Here’s the procedure:
And there you go, the problem of the server with missing keys is resolved :)
I can’t change the root password and I absolutely want to connect to the machine
Be careful with this technique because anyone will be able to connect. But for the more adventurous among you, modify these parameters:
Restart your SSH service, and there you go, your server is now completely insecure :)
Resources
Last updated 25 Oct 2013, 09:02 CEST.