This is needed to:
- Log in as a user on one system from a user on another system without typing the password.
- Allow automatic scripts to execute remote commands or copy / move data from one system to another.
Keep in mind:
- If the user account you use to connect to remote systems is hacked, all your systems might be compromised.
- Do not allow the root user to connect remotely without a password unless necessary, since the risk is higher.
- The configuration is not bidirectional. You must repeat all the steps to configure the connection back from the remote to the local system.
The steps are:
- Create a pair of keys (public and private) in the home directory of the user on the system you will use to connect to the remote system. The command to use is ssh-keygen.
You can change the filenames where your keys will be stored.
When asked for the passphrase, leave it empty; otherwise it will be required every time a connection to the remote system is established.
sergio@odin:~$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sergio/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sergio/.ssh/id_rsa.
Your public key has been saved in /home/sergio/.ssh/id_rsa.pub.
The key fingerprint is:
ce:bb:e5:75:e4:8f:23:67:09:12:c8:9c:39:ad:3e:bd sergio@odin
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| o = |
| B o |
| So . . |
| o. . .o |
| .o.....o. |
| o+....=o |
| ooE. +...|
+-----------------+
- A directory .ssh will be created, containing the two files. Make sure the permissions of the private key file (id_rsa) keep it readable only by the owner.
sergio@odin:~$ ls -l .ssh
total 8
-rw------- 1 sergio sergio 1679 ago 15 11:46 id_rsa
-rw-r--r-- 1 sergio sergio 393 ago 15 11:46 id_rsa.pub
- Append the content of the public key file (id_rsa.pub) to the file ~/.ssh/authorized_keys of the remote system. To do so, you can send it by e-mail, copy and paste it, remote copy it to a temporary file, or use the ssh-copy-id tool, which does all the work for you.
sergio@odin:~$ ssh-copy-id coord@mudel
The authenticity of host 'mudel (192.168.56.1)' can't be established.
RSA key fingerprint is 0c:48:50:6c:67:df:1f:8c:ac:22:c2:ee:0b:a8:98:55.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'mudel,192.168.56.1' (RSA) to the list of known hosts.
coord@mudel's password:
Now try logging into the machine, with "ssh 'coord@mudel'", and check in:
~/.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
- The first time you establish an SSH connection, the fingerprint of the origin system will be shown and you will be asked whether it should be appended to the ~/.ssh/known_hosts file of the remote system. Answer yes.
- Now try to connect.
sergio@odin:~$ ssh coord@mudel
Linux mudel 2.6.32-5-686 #1 SMP Tue Mar 8 21:36:00 UTC 2011 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Aug 15 12:07:26 2012
coord@mudel:~$
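The two checks the steps above rely on (the private key and the .ssh directory being readable only by the owner, and authorized_keys receiving exactly the key you meant to add and nothing else) can be verified without an SSH server at hand. The script below is an added example, not part of the original post or of the ssh-copy-id tool: it appends a public key line to a home directory's authorized_keys only if it is not already there, sets the permissions sshd expects, and reads the permission string back the same way the ls -l listing above shows it. The home directory, the function names and the key line are assumptions; the key line is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post). Demonstrates, offline, the two
# things the procedure cares about: tight permissions on ~/.ssh and the idempotent
# append to authorized_keys that ssh-copy-id performs on the remote system.

# perm_string PATH -> the 10-character mode string as printed by ls -l,
# e.g. "-rw-------" for a private key, "drwx------" for the .ssh directory.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# check_private_key PATH -> 0 if the key file is readable/writable only by its
# owner (-rw-------), 1 otherwise. sshd's client side refuses keys that are
# group- or world-readable, so this is the state to aim for.
check_private_key() {
    [ "$(perm_string "$1")" = "-rw-------" ]
}

# append_authorized_key HOME_DIR PUBKEY_LINE
# Creates HOME_DIR/.ssh and authorized_keys with the expected permissions and
# appends PUBKEY_LINE unless an identical line is already present, so running
# it twice does not leave duplicate entries behind.
append_authorized_key() {
    home_dir=$1
    pubkey=$2
    ssh_dir="$home_dir/.ssh"
    auth="$ssh_dir/authorized_keys"
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth"
    chmod 600 "$auth"
    # -x: whole-line match, -F: literal string, so a prefix of a longer key
    # never counts as "already present".
    if grep -qxF -- "$pubkey" "$auth"; then
        return 0
    fi
    printf '%s\n' "$pubkey" >> "$auth"
}

# count_authorized_keys HOME_DIR -> number of non-empty lines in authorized_keys.
# Compare this with the number of keys you expected, as the ssh-copy-id message
# suggests, to spot entries you did not add.
count_authorized_keys() {
    grep -c -v '^[[:space:]]*$' "$1/.ssh/authorized_keys"
}

# Stand-alone demo in a scratch directory standing in for the remote user's home.
# The key line is constructed for the example and is not a real key.
if [ -z "$SKIP_DEMO" ]; then
    demo_home=$(mktemp -d)
    demo_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-EXAMPLE-NOT-A-REAL-KEY sergio@odin'
    append_authorized_key "$demo_home" "$demo_key"
    append_authorized_key "$demo_home" "$demo_key"   # second run must not duplicate
    echo "authorized keys: $(count_authorized_keys "$demo_home")"   # 1
    echo ".ssh mode:       $(perm_string "$demo_home/.ssh")"        # drwx------
    printf 'placeholder, not a real key\n' > "$demo_home/.ssh/id_rsa"
    chmod 644 "$demo_home/.ssh/id_rsa"
    check_private_key "$demo_home/.ssh/id_rsa" || echo "id_rsa is too open, fixing"
    chmod 600 "$demo_home/.ssh/id_rsa"
    check_private_key "$demo_home/.ssh/id_rsa" && echo "id_rsa permissions ok"
    rm -rf "$demo_home"
fi
```

Run it as-is to see the demo, or source it with SKIP_DEMO=1 to reuse the functions against a real home directory; on the remote side, `count_authorized_keys "$HOME"` gives the number to compare against the keys you knowingly installed.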