Trusted Authentication with openSSH
1. cd to the '.ssh' directory in the home directory of the user you wish to create
keys for. If the directory is not there, create it and 'chmod 700 .ssh'.
2. Create a 1024 bit dsa key:
ssh-keygen -t dsa -b 1024
where the key type is given by '-t dsa' and the key size in bits by '-b 1024'.
3. When prompted for values, generally use the default names. This will
generate two files in the .ssh directory:
id_dsa (private key file)
id_dsa.pub (public key file)
4. Enter an empty passphrase unless you wish to require a password with the key.
5. Copy the public key file (id_dsa.pub) to the remote host you would like to
authenticate against.
6. Rename, copy, or append the public key file or its contents to "authorized_keys2"
and place it in the .ssh directory of the user's home on the remote host.
*All public keys are stored in "authorized_keys2", so you should APPEND the
contents of the id_dsa.pub file to an existing authorized_keys2 file rather than
overwrite any other previously configured keys.
---------------------------------------------------------------------------------
example
---------------------------------------------------------------------------------
myuser@myserver
% cd ~/.ssh
myuser@myserver
% ssh-keygen -t dsa -b 1024
Generating public/private dsa key pair.
Enter file in which to save the key (/u01/home/myuser/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /u01/home/myuser/.ssh/id_dsa.
Your public key has been saved in /u01/home/myuser/.ssh/id_dsa.pub.
The key fingerprint is:
aa:82:47:56:35:b3:9f:4e:d0:89:c1:a8:dc:b6:43:cb myuser@myserver
myuser@myserver
%
---------------------------------------------------------------------------------
listing of the .ssh directory:
drwx------ 2 myuser sysadmin 512 Nov 29 13:58 ./
drwxr-xr-x 34 myuser sysadmin 2048 Dec 6 09:47 ../
-rw-r--r-- 1 myuser sysadmin 1816 Jul 5 10:59 authorized_keys2
-rw------- 1 myuser sysadmin 668 Jun 4 2002 id_dsa
-rw-r--r-- 1 myuser sysadmin 604 Jun 4 2002 id_dsa.pub
-rw-r--r-- 1 myuser sysadmin 60777 Nov 18 13:11 known_hosts2
-rw------- 1 myuser sysadmin 1024 Dec 7 00:05 prng_seed
authorized_keys2 stores public keys copied from remote hosts (the keys allowed to log in here)
id_dsa ssh version 2 private key for the current host
id_dsa.pub public key to copy to the remote host
known_hosts2 stores the fingerprints of all remote hosts that have been visited
---------------------------------------------------------------------------------
troubleshooting
---------------------------------------------------------------------------------
If ssh is still prompting for a password to authenticate, check the permissions on
the home directory and the .ssh directory. ssh will refuse to use the key if the
permissions on one or both directories are too open (typically 700 is used).
Another common problem is that the user's login shell is not a valid shell
listed in the /etc/shells file. This occurs most often when the account is an
application account, the shell is 'false' or 'true', and the account is locked
(*LK*). Just add '/path/false' or '/path/true' to /etc/shells. If the user's
account is locked (*LK* in /etc/shadow), the key will not work. Changing the
entry from:
mysql:*LK*:::::::
to
mysql:NP:::::::
corrects this.
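The append step (6) and the permissions check from the troubleshooting section, as an added example that is not part of the original post. Both functions take the home directory as an argument so they can be exercised against a scratch directory; the key line is constructed, not a real key.

```shell
#!/bin/sh
# Added example, not from the original post: append a public key to
# ~/.ssh/authorized_keys2 without overwriting the keys already there, and
# check the directory permissions that make ssh fall back to a password prompt.

# install_pubkey HOME "KEYLINE": append one public-key line unless it is
# already present; prints "appended" or "already present".
install_pubkey() {
    home="$1"; key="$2"
    auth="$home/.ssh/authorized_keys2"
    mkdir -p "$home/.ssh" && chmod 700 "$home/.ssh"
    touch "$auth" && chmod 600 "$auth"
    if grep -qxF -- "$key" "$auth"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$auth"   # >> appends; > would wipe other keys
        echo "appended"
    fi
}

# check_ssh_perms HOME: returns 0 if the home directory and its .ssh directory
# are neither group- nor world-writable, 1 otherwise (the "too open" case in
# which sshd will not use the keys).
check_ssh_perms() {
    home="$1"; rc=0
    for d in "$home" "$home/.ssh"; do
        if [ ! -d "$d" ]; then echo "missing: $d"; rc=1; continue; fi
        mode=$(stat -c '%a' "$d" 2>/dev/null || stat -f '%Lp' "$d")  # GNU, then BSD stat
        go=$(printf '%s' "$mode" | tail -c 2)   # group and other digits only
        case "$go" in
            *[2367]*) echo "too open: $d ($mode)"; rc=1 ;;   # a write bit is set
            *)        echo "ok: $d ($mode)" ;;
        esac
    done
    return $rc
}

# Constructed sample run against a scratch directory (key text is made up).
demo() {
    scratch=$(mktemp -d)
    key='ssh-dss AAAAB3NzaC1kc3MAAACBAEXAMPLEKEYDATA myuser@myserver'
    install_pubkey "$scratch" "$key"
    install_pubkey "$scratch" "$key"          # second call must not duplicate
    wc -l < "$scratch/.ssh/authorized_keys2"  # still one key
    chmod 755 "$scratch" && check_ssh_perms "$scratch"
    chmod 775 "$scratch" && check_ssh_perms "$scratch" || echo "fix with: chmod 700 $scratch"
    rm -rf "$scratch"
}
```

Run `demo` to see one append, one skip, and the permission check passing at 755 and failing once the home directory is group-writable.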
---------------------------------------------------------------------------------