SSH keys and agents



forgie
22nd March 2007, 12:25 PM
I want to write some shell scripts to do various SSH jobs. I have two different servers, let's call them server1.net.au, and server2.net.au. For each server, I want to have shell scripts to

a) start an SSH shell session
b) open an SSH tunnel

Now I can easily do this using password authentication, but I want it to be automated. I have gone to each server (in person) and run

ssh-keygen -t rsa

Then copied the resulting keys onto my USB drive, so I have two id_rsa files, one for each server.

What do I do with the keyfiles? I made them without a passphrase - would it be relatively trivial to use a passphrase and then use ssh-agent to somehow authenticate me?


Thanks in advance to the infinite pool of wisdom that is MTAU (I have a feeling that spectre might be the one who answers this Q!)

MacDave
22nd March 2007, 12:32 PM
http://invisiblepixels.org/progs/sshkeypairs.html

Note, there is a slight error on this page:

scp isa_dsa.pub root@server:.ssh/ <-this should be:

scp id_dsa.pub root@server:.ssh/

Also, look into SSH Tunnel Manager - http://www.macupdate.com/info.php/id/10128

Here's my ssh login from my G5 PM to one of the Xserves:

[c-24-5-195-238:~] dave% isis
Last login: Tue Mar 20 17:42:57 2007 from 192.168.0.6
Welcome to Isis, the XServe!
[Isis:~] polkadot%

"isis" is just a simple shell script:

[c-24-5-195-238:~] dave% cat /usr/local/bin/isis
ssh -l polkadot 192.168.0.2

Dave

Currawong
22nd March 2007, 12:37 PM
Basically, you keep id_dsa in ~/.ssh on your own machine... it's your private key.

id_dsa.pub gets copied into authorized_keys on the remote machine.

MacDave
22nd March 2007, 12:41 PM
id_dsa.pub gets copied into authorized_keys on the remote machine.

Actually, into authorized_keys2

The way this is done is cat id_dsa.pub >> authorized_keys2

Be sure to use >> rather than > so that you can append keys to your authorized_keys2 file rather than overwriting it which > would do.

Dave

Currawong
22nd March 2007, 12:57 PM
You can put it in either. There used to be different files for different key types but that was abolished some time ago.
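The server-side step the thread settles on (append the public key to ~/.ssh/authorized_keys with >>, never >), as an added example that is not code from the thread. Beyond the bare append it refuses lines that are not OpenSSH public keys, skips a key that is already present, and sets the permissions sshd insists on (with StrictModes, the default, sshd ignores an authorized_keys file or ~/.ssh directory writable by anyone but the owner). It also shows how a key used only by the tunnel script can be limited with authorized_keys options. Paths are assumptions, and the key blobs are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not code from the thread. Installs a public key into an
# authorized_keys file the way the thread describes (append with >>), but
# checks the line is really a public key, skips a key that is already there,
# and sets the permissions sshd requires. All paths and key blobs below are
# constructed for the example; the blobs are not real keys.
set -eu

# True if the line looks like an OpenSSH public key: key type, base64 blob,
# optional comment. Leading options (restrict,command=...) are added by
# install_pubkey, so they are not expected here.
is_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# install_pubkey FILE PUBKEY_LINE [OPTIONS]
# Appends the key to FILE (creating it if needed). Uses >> so keys already in
# the file are kept; a key whose blob is already present is not added twice.
# OPTIONS, if given, is an authorized_keys option string prepended to the key.
install_pubkey() {
    file=$1; key=$2; opts=${3:-}
    is_pubkey_line "$key" || { echo "not an OpenSSH public key line: $key" >&2; return 1; }
    dir=$(dirname "$file")
    # sshd (StrictModes, the default) ignores authorized_keys when the file or
    # ~/.ssh is writable by anyone but the owner.
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file"
    blob=$(printf '%s\n' "$key" | awk '{print $2}')
    if grep -Fq -- "$blob" "$file"; then
        return 0   # already installed, nothing to do
    fi
    if [ -n "$opts" ]; then
        printf '%s %s\n' "$opts" "$key" >> "$file"
    else
        printf '%s\n' "$key" >> "$file"
    fi
}

# Number of key lines in FILE (blank and comment lines ignored).
count_keys() {
    grep -cEv '^[[:space:]]*(#|$)' "$1" || true
}

# Stand-alone demo against a temporary directory; no real server is touched.
demo_dir=$(mktemp -d)
ak="$demo_dir/.ssh/authorized_keys"
# Constructed placeholder keys (the blobs are not valid key material).
login_key='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCexampleblob1 forgie@macbook'
tunnel_key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexampleblob2 tunnel@macbook'
install_pubkey "$ak" "$login_key"
install_pubkey "$ak" "$login_key"            # second call is a no-op
# A key used only by the tunnel script gets no shell and may forward only to
# one port. 'restrict' needs OpenSSH 7.2 or newer; older servers take
# no-pty,no-agent-forwarding,no-X11-forwarding,permitopen=... instead.
install_pubkey "$ak" "$tunnel_key" 'restrict,port-forwarding,permitopen="127.0.0.1:5432"'
echo "$(count_keys "$ak") key(s) in $ak:"
cat "$ak"
```

Run it on the server as the account you log in as; the demo writes only under a temporary directory. The authorized_keys2 name mentioned earlier in the thread is the old secondary file; current OpenSSH reads authorized_keys, so that is where the append should go.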

forgie
22nd March 2007, 01:07 PM
OK, so I've done it the wrong way around? So I really have to run

ssh-keygen -t rsa -C "user@my.remote.server.com"

Then take ~/.ssh/id_rsa.pub from my local computer, and append it to ~/.ssh/authorized_keys2 on my server? Is that it? I would have to do this once for each server, and just change the "user@my.remote.server.com" for each one, is that right?

What happens when I have keys for multiple servers? Where do the different keys go?

forgie
22nd March 2007, 08:38 PM
OK, it's all working now. I just had to run ssh-keygen -t rsa on my MacBook, then append id_rsa.pub to authorized_keys2 on each of the servers. Simple. Oh, and I also had to delete references to those servers in known_hosts on my MacBook - until I did that, I got a warning message saying that I may have been hacked or something.

Thanks for the tips guys.
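The client side of the same setup, as an added example that is not code from the thread: it answers the earlier question of where keys for several servers go (one key per server, each listed in a ~/.ssh/config Host block with IdentitiesOnly so the right key is offered to the right host), keeps the keys passphrase-protected and served by ssh-agent as the first post asked about, and writes the two wrapper scripts (shell session, tunnel) the thread set out to build. Hostnames, user names, ports and paths are assumptions. One caveat on the last post: the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning means the server's host key no longer matches ~/.ssh/known_hosts; confirm the new fingerprint with whoever runs the server, then remove only that host's stale entry with ssh-keygen -R server1.net.au rather than editing the file by hand.

```shell
#!/bin/sh
# Added example, not code from the thread. Client-side setup for several
# servers: one passphrase-protected key per server served by ssh-agent, a
# ~/.ssh/config entry per server so the right key goes to the right host, and
# the two wrapper scripts the original post asked for (shell session and
# tunnel). Hostnames, user names, ports and paths are assumptions.
# Keys are made per server with a passphrase, for example:
#   ssh-keygen -t rsa -f ~/.ssh/id_rsa_server1 -C forgie@macbook
set -eu

# A ~/.ssh/config block for one server. With IdentitiesOnly, ssh offers only
# the listed key, so server1 is never shown the key made for server2 (and an
# agent holding many keys does not burn through the server's MaxAuthTries).
ssh_config_entry() {
    name=$1; host=$2; user=$3; keyfile=$4
    printf 'Host %s\n    HostName %s\n    User %s\n    IdentityFile %s\n    IdentitiesOnly yes\n\n' \
        "$name" "$host" "$user" "$keyfile"
}

# Command for a local port forward: connections to 127.0.0.1:LPORT on this
# machine are carried through NAME to RHOST:RPORT as seen from the server.
# -N opens no shell, which is all a tunnel script needs.
tunnel_command() {
    name=$1; lport=$2; rhost=$3; rport=$4
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s %s' "$lport" "$rhost" "$rport" "$name"
}

# Write NAME-shell and NAME-tunnel into DIR (for example ~/bin).
write_wrappers() {
    dir=$1; name=$2; lport=$3; rhost=$4; rport=$5
    mkdir -p "$dir"
    printf '#!/bin/sh\nexec ssh %s\n' "$name" > "$dir/$name-shell"
    printf '#!/bin/sh\nexec %s\n' "$(tunnel_command "$name" "$lport" "$rhost" "$rport")" > "$dir/$name-tunnel"
    chmod 755 "$dir/$name-shell" "$dir/$name-tunnel"
}

# Start an agent if none is reachable, then load KEYFILE unless its public
# half is already held; the passphrase is typed once per agent lifetime, not
# once per connection. Call this from a login shell before the wrappers; it is
# not run in the demo below because it needs a terminal for the passphrase.
ensure_agent() {
    keyfile=$1
    # ssh-add -l exits 2 when no agent can be contacted (1 means it is empty).
    if ssh-add -l >/dev/null 2>&1; then :; elif [ $? -eq 2 ]; then
        eval "$(ssh-agent -s)" >/dev/null
    fi
    pub=$(cut -d' ' -f2 "$keyfile.pub")
    ssh-add -L 2>/dev/null | grep -Fq -- "$pub" || ssh-add "$keyfile"
}

# Stand-alone demo into a temporary directory; nothing under ~ is touched and
# no connection is made.
demo=$(mktemp -d)
{
    ssh_config_entry server1 server1.net.au forgie "$demo/id_rsa_server1"
    ssh_config_entry server2 server2.net.au forgie "$demo/id_rsa_server2"
} > "$demo/config"
write_wrappers "$demo/bin" server1 15432 127.0.0.1 5432
echo "== $demo/config"; cat "$demo/config"
echo "== $demo/bin/server1-tunnel"; cat "$demo/bin/server1-tunnel"
```

In real use the config block goes into ~/.ssh/config (mode 600) and the wrappers into a directory on PATH; "server1-shell" then gives the interactive session and "server1-tunnel" holds the forward open until interrupted, with the agent supplying the key for both.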