Recipe 6.4 Authenticating by Public Key (OpenSSH)
6.4.1 Problem
You want to set up public-key authentication between an OpenSSH client and an OpenSSH server.
6.4.2 Solution
- Generate a key if necessary:

  $ mkdir -p ~/.ssh                              If it doesn't already exist
  $ chmod 700 ~/.ssh
  $ cd ~/.ssh
  $ ssh-keygen -t dsa

- Copy the public key to the remote host:

  $ scp -p id_dsa.pub remoteuser@remotehost:
  Password: ********

- Log into the remote host and install the public key:

  $ ssh -l remoteuser remotehost
  Password: ********
  remotehost$ mkdir -p ~/.ssh                    If it doesn't already exist
  remotehost$ chmod 700 ~/.ssh
  remotehost$ cat id_dsa.pub >> ~/.ssh/authorized_keys      (Appending)
  remotehost$ chmod 600 ~/.ssh/authorized_keys
  remotehost$ mv id_dsa.pub ~/.ssh               Optional, just to be organized
  remotehost$ logout

- Log back in via public-key authentication:

  $ ssh -l remoteuser remotehost
  Enter passphrase for key '/home/smith/.ssh/id_dsa': ********
6.4.3 Discussion
Public-key authentication lets you prove your identity to a remote host using a cryptographic key instead of a login password. SSH keys are more secure than passwords because keys are never transmitted over the network, whereas passwords are (albeit encrypted). Also, keys are stored encrypted, so if someone steals yours, it's useless without the passphrase for decrypting it. A stolen password, on the other hand, is immediately usable.

An SSH "key" is actually a matched pair of keys stored in two files. The private or secret key remains on the client machine, encrypted with a passphrase. The public key is copied to the remote (server) machine. When establishing a connection, the SSH client and server perform a complex negotiation based on the private and public key, and if they match (in a cryptographic sense), your identity is proven and the connection succeeds.

To set up public-key authentication, first create an OpenSSH key pair, if you don't already have one:
$ ssh-keygen -t dsa
Generating public/private dsa key pair.
Enter file in which to save the key (/home/smith/.ssh/id_dsa): <RETURN>
Enter passphrase (empty for no passphrase): *******
Enter same passphrase again: *******
Your identification has been saved in id_dsa
Your public key has been saved in id_dsa.pub.
The key fingerprint is: 76:00:b3:e8:99:1c:07:9b:84:af:67:69:b6:b4:12:17 smith@mymachine
Copy the public key to the remote host using password authentication:
$ scp ~/.ssh/id_dsa.pub remoteuser@remotehost:
Password: *********
id_dsa.pub 100% |*****************************| 736 00:03
Log into the remote host using password authentication:
$ ssh -l remoteuser remotehost
Password: ********
If your local and remote usernames are the same, you can omit the -l remoteuser part and just type ssh remotehost.

On the remote host, create the ~/.ssh directory if it doesn't already exist and set its mode appropriately:
remotehost$ mkdir -p ~/.ssh
remotehost$ chmod 700 ~/.ssh
Then append the contents of id_dsa.pub to ~/.ssh/authorized_keys:
remotehost$ cat id_dsa.pub >> ~/.ssh/authorized_keys (Appending)
remotehost$ chmod 600 ~/.ssh/authorized_keys
Log out of the remote host and log back in. This time you'll be prompted for your key passphrase instead of your password:
$ ssh -l remoteuser remotehost
Enter passphrase for key '/home/smith/.ssh/id_dsa': *******
and you're done! If things aren't working, rerun ssh with the -v option (verbose) to help diagnose the problem.

The SSH server must be configured to permit public-key authentication, which is the default:

/etc/ssh/sshd_config:
PubkeyAuthentication yes                       If no, change it and restart sshd
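The remote-side install steps above (mkdir, chmod, cat >> authorized_keys) as an added shell example that is not from the book: install_pubkey does the same thing idempotently, so rerunning it does not pile up duplicate lines the way a repeated cat >> would, and check_perms confirms the 700/600 modes the recipe sets. The function names, the sample key and the directory layout are constructed.

```shell
# Added example, not from the book: idempotent version of the recipe's
# "cat id_dsa.pub >> ~/.ssh/authorized_keys" step, plus a permission check.
# All function names, the sample key and the directory layout are constructed.

# install_pubkey PUBKEY_FILE [SSH_DIR]
# Creates SSH_DIR (mode 700) and authorized_keys (mode 600) like the recipe,
# then appends the key unless the same key (type + base64 blob) is already
# present, so rerunning the recipe does not add duplicate lines.
install_pubkey() {
    pubkey_file=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth_keys="$ssh_dir/authorized_keys"

    [ -r "$pubkey_file" ] || { echo "cannot read $pubkey_file" >&2; return 1; }
    key=$(head -n 1 "$pubkey_file")
    # ssh-dss is what the recipe's "ssh-keygen -t dsa" produces; current
    # OpenSSH disables DSA by default, so the other common types are accepted too.
    case "$key" in
        ssh-dss\ *|ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*) ;;
        *) echo "not an OpenSSH public key line: $pubkey_file" >&2; return 1 ;;
    esac

    mkdir -p "$ssh_dir" && chmod 700 "$ssh_dir"
    touch "$auth_keys" && chmod 600 "$auth_keys"

    # Compare type and blob only, so a different trailing comment
    # (smith@mymachine vs. smith@laptop) still counts as the same key.
    blob=$(printf '%s\n' "$key" | awk '{print $1 " " $2}')
    if awk '{print $1 " " $2}' "$auth_keys" | grep -qxF -- "$blob"; then
        echo "key already present in $auth_keys" >&2
        return 0
    fi
    printf '%s\n' "$key" >> "$auth_keys"
}

# check_perms [SSH_DIR]
# Returns 0 when SSH_DIR is mode 700 and authorized_keys is mode 600, the
# modes the recipe sets. sshd's StrictModes option (on by default) refuses the
# key file if it, ~/.ssh or the home directory is group- or world-writable.
check_perms() {
    ssh_dir=${1:-"$HOME/.ssh"}
    [ -n "$(find "$ssh_dir" -prune -perm 700)" ] || return 1
    [ -n "$(find "$ssh_dir/authorized_keys" -prune -perm 600)" ] || return 1
}
```

Run it on the remote host as install_pubkey ~/id_dsa.pub after the scp step; if check_perms fails after an install, sshd -v output on the client will typically show the key being offered and rejected.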
For more convenience, you can eliminate the passphrase prompt using ssh-agent [Recipe 6.9] and create host aliases in ~/.ssh/config. [Recipe 6.12]
6.4.4 See Also
ssh(1), scp(1), ssh-keygen(1).