Secure Shell (SSH) is a secure replacement for telnet, rlogin, rsh, rcp and more. It uses encryption to keep information that you send over the network from being seen by others. It also uses public and private keys to validate that the host and client machines are who they say they are.
22-Nov-2006
There are two methods to set up password bypass. (1) RSA/Host method: this method works for most users. (2) RSA/User method: for sites that have stricter access control, try this method.
A. ~/.ssh/known_hosts
B. ~/.rhosts
In most cases, setting up these two files is enough to avoid providing the password interactively. If this method does not work, try the RSA/User authentication method described in a later section.
From the remote machine
Answer 'yes' to add the host key to the ~/.ssh/known_hosts file on the remote machine. Without this host key, the SSH request will be rejected.
$ ssh <client-machine> date
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)?
yes
<host address1> <uid1>
<host address2> <uid2>
...
For example:
morgan11.slac.stanford.edu mark
shire01.slac.stanford.edu mark
[Note]: This step is optional; the default is to provide the password with the keyboard.
To bypass the password prompt to facilitate commands such as ufsdump and mt, set up the ~/.rhosts on the remote machine (server). From now on the password will be bypassed when you run 'ssh' from that remote machine to the target machine.
Protocol 1: [not recommended for connection via SSH]
From client [where one runs ssh]
$ ssh-keygen -t rsa1 [create public key ~/.ssh/identity.pub]
$ scp ~/.ssh/identity.pub <server>:~ [copy public key to server]
From server
$ cat ~/identity.pub >> .ssh/authorized_keys
From client
$ ssh-agent csh [start a new session with agent]
> ssh-add [add .ssh/identity to ssh-agent]
> ssh <server> date [test it]
Protocol 2: [recommended for connection via SSH]
From client [where one runs ssh]
$ ssh-keygen -t rsa [create public key ~/.ssh/id_rsa.pub]
$ scp ~/.ssh/id_rsa.pub <server>:~ [copy public key to server]
From server
$ cat ~/id_rsa.pub >> .ssh/authorized_keys [append key to server]
From client
$ ssh-agent csh [start a new session with agent]
> ssh-add [add .ssh/id_rsa to ssh-agent]
> ssh -2 <server> date [test it]
sshd is very fussy about file permissions. Because ~/.ssh/authorized_keys is the list of where someone can log in from, sshd insists that it be kept private, and the permissions need to be set as follows:
chmod 700 ~/.ssh
chmod 600 ~/.ssh/authorized_keys
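The "cat ... >> authorized_keys" steps above append blindly (running them twice leaves a duplicate key), and a wrong mode afterwards makes sshd silently ignore the file. As an added example, not from the original page, the following POSIX sh functions append a public key only if its key blob is not already present and then apply the modes sshd requires; the function names and the pubkey/ssh-dir parameters are assumptions chosen so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example, not from the original page: append a public key to
# ~/.ssh/authorized_keys exactly once, then enforce the modes sshd insists on
# (700 on ~/.ssh, 600 on authorized_keys). Paths are parameters so the
# functions can be exercised against a scratch directory.

# install_pubkey <pubkey-file> <ssh-dir>
# Returns 0 on success, 1 if the key file is missing or malformed.
install_pubkey() {
    pubkey="$1"
    sshdir="$2"
    auth="$sshdir/authorized_keys"

    # A public key line is "<type> <base64> [comment]"; refuse anything else
    # rather than appending junk that sshd would ignore or misparse.
    [ -r "$pubkey" ] || return 1
    keytype=$(awk 'NR==1{print $1}' "$pubkey")
    keydata=$(awk 'NR==1{print $2}' "$pubkey")
    [ -n "$keytype" ] && [ -n "$keydata" ] || return 1

    mkdir -p "$sshdir"
    touch "$auth"

    # Compare the base64 field only, so a changed comment does not
    # produce a duplicate entry.
    if ! awk -v k="$keydata" '$2 == k {f=1} END {exit !f}' "$auth"; then
        head -n 1 "$pubkey" >> "$auth"
    fi

    chmod 700 "$sshdir"
    chmod 600 "$auth"
}

# count_key <pubkey-file> <ssh-dir>: print how often the key blob appears.
count_key() {
    keydata=$(awk 'NR==1{print $2}' "$1")
    awk -v k="$keydata" '$2 == k {n++} END {print n+0}' "$2/authorized_keys"
}

# check_perms <ssh-dir>: 0 if the directory and file modes are what sshd
# wants; parses ls output so it works without GNU stat.
check_perms() {
    dmode=$(ls -ld "$1" | cut -c1-10)
    fmode=$(ls -l "$1/authorized_keys" | cut -c1-10)
    [ "$dmode" = "drwx------" ] && [ "$fmode" = "-rw-------" ]
}
```

Running the same pipe twice with plain "cat >>" would produce two identical lines; install_pubkey leaves one.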
Logon to client machine [where one runs ssh]
Logon to the client machine and run ssh-keygen to create a pair of RSA keys. When prompted for a passphrase, select one that is hard to guess. The public key will be created in ~/.ssh/identity.pub and the private key in ~/.ssh/identity.
ssh-keygen -t rsa1 [create keys]
Logon to the server machine
Logon to the server machine and add the public key from the client machine's ~/.ssh/identity.pub to the server machine's ~/.ssh/authorized_keys. The list of public keys stored in this file enables the server to grant connection requests from the client.
emacs ~/.ssh/authorized_keys [add keys]
From the client machine [where one runs ssh]
From the client machine, type ssh-agent bash to create a bash session. One can also replace 'bash' with tcsh, csh, startx, xterm, etc. The purpose of running ssh-agent is to avoid typing the passphrase interactively; ssh-agent supplies the keys automatically.
ssh-agent bash [run bash under ssh-agent]
One should then run ssh from the windows/processes that were spawned under ssh-agent to take advantage of the automatic supply of private keys. ssh-agent is not a shared system service; each user must create his own window/process under his own ssh-agent.
From the client machine [where one runs ssh]
From the process under ssh-agent on the client machine, type ssh-add to load ~/.ssh/identity into the ssh agent. One can also type 'ssh-add -l' to list the keys held by the agent or 'ssh-add -d <file>' to delete a key from the agent.
ssh-add [add .ssh/identity to agent]
Once the private key of a client machine is held by the agent, the interactive passphrase dialog will be bypassed.
Logon to client machine [where one runs ssh]
Logon to the client machine and run ssh-keygen to create a pair of RSA keys. When prompted for a passphrase, select one that is hard to guess. The public key will be created in ~/.ssh/id_rsa.pub and the private key in ~/.ssh/id_rsa.
ssh-keygen -t rsa [create keys]
Logon to the server machine
Logon to the server machine and add the public key from the client machine's ~/.ssh/id_rsa.pub to the server machine's ~/.ssh/authorized_keys. The list of public keys stored in this file enables the server to grant connection requests from the client.
emacs ~/.ssh/authorized_keys [add keys]
or
cat ~/.ssh/id_rsa.pub | ssh user@machine "cat - >>.ssh/authorized_keys"
From the client machine [where one runs ssh]
From the client machine, type ssh-agent bash to create a bash session. One can also replace 'bash' with csh, tcsh, startx, xterm, etc. The purpose of running ssh-agent is to avoid typing the passphrase interactively; ssh-agent supplies the keys automatically.
ssh-agent bash [run bash under ssh-agent]
One should then run ssh from the windows/processes that were spawned under ssh-agent to take advantage of the automatic supply of private keys. ssh-agent is not a shared system service; each user must create his own window/process under his own ssh-agent.
From the client machine [where one runs ssh]
From the process under ssh-agent on the client machine, type ssh-add to load ~/.ssh/id_rsa into the ssh agent. One can also type 'ssh-add -l' to list the keys held by the agent or 'ssh-add -d <file>' to delete a key from the agent.
ssh-add [add .ssh/id_rsa to agent]
Once the private key of a client machine is held by the agent, the interactive passphrase dialog will be bypassed. Use 'ssh -2' to select SSH protocol version 2.