
OpenSSH


Login using a public key

Do this if you want to connect to a host via ssh without typing the login password every time. (This is public-key authentication; OpenSSH's signed certificates are a different mechanism and are not covered here.)

  • Install OpenSSH on both the source and the target host with emerge -v openssh (the client runs on the source host, sshd on the target host).
  • Adjust the server configuration in /etc/ssh/sshd_config on the target host (not ssh_config, which only configures the client), in particular set PermitRootLogin no if root should not be able to log in over ssh.
  • Run ssh-keygen on the source host. These notes originally used ssh-keygen -t dsa; DSA (ssh-dss) keys are refused by default since OpenSSH 7.0, so on any current system use ssh-keygen -t ed25519 and substitute id_ed25519 for id_dsa in the rest of the steps. Pressing Enter at every prompt, as in the transcript below, gives a key without a passphrase; a passphrase together with ssh-agent avoids the risk described at the end of this section:


ssh-keygen
Generating public/private dsa key pair.
Enter file in which to save the key (/root/.ssh/id_dsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_dsa.
Your public key has been saved in /root/.ssh/id_dsa.pub.
The key fingerprint is:
bb:8c:d4:e5:99:00:8h:3a:1a:a4:b7:52:60:72:4c:4f root@localhost

  • Now, if you look in your [home]/.ssh directory, you'll see two new files: id_dsa, your private key (it must be readable and writable by the owner only; fix it with chmod 600 id_dsa if it's not), and id_dsa.pub, the public key (may be readable by anyone, but writable only by the owner).
  • On the target host, create the directory [home]/.ssh if it doesn't exist yet (then chmod 700 .ssh, so that only the owner can change anything in there), and in it the file authorized_keys, writable only by the owner (chmod 600 authorized_keys). This matters: with the default StrictModes yes, sshd silently ignores authorized_keys if the home directory, .ssh or the file itself is writable by the group or by others, and you end up being asked for a password without any hint why.
  • Copy the contents of id_dsa.pub from the source host and append it as one line to authorized_keys on the target host (one key per line, don't wrap the line). Where available, ssh-copy-id user@target does the copying and the permission fixing for you.


Remember that anybody who can read your private key (id_dsa) can log into the target host as you, without being asked for anything, so keep it off shared machines and out of backups you don't control!
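The steps above carried out as a small shell script. This is an added example, not part of the original notes: it generates an ed25519 key pair (the notes used DSA), installs a public-key line into a target account's authorized_keys with the modes sshd's StrictModes requires, and verifies them. The target home directory is passed as an argument so the installation can be tried against a scratch directory on the local machine; the sample key line in the demo is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example (not from the original notes). Mirrors the manual steps:
# key generation on the source host, then installing the public key on the
# target host with the permissions that sshd (StrictModes yes) insists on.
set -eu

# gen_key KEYFILE: create an ed25519 key pair with no passphrase, as the
# notes do. DSA is avoided: OpenSSH refuses ssh-dss keys by default since 7.0.
gen_key() {
    ssh-keygen -q -t ed25519 -N '' -f "$1" -C "example@source"
    chmod 600 "$1"      # private key: owner only
    chmod 644 "$1.pub"  # public key: world-readable is fine
}

# install_pubkey TARGET_HOME PUBKEY_LINE: append the key to authorized_keys
# exactly once, creating .ssh (0700) and authorized_keys (0600) as needed.
# This is what ssh-copy-id does on the remote side.
install_pubkey() {
    home="$1"; pubkey="$2"
    mkdir -p "$home/.ssh"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    chmod 600 "$home/.ssh/authorized_keys"
    if ! grep -qxF "$pubkey" "$home/.ssh/authorized_keys"; then
        printf '%s\n' "$pubkey" >> "$home/.ssh/authorized_keys"
    fi
}

# check_perms TARGET_HOME: succeed only if .ssh is 700 and authorized_keys
# is 600; otherwise say what is wrong. Uses GNU/busybox stat (Linux).
check_perms() {
    home="$1"
    dmode=$(stat -c '%a' "$home/.ssh")
    fmode=$(stat -c '%a' "$home/.ssh/authorized_keys")
    [ "$dmode" = 700 ] || { echo "$home/.ssh is mode $dmode, want 700"; return 1; }
    [ "$fmode" = 600 ] || { echo "authorized_keys is mode $fmode, want 600"; return 1; }
    return 0
}

# count_keys TARGET_HOME: number of non-blank, non-comment lines in
# authorized_keys, i.e. the number of installed keys.
count_keys() {
    grep -c -v '^[[:space:]]*\(#\|$\)' "$1/.ssh/authorized_keys"
}

# Constructed placeholder for the demo, not a real key.
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERNOTAREALKEY example@source'

# Demo against a scratch directory standing in for the target home.
demo() {
    target=$(mktemp -d)
    install_pubkey "$target" "$SAMPLE_PUBKEY"
    install_pubkey "$target" "$SAMPLE_PUBKEY"   # second run must not duplicate
    check_perms "$target"
    echo "keys installed: $(count_keys "$target")"   # prints 1
    if command -v ssh-keygen >/dev/null 2>&1; then
        gen_key "$target/id_ed25519"
        install_pubkey "$target" "$(cat "$target/id_ed25519.pub")"
        echo "keys installed after adding a generated key: $(count_keys "$target")"
    fi
    rm -rf "$target"
}
demo
```

In real use you would run gen_key on the source host and install_pubkey on the target host with its real home directory; the check_perms step is the one to reach for when key login unexpectedly falls back to a password prompt.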


X forwarding

This lets you start X applications on the remote machine and display their graphical output on your local machine.
All you have to do is edit the server config file /etc/ssh/sshd_config on the remote machine and change...
X11Forwarding no
...to...
X11Forwarding yes
...and restart sshd with /etc/init.d/sshd restart (the command differs on distributions other than Gentoo).
Now add the flag -X when connecting to the remote machine (for example ssh -X user@remote) and start the graphical program from the command line. If -X does not work, try -Y instead: it enables "trusted" forwarding, which gives the remote applications full access to your local X server (keystrokes and the contents of your other windows included), so use it only towards hosts you trust. Don't work around problems by opening the display with xhost +; that grants access to anyone who can reach the X server, not just the ssh session.

The full guide is here.


Notes

  • Setting "ChallengeResponseAuthentication" to "no" in /etc/ssh/sshd_config (not sshd_conf) switches off only keyboard-interactive logins; plain password logins are a separate mechanism, so also set "PasswordAuthentication" to "no". Together they ensure that only a public key listed in authorized_keys lets a user log in. On OpenSSH 8.7 and later the keyword is called "KbdInteractiveAuthentication" (ChallengeResponseAuthentication is kept as an alias). Do this only after you have checked from a second session that key login works, and keep in mind that sshd uses the first value it sees for a keyword, so a directive appended at the end of the file does not override an earlier one.
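A check for the settings above, as an added example that is not from the original notes: a POSIX shell script that reads an sshd_config and reports which settings still allow password or root logins. It mirrors how sshd reads the file (keywords are case-insensitive, # starts a comment, the first occurrence of a keyword wins) but does not follow Include lines or Match blocks, so it assumes a flat config file such as the default one. The two sample configs it writes are constructed for the demo; the "weak" one shows the common mistake of appending the hardening below the distribution defaults.

```shell
#!/bin/sh
# Added example (not from the original notes): audit an sshd_config for the
# settings that actually disable password logins. Setting only
# ChallengeResponseAuthentication to no is not enough; PasswordAuthentication
# is a separate mechanism that defaults to yes.
set -eu

# sshd_get FILE KEYWORD: print the effective value of KEYWORD, or nothing if
# it is not set. Like sshd: keywords are case-insensitive, '#' lines are
# comments, and the FIRST occurrence wins (later ones are ignored).
# Assumption: a flat file with no Include or Match sections.
sshd_get() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# sshd_effective FILE KEYWORD DEFAULT: the value from the file, else sshd's
# compiled-in default for that keyword.
sshd_effective() {
    v=$(sshd_get "$1" "$2")
    if [ -n "$v" ]; then echo "$v"; else echo "$3"; fi
}

# audit_sshd FILE: print one line per finding; return 1 if anything is wrong.
# Each entry is KEYWORD:DEFAULT:WANTED (defaults as of OpenSSH 7.0 and later).
audit_sshd() {
    f="$1"; rc=0
    for spec in \
        "PasswordAuthentication:yes:no" \
        "ChallengeResponseAuthentication:yes:no" \
        "PubkeyAuthentication:yes:yes" \
        "PermitRootLogin:prohibit-password:no"
    do
        key=${spec%%:*}; rest=${spec#*:}
        def=${rest%%:*}; want=${rest#*:}
        have=$(sshd_effective "$f" "$key" "$def" | tr 'A-Z' 'a-z')
        if [ "$have" != "$want" ]; then
            echo "$key is '$have' (want '$want')"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: hardening appended below the shipped defaults, where the
# earlier "yes" still wins, and PermitRootLogin left at its default.
write_weak_config() {
    cat > "$1" <<'EOF'
# shipped by the distribution
PasswordAuthentication yes
ChallengeResponseAuthentication no
Subsystem sftp /usr/lib/misc/sftp-server

# appended later; has no effect because the first occurrence wins
PasswordAuthentication no
EOF
}

# Constructed sample: key-only logins, no root.
write_hardened_config() {
    cat > "$1" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
Subsystem sftp /usr/lib/misc/sftp-server
EOF
}

demo() {
    tmp=$(mktemp -d)
    write_weak_config "$tmp/sshd_config.weak"
    write_hardened_config "$tmp/sshd_config.hardened"
    for c in weak hardened; do
        echo "== $c"
        if audit_sshd "$tmp/sshd_config.$c"; then echo "ok"; fi
    done
    rm -rf "$tmp"
}
demo
```

Run it as audit_sshd /etc/ssh/sshd_config on the target host after editing; on a server whose config uses Include or Match, compare against sshd -T instead, which prints the fully resolved configuration.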