Sullivan3:[~] ssh firstname.lastname@example.org email@example.com's password: Last login: Mon Aug 8 13:33:58 2005 from flyrail.pacshop.dca.net This is a private computer system. Unauthorized access is pro- hibited. Information here is proprietary and confidential. Your identifying information and activities are being logged. Viola- tors will be prosecuted. twofer: [~]
Sullivan3:[~] scp test.mpg firstname.lastname@example.org: email@example.com's password: test.mpg 4% 144KB 67.4KB/s 00:43 ETA Sullivan3:[~] scp firstname.lastname@example.org:test.pl bin/ email@example.com's password: test.pl 100% 968 1.0KB/s 00:00
Sullivan3:[~] ssh firstname.lastname@example.org email@example.com's password: Last login: Tue Aug 9 00:06:08 2005 from pool-71-242-52-203.phlapa.east.verizon.net twofer: [~] firefox
tar cf - /home | ssh newbox 'tar xf -' tar cf - /home | ssh root@newbox '(cd /; tar xf -)' (a variant on the same theme)
. . X11Forwarding yes .
Run these commands to create the host keypairs (you could also do this on bootup). Change the comment used in the -C option to your desired comment.
ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N "" -C "mycomment"
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" -C "mycomment"
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" -C "mycomment"
From: firstname.lastname@example.org (Jonathan Baron) Newsgroups: upenn.linux Subject: Re: ssh connections without typing a password Date: 14 May 2001 17:47:22 GMT The first thing you do is this: ssh-keygen -x (note the lowercase -x, that was my mistake in the last message). It will ask you for the file to use - usually that should be just the default (.ssh/identity). This did not work, because .ssh/identity was not the right kind of file. So I had to say ssh-keygen -t dsa first. This generated a file called .ssh/id_dsa which was the one that had to be used in place of .ssh/identity. (In my case, I could not replace the latter since I needed it for other connections.) Type your passphrase if you have one. And the trick here is to leave this blank, if you want to connect without one. Now you should have gotten something on standard output that looks like this: ---- BEGIN SSH2 PUBLIC KEY ---- Comment: "1024-bit DSA, converted from OpenSSH by email@example.com" <base64-encoded key> ---- END SSH2 PUBLIC KEY ---- Copy and paste this into a file. l call it "alster.pub" after the name of my own computer. Or just redirect ssh-keygen's standard output to that file. Copy this file to the .ssh2 directory on the remote host and make sure that both this file and the .ssh2 directory are world-readable. As an example, and hopefully to clarify things, here are the contents of my .ssh2 directory on gradient and graphics. drwxr-xr-x 3 cvogler 512 Oct 5 2000 ./ drwxr-xr-x 20 cvogler 4096 May 13 13:38 ../ -rw-r--r-- 1 cvogler 727 Oct 5 2000 alster.pub -rw-r--r-- 1 cvogler 15 Oct 5 2000 authorization drwx------ 2 cvogler 512 Oct 5 2000 hostkeys/ -rw------- 1 cvogler 512 Oct 10 2000 random_seed So, now create the file "authorization" with world-readable permissions. Into this file, put the following contents: --- snip --- Key alster.pub --- snip --- (Adjust "alster.pub" according to what name you use.) Finally, one word of warning. Only use DSA authentication if your client operating system has a very good random number generator. According towhat I've heard, DSA authentication has a flaw in that a bad random number generator can compromise your private key. Linux should be fine in that regard, but I'd be leery of using it on Windows. From: firstname.lastname@example.org (Christian Vogler) Newsgroups: upenn.linux Subject: Re: ssh connections without typing a password Date: 14 May 2001 18:21:24 GMT Jonathan Baron (email@example.com) wrote: : Christian Vogler's suggestion worked, but it required one change, : so I reprint the whole thing (removing the >'s so that I am : allowed to post it) : Glad I could help. I have one comment: : Type your passphrase if you have one. : And the trick here is to leave this blank, if you want to connect : without one. I don't really recommend that, even if you absolutely trust your client. If anyone ever gets access to your private key file(s), all your accounts will be compromised. Nasty. The passphrase is there to prevent this thing from happening. Now, typing the passphrase every time you connect is annoying. But there is a solution: You can set up ssh such that you have to type the passphrase only once when you log in. This is what ssh-agent is for. It runs a process that manages the private keys for you. ssh will check if ssh-agent is running and defer private key authentication to it if applicable. Check man ssh-agent, man ssh-askpass, and man ssh-add for details. This approach combines the best of both worlds (security and convenience). - Christian