Thursday, August 30, 2007

Configure OpenSSH to automatically authenticate

Sometimes entering your pass-phrase every time you need SSH access gets tedious, or you may want an automated script to be able to authenticate as you (as described at http://sial.org/howto/rsync/).

I've been trying to do this for some time now--apparently if you read the man pages carefully enough you can figure this out. I thought I'd need a more advanced SSH client, but OpenSSH already has everything you need--the ssh-keygen program is key. Following is a brief walk-through of how to configure a key-based SSH connection from a client to a server. Replace the words client and server with your own host names as appropriate.

client$ ssh-keygen -t rsa


It will ask where to save the key; accept the default, since that is where ssh will look for it. It will ask for a pass-phrase, and since the whole point is to avoid entering one, leave it empty by hitting enter twice. It will then print a fingerprint and put the key files in your ~/.ssh directory.

Copy ~/.ssh/id_rsa.pub to the server machine, taking care not to overwrite a file of the same name that may already exist there:

client$ scp ~/.ssh/id_rsa.pub user@server.address:.ssh/client.pub


Now SSH to the server and add the public key to the authorized keys file like so:

server$ cd ~/.ssh
server$ cat client.pub >> authorized_keys
server$ rm client.pub


The SSH server won't let you use the key unless the file is secured. That is, the keys should only be readable by you.

server$ ls -l authorized_keys
-rw-rw-r-- 1 user users authorized_keys
server$ chmod og-rw authorized_keys


Now we should be able to open an SSH session simply by:

client$ ssh user@server.address


where you can omit the 'user@' part if the user names are the same on the local and remote machines.
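The server-side steps above (append the copied client.pub to authorized_keys, then tighten the permissions) as a small script, added here as an example and not part of the original post. It assumes the standard ~/.ssh/authorized_keys layout, takes the .pub file and the account's home directory as parameters so it can be tried on a scratch directory first, and is safe to run more than once because it never appends a key line that is already present. It also restricts the ~/.ssh directory itself, which sshd checks alongside the file; the key line used when exercising it is a constructed dummy, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): install a client's public key into a
# server account's authorized_keys and apply the permissions sshd requires.
# Assumes the standard ~/.ssh/authorized_keys layout.

# Print the ten-character mode string (e.g. -rw-------) of a file or directory.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Append the key in $1 (a .pub file copied from the client) to the authorized_keys
# of the account whose home directory is $2, unless that exact line is already there.
install_pubkey() {
    pub="$1"
    home="$2"
    sshdir="$home/.ssh"
    auth="$sshdir/authorized_keys"
    key=$(cat "$pub")

    mkdir -p "$sshdir"
    touch "$auth"
    # -F -x: match the whole line literally, so re-running never duplicates a key
    if ! grep -F -x -q -e "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    # sshd (StrictModes) refuses keys from a directory or file that others can
    # write to; the post's "chmod og-rw" on the file is the same idea, applied
    # here to both the directory and the file
    chmod 700 "$sshdir"
    chmod 600 "$auth"
}

# Number of key lines currently in the account's authorized_keys ($1 = home directory).
count_keys() {
    grep -c '' "$1/.ssh/authorized_keys"
}

# Succeed only if the directory is rwx for the owner alone and the file rw for the
# owner alone, i.e. what "ls -l" should show after the chmod above ($1 = home directory).
authorized_keys_ok() {
    [ "$(mode_of "$1/.ssh")" = "drwx------" ] &&
    [ "$(mode_of "$1/.ssh/authorized_keys")" = "-rw-------" ]
}

# Usage on the server, after the scp step: sh install_pubkey.sh ~/.ssh/client.pub ~
if [ $# -eq 2 ]; then
    install_pubkey "$1" "$2"
    authorized_keys_ok "$2" && echo "key installed, permissions OK"
fi
```

Run it on the server after the scp step and then remove client.pub as the post does; the permission check fails loudly if something later loosens the mode, which is exactly the situation in which sshd silently falls back to asking for a password.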

Finally, note that doing all this means that if you leave your machine unattended and unlocked, an intruder has more doors they can open! This is why you should always lock and/or time-out your screen. If the key has no passphrase, then anyone who copies it can gain access to the machine you opened up with this procedure. Therefore, you should restrict access to your machine by configuring /etc/hosts.allow and /etc/hosts.deny. If you're concerned, don't leave the key's passphrase empty (use a passphrase). Taking these steps can help protect your key.
