DaggyStyle (Watchman)
Joined: 22 Mar 2006 Posts: 5909
Posted: Sun Apr 27, 2014 8:02 pm Post subject: ssh key generation, cannot seem to get it right
Might be the lack of sleeping hours, but I cannot seem to get it right.
I have a server, and I want to generate a key that I can pass to others and that will enable them to connect to the server without the need for a password.
What is the right way to do that?
_________________
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein
John R. Graham (Administrator)
Joined: 08 Mar 2005 Posts: 10587 Location: Somewhere over Atlanta, Georgia
Posted: Sun Apr 27, 2014 8:56 pm
You've got it mostly backwards. You do need to generate a key on the server, but you've got to create a key on each of the clients that you want to be able to log in without a password. On each of them—server and client—the command is ssh-keygen. For instance:
Code:
    ssh-keygen -t rsa -b 2048
From this command, you will get two files in the ~/.ssh directory: id_rsa and id_rsa.pub. The .pub file is copied to the server's ~/.ssh directory (under a unique name; don't overwrite the server's id_rsa.pub) and appended to the ~/.ssh/authorized_keys file. This is what allows the server to recognize a particular client without a password.
Any questions, just ask.
- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
DaggyStyle (Watchman)
Joined: 22 Mar 2006 Posts: 5909
Posted: Mon Apr 28, 2014 9:03 am
Crap, isn't there any other way to generate one public key on the server and distribute it to all clients?
_________________
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein
krinn (Watchman)
Joined: 02 May 2003 Posts: 7470
Posted: Mon Apr 28, 2014 9:51 am
That's the other way round from what you are asking.
You must generate a public key on the clients, so you pass those public keys to the server to allow the clients to connect to your server.
So any client must have a public key that you can register with the server.
And it's pretty easy to pass them to the server:
on each client, generate a key and
Code:
    # the remote command is quoted so the >> redirect runs on the server, not locally
    scp /home/username/.ssh/id_rsa.pub server:/tmp/newkey && ssh server 'cat /tmp/newkey >> /home/username/.ssh/authorized_keys'
John R. Graham (Administrator)
Joined: 08 Mar 2005 Posts: 10587 Location: Somewhere over Atlanta, Georgia
Posted: Mon Apr 28, 2014 3:27 pm
DaggyStyle wrote:
> Crap, isn't there any other way to generate one public key on the server and distribute it to all clients?
So, if one client is compromised, you want that compromise to affect (and require update of) all clients? It's the way it is for a reason.
- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
mv (Watchman)
Joined: 20 Apr 2005 Posts: 6747
Posted: Mon Apr 28, 2014 3:55 pm
There is ssh-copy-id (which essentially just automates what krinn has suggested).
DaggyStyle (Watchman)
Joined: 22 Mar 2006 Posts: 5909
Posted: Mon Apr 28, 2014 5:44 pm
John R. Graham wrote:
> DaggyStyle wrote:
> > Crap, isn't there any other way to generate one public key on the server and distribute it to all clients?
> So, if one client is compromised, you want that compromise to affect (and require update of) all clients? It's the way it is for a reason.
> - John
There is only one client, and the key is for handshake authentication.
_________________
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein
John R. Graham (Administrator)
Joined: 08 Mar 2005 Posts: 10587 Location: Somewhere over Atlanta, Georgia
Posted: Mon Apr 28, 2014 5:50 pm
I guess I don't understand the hassle if "all the clients" is just one machine. Use ssh-keygen on the client machine, copy the public key over to the server and add to ~/.ssh/authorized_keys file as I, krinn, and mv have all described.
The key that allows you to log in without a password is the private key. However, it never leaves the client machine. The client's cryptographically related public key needs to be placed on the server machine by someone authorized to do so (you, I presume). The public key allows the server to authenticate messages signed by the client's private key, thus proving the client is trustworthy.
"Compromise", in this case, means that someone who's not authorized to have it gets hold of the client's private key. If they do, then they can log into your server without a password. The server can't compromise the private key because it doesn't have it.
- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
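The server-side step that krinn's scp/cat command and mv's ssh-copy-id both perform (appending a client's public key to authorized_keys) with the checks an administrator wants around it, as an added example that is not from the thread or from OpenSSH: it refuses anything that is not an OpenSSH public-key line (so a mistyped path cannot copy id_rsa instead of id_rsa.pub), skips keys already present, and keeps the permissions sshd insists on. The function name and the constructed key material are assumptions.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS
# Returns 0 if the key was appended, 2 if it was already present,
# 1 if PUBKEY_FILE does not hold an OpenSSH public-key line.
# One line per client: a compromised client is revoked by deleting
# its line alone, which is why each client gets its own key pair.
install_pubkey() {
    pubfile=$1
    authkeys=$2
    # ssh-keygen writes exactly one key per .pub file, so the first line is it.
    key=$(head -n 1 "$pubfile")
    # Accept the common OpenSSH key types only. A private key file begins
    # with "-----BEGIN", so it is rejected here instead of being installed.
    case "$key" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp"*) ;;
        *) echo "refusing: $pubfile is not an OpenSSH public key" >&2; return 1 ;;
    esac
    # Identity is "type blob"; the trailing comment is ignored so the same
    # key with a different comment is still recognised as a duplicate.
    keyid=$(printf '%s\n' "$key" | awk 'NF >= 2 { print $1 " " $2 }')
    [ -n "$keyid" ] || { echo "refusing: missing key blob" >&2; return 1; }
    # sshd ignores authorized_keys if the directory or file is group/world
    # writable (StrictModes), so set the permissions it expects.
    sshdir=$(dirname "$authkeys")
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$authkeys" && chmod 600 "$authkeys"
    if awk -v id="$keyid" '($1 " " $2) == id { found = 1 } END { exit !found }' "$authkeys"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$authkeys"
    return 0
}
```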