Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
ssh key generation, cannot seems to get it right
View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
DaggyStyle
Watchman
Watchman


Joined: 22 Mar 2006
Posts: 5909

PostPosted: Sun Apr 27, 2014 8:02 pm    Post subject: ssh key generation, cannot seems to get it right Reply with quote

might be the lack of sleeping hours but I cannot seems to get it right.

I have a server, I want to generate a key that I can pass to others and that will enable them to connect to the server without the need for password

what is the right way to do that?
_________________
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10587
Location: Somewhere over Atlanta, Georgia

PostPosted: Sun Apr 27, 2014 8:56 pm    Post subject: Reply with quote

You've got it mostly backwards. You do need to generate a key on the server, but you've got to create a key on each of the clients that you want to be able to log in without a password. On each of them—server and client—the command is ssh-keygen. For instance:
Code:
ssh-keygen -t rsa -b 2048
From this command, you will get two files in the ~/.ssh directory:
  • id_rsa, and
  • id_rsa.pub
The .pub file is copied to the server's ~/.ssh directory (under a unique name; don't overwrite the server's id_rsa.pub) and appended to the ~/.ssh/authorized_keys file. This is what allows the server to recognize a particular client without a password.

Any questions, just ask. ;)

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
DaggyStyle
Watchman
Watchman


Joined: 22 Mar 2006
Posts: 5909

PostPosted: Mon Apr 28, 2014 9:03 am    Post subject: Reply with quote

crap, isn't any other way to generate one public key on the server and distribute it to all clients?
_________________
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein
Back to top
View user's profile Send private message
krinn
Watchman
Watchman


Joined: 02 May 2003
Posts: 7470

PostPosted: Mon Apr 28, 2014 9:51 am    Post subject: Reply with quote

That's the over way of what you are asking.

You must generate public key on clients so you pass those public key to the server to allow clients to connect to your server.
So any clients must have a public key that you can register with the server.

And it's pretty easy to pass them to the server :
on each client, generate a key and
scp /home/username/~.ssh/id_rsa.pub server:/tmp/newkey && ssh server cat /tmp/newkey >> /home/username/.ssh/authorized_keys
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10587
Location: Somewhere over Atlanta, Georgia

PostPosted: Mon Apr 28, 2014 3:27 pm    Post subject: Reply with quote

DaggyStyle wrote:
crap, isn't any other way to generate one public key on the server and distribute it to all clients?
So, if one client is compromised, you want that compromise to affect (and require update of) all clients? It's the way it is for a reason.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
mv
Watchman
Watchman


Joined: 20 Apr 2005
Posts: 6747

PostPosted: Mon Apr 28, 2014 3:55 pm    Post subject: Reply with quote

There is ssh-copy-id (which essentially just automates what krinn has suggested).
Back to top
View user's profile Send private message
DaggyStyle
Watchman
Watchman


Joined: 22 Mar 2006
Posts: 5909

PostPosted: Mon Apr 28, 2014 5:44 pm    Post subject: Reply with quote

John R. Graham wrote:
DaggyStyle wrote:
crap, isn't any other way to generate one public key on the server and distribute it to all clients?
So, if one client is compromised, you want that compromise to affect (and require update of) all clients? It's the way it is for a reason.

- John


there is only one client and the key if for handshake authentication
_________________
Only two things are infinite, the universe and human stupidity and I'm not sure about the former - Albert Einstein
Back to top
View user's profile Send private message
John R. Graham
Administrator
Administrator


Joined: 08 Mar 2005
Posts: 10587
Location: Somewhere over Atlanta, Georgia

PostPosted: Mon Apr 28, 2014 5:50 pm    Post subject: Reply with quote

I guess I don't understand the hassle if "all the clients" is just one machine. Use ssh-keygen on the client machine, copy the public key over to the server and add to ~/.ssh/authorized_keys file as I, krinn, and mv have all described.

The key that allows you to log in without a password is the private key. However, it never leaves the client machine. The client's cryptographically related public key needs to be placed on the server machine by someone authorized to do so (you, I presume). The public key allows the server to authenticate messages signed by the client's private key, thus proving the client is trustworthy.

"Compromise", in this case, means that someone who's not authorized to have it gets hold of the client's private key. If they do, then they can log into your server without a password. The server can't compromise the private key because it doesn't have it.

- John
_________________
I can confirm that I have received between 0 and 499 National Security Letters.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum