
ssh logins



This is a summary of how to set up your ssh configuration so you don't 
have to enter your password when logging into other BMRC machines.  
Passwords can be inconvenient when using CVS.  Our current Tinderbox 
configuration also requires password-less logins in order to run.

I'm sending this to openmash-developers because this info may be useful 
to others, there's no sensitive BMRC info in this message, and I want 
this info to be archived.  Eventually, this will go on our website when 
we get a web person again.

Please be aware that if you set up password-less logins and the file 
system is compromised, an intruder will be able to log in as you at 
will.  This doesn't really make a difference for BMRC because all BMRC 
machines have the same logins.  But you shouldn't use the same ssh keys 
for BMRC and your personal accounts outside BMRC.

Anyway, here's how you do it...

For ssh 1:

Type 'ssh-keygen' to generate a key pair.  Save it in the default 
location.  Don't enter a passphrase.  (Just hit return.)  Copy your 
~/.ssh/identity.pub file to your ~/.ssh/authorized_keys file.  Make 
sure that no one else has write permission for your ~/.ssh directory 
and all of the files in it.

For ssh 2 with OpenSSH:

Type 'ssh-keygen -t rsa' or 'ssh-keygen -t dsa' or do both.  Again, 
save it in the default location and don't enter a passphrase.  Copy 
your ~/.ssh/id_rsa.pub or ~/.ssh/id_dsa.pub or both to your 
~/.ssh/authorized_keys2 file.  Again, make sure that no one else has 
write permission.

For ssh 2 with a commercial implementation:

Type 'ssh-keygen -e -f id_rsa.pub > id_rsa_1024_a.pub' or
'ssh-keygen -e -f id_dsa.pub > id_dsa_1024_a.pub' or do both to export 
your OpenSSH keys to the format used by commercial implementations.  
Move the new files to your ~/.ssh2 directory.  Create a 
'~/.ssh2/authorization' file containing:

key id_rsa_1024_a.pub
key id_dsa_1024_a.pub

You only need to include the lines for the key types that you are using.
Again, make sure that no one else has write permission for your ~/.ssh2 
directory and all of the files in it.


Yes, to get it working for all BMRC machines, you need all 3 different 
types of keys.


The ugly details you don't want to know...  Most people can stop 
reading here.

Ssh 1 and ssh 2 are obviously different.  Unfortunately, OpenSSH and 
the commercial ssh implementations also use different key formats.

As far as I know, all of our Linux and FreeBSD machines are running 
OpenSSH.  On Linux, sshd will look in both authorized_keys and 
authorized_keys2 for ssh 2 keys.  On FreeBSD, sshd will only look in 
authorized_keys2.  That's why you need an authorized_keys2 file.  Chema 
figured this out.

Odie, our Solaris machine, is running an ssh 1 client and a commercial 
ssh 2 server.  (I don't know why.)  That's why you need to export your 
keys to another format.  It's not hard, but it can be really confusing 
when a machine is not running the sshd version you expected it to be 
running.  I just figured this out.

The instructions above only converted your OpenSSH public keys to the 
commercial format.  If you had to deal with commercial ssh 2 clients, 
then you'd also need to convert your OpenSSH private keys and create a 
'~/.ssh2/identification' file.

For more information, see the FAQs on the www.openssh.com and 
www.ssh.com websites.

Lloyd
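
The "no one else has write permission" check and the '~/.ssh2/authorization' file from the steps above, as an added shell example that is not part of Lloyd's message. The function names are made up for illustration; the directory and file names are the ones the message uses.

```shell
#!/bin/sh
# Added example: audit the directories the message says to protect.
# Function names are hypothetical; paths follow the message (~/.ssh, ~/.ssh2).

# Print every entry under $1 that group or other can write.
# Returns 1 if any such entry exists, 0 otherwise.
writable_by_others() {
    dir=$1
    [ -d "$dir" ] || return 0            # directory absent: nothing to audit
    # Symlink modes are meaningless, so skip them; -perm -NNN is POSIX find.
    bad=$(find "$dir" ! -type l \( -perm -020 -o -perm -002 \) -print)
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad"
    return 1
}

# For a commercial-ssh2 style directory: check that every "key <file>"
# line in $1/authorization names a file that exists in the same directory.
missing_keys() {
    dir=$1
    auth=$dir/authorization
    [ -f "$auth" ] || return 0           # no authorization file here
    mk_rc=0
    while read -r word file || [ -n "$word" ]; do
        [ "$word" = key ] || continue    # ignore blank or other lines
        if [ ! -f "$dir/$file" ]; then
            printf 'missing: %s\n' "$dir/$file"
            mk_rc=1
        fi
    done < "$auth"
    return $mk_rc
}

# Run both checks over each directory given; non-zero if anything is wrong.
audit() {
    audit_rc=0
    for d in "$@"; do
        writable_by_others "$d" || audit_rc=1
        missing_keys "$d" || audit_rc=1
    done
    return $audit_rc
}

# Example invocation: sh audit.sh "$HOME/.ssh" "$HOME/.ssh2"
if [ $# -gt 0 ]; then
    audit "$@"
fi
```

Anything it prints is either a path that group or other can write, or a key file named in 'authorization' that is not there.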