Difference between revisions of "Ssh simple explanation"
From Finninday
(Created page with "No matter how many times I configure ssh keys, I rarely have the process go smoothly. It is time to write down how it works so I can get it straight in my head. ===Moving piece…") |
(→Troubleshooting) |
||
| (4 intermediate revisions by the same user not shown) | |||
| Line 2: | Line 2: | ||
===Moving pieces=== | ===Moving pieces=== | ||
| + | * ssh-agent : this is client software that can hold credentials for use when connecting to remote hosts, allowing passwordless entry. Use looks like: <tt>ssh-agent bash</tt> then <tt>ssh-add</tt>. Often, X sessions can be used as the ssh-agent and configured to prompt when it needs to perform an ssh-add. | ||
* private key : generate this with <tt>ssh-keygen</tt>. It must have 0600 permissions and usually lives in ~/.ssh | * private key : generate this with <tt>ssh-keygen</tt>. It must have 0600 permissions and usually lives in ~/.ssh | ||
* public key : generate this with <tt>ssh-keygen</tt>. It must have 0600 permissions and usually lives in ~/.ssh. This file should be distributed to remote hosts and placed in the authorized keys files to allow ssh access to that remote host. | * public key : generate this with <tt>ssh-keygen</tt>. It must have 0600 permissions and usually lives in ~/.ssh. This file should be distributed to remote hosts and placed in the authorized keys files to allow ssh access to that remote host. | ||
* authorized keys file : this is a list of users and hosts that have access via ssh to this account | * authorized keys file : this is a list of users and hosts that have access via ssh to this account | ||
* known hosts file : a list of hosts that have been visited and thus authorized | * known hosts file : a list of hosts that have been visited and thus authorized | ||
| + | |||
| + | ===ssh without passwords=== | ||
| + | ====on From machine==== | ||
| + | * ssh-keygen | ||
| + | * copy public key to To machine | ||
| + | ====on To machine==== | ||
| + | * append the public key to the ~/.ssh/authorized_keys file for the user connecting | ||
| + | ====on From machine==== | ||
| + | * ssh-add to establish identity | ||
| + | * ssh to To machine: you should not have to use a password | ||
| + | |||
| + | ====Troubleshooting==== | ||
| + | * /var/log/secure on the To machine can give good clues about failures | ||
| + | * ssh -v on the From machine can expose some kinds of failures | ||
| + | * su to the user account on the destination to flush out any problems with the account itself | ||
===ssh without passwords for cron === | ===ssh without passwords for cron === | ||
A special private key can be generated without a passphrase. Distribute the public key as normal, but when issuing the ssh command in a script, include the identity (private key) without a passphrase: | A special private key can be generated without a passphrase. Distribute the public key as normal, but when issuing the ssh command in a script, include the identity (private key) without a passphrase: | ||
| − | ssh -i /home/rday/.ssh/cronkey | + | ssh -i /home/rday/.ssh/cronkey <remote machine> command |
There, that wasn't so hard. | There, that wasn't so hard. | ||
Latest revision as of 00:07, 28 March 2012
No matter how many times I configure ssh keys, I rarely have the process go smoothly. It is time to write down how it works so I can get it straight in my head.
Contents
Moving pieces
- ssh-agent : this is client software that can hold credentials for use when connecting to remote hosts, allowing passwordless entry. Use looks like: ssh-agent bash then ssh-add. Often, X sessions can be used as the ssh-agent and configured to prompt when it needs to perform an ssh-add.
- private key : generate this with ssh-keygen. It must have 0600 permissions and usually lives in ~/.ssh
- public key : generate this with ssh-keygen. It must have 0600 permissions and usually lives in ~/.ssh. This file should be distributed to remote hosts and placed in the authorized keys files to allow ssh access to that remote host.
- authorized keys file : this is a list of users and hosts that have access via ssh to this account
- known hosts file : a list of hosts that have been visited and thus authorized
ssh without passwords
on From machine
- ssh-keygen
- copy public key to To machine
on To machine
- append the public key to the ~/.ssh/authorized_keys file for the user connecting
on From machine
- ssh-add to establish identity
- ssh to To machine: you should not have to use a password
Troubleshooting
- /var/log/secure on the To machine can give good clues about failures
- ssh -v on the From machine can expose some kinds of failures
- su to the user account on the destination to flush out any problems with the account itself
ssh without passwords for cron
A special private key can be generated without a passphrase. Distribute the public key as normal, but when issuing the ssh command in a script, include the identity (private key) without a passphrase:
ssh -i /home/rday/.ssh/cronkey <remote machine> command
There, that wasn't so hard.
