Recipe 17.2. Setting Up OpenSSH the First Time
17.2.1 Problem
You need to establish a connection between your local workstation and a remote PC, and the connection needs to be secure: you don't want your data exposed to prying eyes. (They are there, and you should be concerned about them even if you aren't paranoid.) So you want to set up OpenSSH.
17.2.2 Solution
Install OpenSSH on both machines. sshd, the SSH daemon, must be running on the remote host so that it can accept connections. Copy the remote host's public host key into the local machine's ~/.ssh/known_hosts file, and you're in business.
Start and stop sshd with its init script. On most distributions:
# /etc/init.d/sshd start
# /etc/init.d/sshd stop
On Debian, the script is named ssh instead:
# /etc/init.d/ssh start
# /etc/init.d/ssh stop
Always check your init filenames, as they vary on different distributions.
Copying the remote host's public key to your local ~/.ssh/known_hosts file is as simple as connecting to the remote host:
carla@windbag carla$ ssh stinkpad
The authenticity of host 'stinkpad (192.168.1.100)' can't be established.
RSA key fingerprint is a2:c6:70:3e:73:00:b3:ed:90:b1:9a:bc:e7:d5:32:ba.
Are you sure you want to continue connecting (yes/no)?
Type yes, and it will respond:
Warning: Permanently added 'stinkpad,192.168.1.100' (RSA) to the list of known hosts.
carla@stinkpad's password:
Linux stinkpad 2.4.21 #1 Sun Aug 3 20:15:59 PDT 2003 i686 GNU/Linux
Libranet GNU/Linux
Last login: Sat June 3 22:16:24 2004 from :0.0
carla@stinkpad:~$
Now you are logged into your account on the remote PC, and can work just as if you were sitting at the remote machine. (To learn how to run a remote X session, see Recipe 17.11.) To close the session, type exit.
To log in to a different account on the remote host (here, wilmaf), give the remote login name with -l:
carla@windbag ~$ ssh -l wilmaf stinkpad
To reach a host that is not on your local network, for example across the Internet, use its fully qualified domain name (or its IP address):
carla@windbag ~$ ssh stinkpad.test.net
17.2.3 Discussion
Making that initial connection, and accepting the host's RSA key, is the riskiest part of setting up SSH. Until the key is in known_hosts, ssh has no way to tell the real host from an impostor: if an intruder has compromised your nameserver, or can otherwise put herself between you and the host, she can present her own host key, sit in the middle of the session, and capture your password. On a small private network this risk is modest, but checking that the IP address in the prompt is the one you expect only catches a bad DNS answer, not an attacker on the path. The check that actually closes the hole is comparing the fingerprint in the prompt with one obtained out of band: run ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub on the host itself (at its console, or over a connection you already trust), and answer yes only if the two fingerprints match. Alternatively, copy the host's public key into your local ~/.ssh/known_hosts file before the first connection, so ssh never has to ask. The copied key needs one small edit; see the examples below.
The host keys are stored in /etc/ssh. They identify the server to its clients, and they are all the server side needs to admit users: each user needs only a copy of the server's public host key in her ~/.ssh/known_hosts file and an account to log into. Some Linux distributions create two key pairs when you install OpenSSH, one RSA key pair and one DSA key pair (newer OpenSSH releases no longer enable DSA keys by default, so the RSA pair is the one to rely on):
$ ls /etc/ssh
ssh_host_dsa_key  ssh_host_dsa_key.pub  ssh_host_rsa_key  ssh_host_rsa_key.pub
If your system does not create these for you, or you wish to change them, see Recipe 17.3 to learn how to generate new host keys.
This is what the public RSA key looks like:
$ cat ssh_host_rsa_key.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA5pSqNmtqRzK2JaLr8qkIQ41nBDLI2JRJ6gRBmwg9gwK3S8xXnMUHIsu8wh5S1oei8hs47x2I9cnNpxHfj1wQWwqP6lVyelDfD+y+uWIz0UGzUXN5IrqYZ70EdQ4Xn++Jl1kmFG6Ll6KySb070OX0nlC09rNxisHL5GC0qi1+qM= root@windbag
The key itself must be one long, unbroken line; if it appears wrapped on the page or in your terminal, that is only display wrapping, and the file must not contain line breaks. Copy the file to a removable disk (or any other channel you trust), carry it to the client machine, and add it to that machine's ~/.ssh/known_hosts in this form (here windbag's key, installed on a client that will connect to windbag):
windbag.test.net,192.168.1.6 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA5pSqNmtqRzK2JaLr8qkIQ41nBDLI2JRJ6gRBmwg9gwK3S8xXnMUHIsu8wh5S1oei8hs47x2I9cnNpxHfj1wQWwqP6lVyelDfD+y+uWIz0UGzUXN5IrqYZ70EdQ4Xn++Jl1kmFG6Ll6KySb070OX0nlC09rNxisHL5GC0qi1+qM=
As you can see, the hostname and IP address the client will use go at the beginning of the line, separated by a comma with no spaces, followed by the key type and the key itself. The comment at the end of the .pub file (root@windbag here) is optional in known_hosts: ssh ignores it, so you may delete it as shown or leave it in place.
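The fingerprint check and the known_hosts edit described above, as an added example in Python that is not code from this book: it parses an OpenSSH public key line of the kind shown, derives the same fingerprints ssh prints at the first-connection prompt (the colon-separated MD5 form this recipe shows, and the SHA256 form newer OpenSSH prints), compares a fingerprint you were shown against one computed from a key obtained out of band, and turns a .pub line into a known_hosts entry, refusing a key whose base64 was damaged in transit. The sample key is constructed here (its modulus is an arbitrary 1024-bit integer, not a real RSA key), the host names are the recipe's own, and every function name is the example's; it uses only the standard library.

```python
"""Host-key helpers for the first SSH connection (added example; standard library only).
Parses 'keytype base64 [comment]' lines such as /etc/ssh/ssh_host_rsa_key.pub, derives
the fingerprints ssh prints at the "continue connecting?" prompt, and builds the
matching ~/.ssh/known_hosts entry, refusing a key that is damaged."""
import base64
import hashlib
import struct

def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value):
    """SSH wire-format mpint: big-endian magnitude, 0x00-prefixed if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw and raw[0] & 0x80 else raw)

def _read_string(blob, offset):
    """Read one wire-format string at offset; return (bytes, next_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    end = offset + 4 + struct.unpack(">I", blob[offset:offset + 4])[0]
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[offset + 4:end], end

def parse_pubkey_line(line):
    """Split a .pub line into (keytype, decoded blob, comment).
    Raises ValueError if the base64 is damaged (a character lost in transit) or the
    type inside the blob disagrees with the line, so a bad key never reaches known_hosts."""
    fields = line.split(None, 2)
    if len(fields) < 2:
        raise ValueError("expected 'keytype base64 [comment]'")
    keytype, b64 = fields[0], fields[1]
    comment = fields[2].strip() if len(fields) == 3 else ""
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise ValueError("key is not valid base64: %s" % exc)
    if _read_string(blob, 0)[0] != keytype.encode("ascii", "replace"):
        raise ValueError("key type inside the blob does not match %r" % keytype)
    return keytype, blob, comment

def rsa_params(blob):
    """(e, n, modulus bits) from an ssh-rsa blob: string "ssh-rsa", mpint e, mpint n."""
    keytype, off = _read_string(blob, 0)
    if keytype != b"ssh-rsa":
        raise ValueError("not an ssh-rsa key")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus")
    n = int.from_bytes(n_bytes, "big")
    return int.from_bytes(e_bytes, "big"), n, n.bit_length()

def fingerprint_md5(blob):
    """Colon-separated MD5 hex, the form older ssh prints (a2:c6:70:...)."""
    hexdigest = hashlib.md5(blob).hexdigest()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def fingerprint_sha256(blob):
    """'SHA256:<unpadded base64>', the default form in OpenSSH 6.8 and later."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_matches(shown, blob):
    """True if the fingerprint shown at the prompt is this key's, in either form
    (hex compared case-insensitively; a leading 'MD5:' prefix is accepted)."""
    shown = shown.strip()
    if shown.lower().startswith("md5:"):
        shown = shown[4:]
    return shown.lower() == fingerprint_md5(blob) or shown == fingerprint_sha256(blob)

def check_pubkey_line(line):
    """None if the line is a usable ssh-rsa key, else the reason not to install it."""
    try:
        rsa_params(parse_pubkey_line(line)[1])
    except ValueError as exc:
        return str(exc)
    return None

def known_hosts_line(hostnames, pubkey_line):
    """The known_hosts entry 'host,ip keytype base64' for a validated .pub line.
    The .pub comment is dropped; ssh ignores it in known_hosts anyway."""
    keytype, blob, _comment = parse_pubkey_line(pubkey_line)
    return "%s %s %s" % (",".join(hostnames), keytype, base64.b64encode(blob).decode())

def make_rsa_pubkey_line(e, n, comment):
    """Encode (e, n) as an ssh-rsa .pub line; used below to build the sample key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

# Constructed sample key (assumption: SAMPLE_N is an arbitrary odd 1024-bit integer,
# not a real RSA modulus). e=35 is the exponent old OpenSSH generated, and is what
# the "AAAAABIw" near the start of the key printed in this recipe encodes.
SAMPLE_E = 35
SAMPLE_N = (1 << 1023) | 0x1234567890ABCDEF | 1
SAMPLE_PUB_LINE = make_rsa_pubkey_line(SAMPLE_E, SAMPLE_N, "root@windbag")
# The same key minus its final base64 character, as happens when a key is retyped
# from a wrapped printout: known_hosts_line() and check_pubkey_line() reject it.
DAMAGED_PUB_LINE = "ssh-rsa %s root@windbag" % SAMPLE_PUB_LINE.split()[1][:-1]
```

In practice you would paste the real .pub line from the removable disk into SAMPLE_PUB_LINE's place, compare fingerprint_md5() or fingerprint_sha256() of the decoded blob with what ssh-keygen -l printed on the server, and append known_hosts_line() to ~/.ssh/known_hosts only if check_pubkey_line() returns None. The validation matters because a key that lost a character in transit does not decode at all, and a key that decodes but whose inner type does not match the line is not the file you think it is.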
The .pub, or public, keys are world-readable (mode 644), but private keys must be readable only by their owner (mode 600); OpenSSH refuses to use a private key file that other users can read.
17.2.4 See Also