Previous Section  < Day Day Up >  Next Section

Recipe 17.2. Setting Up OpenSSH the First Time

17.2.1 Problem

You need to establish a connection between your local workstation and a remote PC. The connection needs to be secure; you don't want your data exposed to prying eyes. (They're there, and you should be worried about them—even if you aren't paranoid.) So you want to set up OpenSSH.

17.2.2 Solution

Install OpenSSH on both machines. sshd, the ssh daemon, must be running on the remote host, so that it can receive connections. Copy the remote host's public key to the local machine's ~/.ssh/known_hosts file, and you're in business.

Starting and stopping sshd on most rpm-based systems is done like this:

# /etc/init.d/sshd start

# /etc/init.d/sshd stop

On Debian, it's slightly different:

# /etc/init.d/ssh start

# /etc/init.d/ssh stop

Always check your init filenames, as they vary on different distributions.

Copying the remote host's public key to your local ~/.ssh/known_hosts file is as simple as connecting to the remote host:

carla@windbag carla$ ssh stinkpad

The authenticity of host 'stinkpad (' can't be established.

RSA key fingerprint is a2:c6:70:3e:73:00:b3:ed:90:b1:9a:bc:e7:d5:32:ba.

Are you sure you want to continue connecting (yes/no)?

Type yes, and it will respond:

Warning: Permanently added 'stinkpad,' (RSA) to the list of known hosts.

carla@stinkpad's password:

Linux stinkpad 2.4.21 #1 Sun Aug 3 20:15:59 PDT 2003 i686 GNU/Linux

Libranet GNU/Linux

Last login: Sat June  3 22:16:24 2004 from :0.0


Now you are logged into your account on the remote PC, and can work just as if you were sitting physically at the remote machine. (To learn how to run a remote X session, see Recipe Recipe 17.11.) To close the session, type exit.

17.2.3 Discussion

Using the simple ssh <hostname> login connects you to another host on your LAN, using the same login. You can connect as a different user with the -l flag:

carla@windbag ~$ ssh -l wilmaf stinkpad

To make an SSH connection over the Internet, you must use the full domain name:

carla@windbag ~$ ssh

Making that initial connection, and copying the host's RSA key, is the riskiest part of setting up SSH. If an intruder managed to compromise your nameserver, she could possibly hijack your SSH session and capture your login. It's a pretty small risk, though, and you can verify the IP address before logging in the first time. To close off this hole, you can manually copy the host's public key to your local ~/.ssh/known_hosts file first. You must edit it slightly; see the examples below.

Host keys are stored in /etc/ssh. These are used to validate the identity of the remote host. This is all you need to allow users to access this machine. All they need is a copy of the public host key in their ~/.ssh/known_hosts files and an account to log into. Some Linux distributions create two key pairs when you install OpenSSH—one RSA key pair and one DSA key pair:

$ ls /etc/ssh



If your system does not create these for you, or you wish to change them, see Recipe Recipe 17.3 to learn how to generate new host keys.

This is what the public rsa key looks like:

$ cat

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA5pSqNmtqRzK2JaLr8qkIQ41nBDLI2JRJ6gRBmwg9gwK3S8xXnMUHIs


0OX0nlC09rNxisHL5GC0qi1+qM= root@windbag

The key itself must be one long, unbroken line—it must not have line breaks, as it does on this page. Copy it to a removeable disk, transfer it to your local ~/.ssh/known_hosts file, and modify it in this manner:, ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA5pSqNmtqRzK2JaLr8qkIQ41nB



As you can see, the hostname and IP address must be written at the beginning of the line, and the hostname must be deleted from the end of the line.

The .pub, or public, keys are world-readable, but private keys must be readable only by the key owner.

17.2.4 See Also

  • ssh(1)

  • SSH, The Secure Shell: The Definitive Guide, by Daniel J. Barrett and Richard Silverman (O'Reilly)

    Previous Section  < Day Day Up >  Next Section