Subject: Re: scp authorized keys
To: village idiot <village_ldi0t@yahoo.com>
From: David S. <davids@idiom.com>
List: netbsd-help
Date: 04/12/2002 21:29:16
>
> I am trying to figure out how to set up authorized
> keys to be able to use secure copy and ssh login
> without prompting for password.
>
> I thought all I had to do was start the key-gen thing.
> Then copy the identity.pub into authorized_keys on
> other machines.
To {ssh, scp} from HostA to HostB without issuing a password:
On both HostA and HostB,

    mkdir ~/.ssh
    chmod 0700 ~/.ssh

On HostA,

    cd .ssh
    ssh-keygen -t rsa1 -C "Some comment"
    ssh-keygen -t rsa -C "Some comment"
    ssh-keygen -t dsa -C "Some comment"

Each of the 'ssh-keygen' commands will prompt you for a
passphrase. Choose something easy to remember but difficult
to guess. The commands will produce the files
~/.ssh/identity, ~/.ssh/identity.pub
~/.ssh/id_rsa, ~/.ssh/id_rsa.pub
~/.ssh/id_dsa, ~/.ssh/id_dsa.pub
respectively. The "*.pub" files are your public keys. The
others are your private keys - guard them carefully. If
they're stolen, then your account on HostB, or any other
machine where you've set up public-key authentication, is
wide open to the thief.
On HostA,

    scp ~/.ssh/identity.pub HostB:~/.ssh/authorized_keys
    cp ~/.ssh/id_rsa.pub some_temp_file
    cat ~/.ssh/id_dsa.pub >> some_temp_file
    scp some_temp_file HostB:~/.ssh/authorized_keys2

On HostB,

    chmod 0600 ~/.ssh/authorized_keys
    chmod 0600 ~/.ssh/authorized_keys2

Now you should be able to 'ssh' from HostA to HostB without
a password, but 'ssh' will prompt you for a passphrase,
because it needs to decrypt your private keys. (Not much progress,
eh?) You can get around that with 'ssh-agent', 'ssh-add', and
'ssh-askpass'. On HostA, make a ~/.xsession file that looks like

    #! /bin/sh
    SSH_AGENT=/usr/bin/ssh-agent
    SSH_ADD=/usr/bin/ssh-add
    SSH_ASKPASS=/usr/X11R6/bin/ssh-askpass
    export SSH_AGENT SSH_ADD SSH_ASKPASS
    exec $SSH_AGENT /bin/sh -c "$SSH_ADD $HOME/.ssh/identity $HOME/.ssh/id_rsa $HOME/.ssh/id_dsa; $HOME/.xinitrc"

Make sure ~/.xsession is executable

    chmod +x ~/.xsession

Now when you log in to the HostA console, before your window manager
starts you'll see an X dialog box prompting you for your
passphrases; type them in. Your X session will be a sub-process
of the 'ssh-agent' process, and that process will hold your decrypted
private keys. Any 'ssh' process started in your X session will
also be a sub-process of 'ssh-agent', and will have access to your
keys. The upshot is, {ssh, scp} from HostA to HostB with no
password or passphrase.
(N.B.: you could also generate keys without a passphrase, but
that's a bad idea.)
Simple, huh?
David S.
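An added example, not part of David's reply, covering the authorized_keys steps above: the post's "scp identity.pub HostB:~/.ssh/authorized_keys" replaces whatever is already in that file, and a wrong mode on ~/.ssh or the key files makes sshd (with StrictModes, the default) silently ignore the key and fall back to a password prompt. The script below appends a key only if it is not already present and checks the 0700/0600 modes the post prescribes. The directory names and key strings are constructed for the demo; it assumes plain "type base64 comment" key lines and runs against a local directory standing in for ~/.ssh on HostB.

```shell
#!/bin/sh
# Added example (not from the original post). Installs a public key into an
# authorized_keys file without clobbering or duplicating existing entries,
# then audits the permissions sshd's StrictModes requires before it will
# honour the key. Key material and paths below are constructed for the demo.

# install_pubkey PUBKEY_FILE SSH_DIR
install_pubkey() {
    pubkey_file=$1
    ssh_dir=$2
    auth_keys="$ssh_dir/authorized_keys"

    [ -d "$ssh_dir" ] || mkdir -p "$ssh_dir"
    chmod 0700 "$ssh_dir"
    [ -f "$auth_keys" ] || : > "$auth_keys"
    chmod 0600 "$auth_keys"

    # Match on the key body (field 2), so an edited comment does not let the
    # same key in twice. Assumes one "type base64 comment" line per file.
    key_body=$(awk '{print $2}' "$pubkey_file")
    if awk -v k="$key_body" '$2 == k { found = 1 } END { exit !found }' "$auth_keys"; then
        echo "already present: $pubkey_file"
        return 0
    fi
    cat "$pubkey_file" >> "$auth_keys"
    echo "installed: $pubkey_file"
}

# check_ssh_perms SSH_DIR
# Returns 0 when the directory, authorized_keys* and every private key are
# closed to group and other (0700 / 0600); otherwise prints each offender and
# returns 1. Columns 5-10 of "ls -ld" are the group/other permission bits.
check_ssh_perms() {
    ssh_dir=$1
    rc=0
    for f in "$ssh_dir" "$ssh_dir"/authorized_keys* "$ssh_dir"/identity "$ssh_dir"/id_*; do
        [ -e "$f" ] || continue
        case "$f" in *.pub) continue ;; esac
        bits=$(ls -ld "$f" | cut -c5-10)
        if [ "$bits" != "------" ]; then
            echo "too permissive: $f (group/other bits: $bits)"
            rc=1
        fi
    done
    return $rc
}

# Demo on a throwaway directory standing in for ~/.ssh on HostB.
demo=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDexample1== hostA-rsa\n' > "$demo/id_rsa.pub"
printf 'ssh-dss AAAAB3NzaC1kc3MAAACBAPexample2== hostA-dsa\n' > "$demo/id_dsa.pub"
install_pubkey "$demo/id_rsa.pub" "$demo/hostB_ssh"
install_pubkey "$demo/id_dsa.pub" "$demo/hostB_ssh"
install_pubkey "$demo/id_rsa.pub" "$demo/hostB_ssh"   # second time: reported, not appended
check_ssh_perms "$demo/hostB_ssh" && echo "permissions OK"
rm -rf "$demo"
```

Run it as "sh install_key_demo.sh"; on a real host you would point install_pubkey at ~/.ssh instead of the demo directory, and run check_ssh_perms ~/.ssh on HostB whenever key authentication unexpectedly falls back to a password.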