ssh host v client regarding keys

phil phil at philfixit.info
Mon Feb 16 07:27:42 UTC 2015






-------- Original message --------
From: Karl Auer <kauer at biplane.com.au> 
Date:16/02/2015 5:28 PM (GMT+10:00) 
To: ubuntu-users at lists.ubuntu.com 
Cc: 
Subject: Re: ssh host v client regarding keys 

On Mon, 2015-02-16 at 05:13 +0000, thufir wrote:
> on the host, I created a key with  ssh-keygen -t rsa  but that's on the pc 
> which I'm connecting.  do I transfer that key to the client with ssh-copy 
> id ?  Or the other way around?

Host: The system you are connecting TO
Client: The system you are connecting FROM

Assuming cuser on the client wants to log into the host as huser:

On the client, run ssh-keygen as cuser to create a ~cuser/.ssh and a new
key pair. Put the new key pair in ~cuser/.ssh (that's the default)
unless you know exactly what you are doing. If cuser already has a
suitable directory and key pair, skip this step.

On the host, run ssh-keygen as huser to create ~huser/.ssh and a new key
pair. Put the new key pair in ~huser/.ssh (that's the default) unless
you know exactly what you are doing. If huser already has a suitable
directory and key pair, skip this step. Otherwise, delete the generated
keys afterwards. You don't need them for logging in from the client.

Now copy the PUBLIC part of cuser's key (that's the file with the .pub
extension) from ~cuser/.ssh into ~huser/.ssh on the host.

In ~huser/.ssh on the host, append the newly copied public key
to .ssh/authorized_keys.

Finally, delete the public key from ~huser/.ssh 

That's it.

A couple of points though:
- DO NOT copy your private key to anywhere
- DO NOT create keys without passphrases
- make your passphrases very hard to guess
- authorized_keys should be world-readable
- authorized_keys should be writable only by the owner
- once you have publickey-protected access, consider
  turning off password-only access

There are lots of short-cuts and additional ways to do things, but for
the sake of obviousness, I've described it in clunky but simple steps.
Alternatively, while logged in as cuser on the client, do something like
this (untested, just to give you the idea). This requires you to enter
the huser password two or three times:

   cd
   ssh-keygen -t rsa -b 4096      # if cuser doesn't have keys
   ssh huser@host ssh-keygen      # if huser doesn't have .ssh
   scp .ssh/id_rsa.pub huser@host:.ssh/cuser.pub
   ssh huser@host "cat .ssh/cuser.pub >> .ssh/authorized_keys ; rm .ssh/cuser.pub"

Another alternative, if you have a terminal window open on both host and
client, is to display cuser's public key in the client window, edit
~huser/.ssh/authorized_keys in the host window, and just copy and paste
the key into authorized_keys.

Regards, K.

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Karl Auer (kauer at biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

Thanks Karl, that's one of the best and easiest descriptions I have read. And ta to thufir for asking . . .

Phil
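
The host-side steps from Karl's message (append the copied public key to authorized_keys, keep that file writable only by its owner, never move a private key), as an added shell example that is not part of the thread. The function name install_pubkey, its two arguments and the sample key line are constructed for illustration.

```shell
#!/bin/sh
# install_pubkey PUBFILE SSHDIR  (hypothetical helper, not from the thread)
# Appends the single public key in PUBFILE to SSHDIR/authorized_keys.
install_pubkey() {
    pubfile=$1
    sshdir=$2
    auth="$sshdir/authorized_keys"

    # "DO NOT copy your private key to anywhere": refuse private key files.
    if grep -q 'PRIVATE KEY' "$pubfile"; then
        echo "refusing: $pubfile looks like a private key" >&2
        return 1
    fi

    # A .pub file holds exactly one line: "<type> <base64> [comment]".
    if [ "$(grep -c . "$pubfile")" -ne 1 ]; then
        echo "refusing: $pubfile is not a one-line public key" >&2
        return 1
    fi
    key=$(grep . "$pubfile")
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing: unknown key type in $pubfile" >&2; return 1 ;;
    esac

    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 1
    touch "$auth" || return 1

    # Append only if the identical line is absent, so re-running is harmless.
    grep -qxF -e "$key" "$auth" || printf '%s\n' "$key" >> "$auth"

    # "authorized_keys should be writable only by the owner"
    chmod go-w "$auth"
}

# Constructed demo: a throwaway directory stands in for ~huser/.ssh,
# and the key below is a made-up placeholder, not a real key.
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCONSTRUCTED cuser@client' > "$demo/cuser.pub"
install_pubkey "$demo/cuser.pub" "$demo/.ssh"
install_pubkey "$demo/cuser.pub" "$demo/.ssh"   # second run adds nothing
echo "keys installed: $(grep -c . "$demo/.ssh/authorized_keys")"
rm -rf "$demo"
```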