Requirement:
Understanding of public/private key infrastructure.
Terminology:
- Public key: think of it as the lock; it is placed on the server you want to ssh to.
- Private key: think of it as the key; it stays on your PC and must be kept as secret as possible. No one but you should ever see it.
- The two keys form a mathematically related pair. If one key is used to encrypt information, only the related key can decrypt that information.
Primary steps:
- Create the keypair on the client.
- Copy the Public Key to the Server.
- Done.
Steps in detail:
By default the sshd service on the server accepts public key authentication, but with no key installed you still fall back to a password:
Client# ssh -v 10.254.10.30
OpenSSH_5.8p2, OpenSSL 1.0.0
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.254.10.30 [10.254.10.30] port 22.
debug1: Connection established.
...
debug1: Authentications that can continue: publickey,password
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
root@10.254.10.30's password:
You need to type the password to log on.
Now let's make it work without a password.
1. Create the keypair on the client.
Client# cd ~
Client# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
6d:0f:a5:e9:7e:87:2c:4c:22:27:cb:40:38:0d:48:ad
The fingerprint may be different on yours.
After that, we have 2 files:
- Public Key: id_rsa.pub
- Private Key: id_rsa
Let's see what they look like:
The Public Key
Client# cat .ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAl99XlhWZF3vw3aePvYGdcWPuXi8VYP4fHEP6gLCFvlS1yQ9hvcPzPiN4czUt1BCXc1nZIzrdtB
...
dRTJJevosba4VYfXsx1NFbm7YJdbGShsQpZM3t7D4D7iuWyd8nGKgojJ5aqHCwiSnFCez
The Private Key
Client# cat .ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEoQIBAAKCAQEAl99XlhWZF3vw3aePvYGdcWPuXi8VYP4fHEP6gLCFvlS1yQ9h
vcPzPiN4czUt1BCXc1nZIzrdtBlRsPjV1HiHNB5LTQF7HKrAIwHN9LlHwfDt0VPW
...
NsuABoq+2FZYVM9wjaJvWa9gCqRj6iyOKUj7nIsUW57v53bVug==
-----END RSA PRIVATE KEY-----
2. Copy the Public Key to the Server.
Client# ssh-copy-id -i .ssh/id_rsa.pub root@10.254.10.30
The authenticity of host 'ServerTest(10.254.10.30)' can't be established.
RSA key fingerprint is 79:04:3d:72:08:91:e5:05:0a:06:97:b2:04:2d:7e:31.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'ServerTest,10.254.10.30' (RSA) to the list of known hosts.
root@10.254.10.30's password:
Now try logging into the machine, with "ssh 'root@10.254.10.30'", and check in:
.ssh/authorized_keys
to make sure we haven't added extra keys that you weren't expecting.
You need to type the password to copy the id_rsa.pub to the server.
Let's check if that file has been placed on the server.
Server# cd ~
Server# ls -al .ssh/
total 20
drwx------ 3 root root 4096 Jun 18 22:17 .
drwxr-x--- 5 root root 4096 Jun 18 22:15 ..
-rw------- 1 root root 394 Jun 18 22:17 authorized_keys
Notice the permissions: .ssh is 700 and authorized_keys is 600, so only the owner can read or write them. With the default StrictModes setting, sshd ignores authorized_keys if the file or its directory is writable by anyone else.
Let's see what it contains.
Server# cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAl99XlhWZF3vw3aePvYGdcWPuXi8VYP4fHEP6gLCFvlS1yQ9hvcPzPiN4czUt1BCXc1nZIzrdtB...
dRTJJevosba4VYfXsx1NFbm7YJdbGShsQpZM3t7D4D7iuWyd8nGKgojJ5aqHCwiSnFCez
Notice that it is identical to the file id_rsa.pub on the client.
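The two checks just made by hand on the server (the 700/600 permissions, and that the client's id_rsa.pub really is what landed in authorized_keys) can be scripted. This is an added example, not code from the original post: it builds a throwaway fixture with constructed placeholder key blobs so it runs offline, and assumes GNU stat (-c %a).

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat; key blobs are constructed.
# 0 if PATH is not writable by group or others, the rule sshd enforces under
# StrictModes (the default) before it trusts ~/.ssh/authorized_keys.
not_group_world_writable() {
  mode=$(stat -c %a "$1" 2>/dev/null) || return 1
  go=${mode#"${mode%??}"}                 # last two octal digits: group, other
  [ $(( ${go%?} & 2 )) -eq 0 ] && [ $(( ${go#?} & 2 )) -eq 0 ]
}
# Check the .ssh directory and its authorized_keys (the 700/600 in ls -al above).
check_ssh_perms() {
  rc=0
  for p in "$1" "$1/authorized_keys"; do
    if not_group_world_writable "$p"; then printf 'ok  %s\n' "$p"
    else printf 'BAD %s missing or group/world writable\n' "$p"; rc=1; fi
  done
  return $rc
}
# Number of key entries (blank lines and # comments skipped), to spot unexpected extras.
count_authorized_keys() {
  awk 'NF >= 2 && $1 !~ /^#/ { n++ } END { print n + 0 }' "$1"
}
# 0 if the base64 blob of public key file $1 is present in authorized_keys $2.
# Every field is compared, so entries with leading options (from="...") match too.
key_authorized() {
  blob=$(awk 'NF >= 2 && $1 !~ /^#/ { print $2; exit }' "$1")
  [ -n "$blob" ] || return 2
  awk -v b="$blob" '$1 !~ /^#/ { for (i = 1; i <= NF; i++) if ($i == b) { found = 1; exit } }
                    END { exit (found ? 0 : 1) }' "$2"
}
# Throwaway fixture shaped like the tutorial's client and server files (constructed blobs).
make_demo_dir() {
  d=$(mktemp -d) || return 1
  mkdir -m 700 "$d/.ssh"
  printf 'ssh-rsa AAAAEXAMPLECLIENTBLOB0000 root@client\n' > "$d/id_rsa.pub"
  printf 'ssh-rsa AAAAEXAMPLEOTHERBLOB9999 someone@else\n' > "$d/other.pub"
  { cat "$d/id_rsa.pub"
    printf 'from="10.254.10.0/24" ssh-ed25519 AAAAEXAMPLEBACKUPBLOB1111 backup\n'
  } > "$d/.ssh/authorized_keys"
  chmod 600 "$d/.ssh/authorized_keys"
  printf '%s\n' "$d"
}
demo=$(make_demo_dir); auth="$demo/.ssh/authorized_keys"
check_ssh_perms "$demo/.ssh"
echo "$(count_authorized_keys "$auth") key(s) in authorized_keys"
for pub in "$demo/id_rsa.pub" "$demo/other.pub"; do
  key_authorized "$pub" "$auth" && echo "authorized:     $pub" || echo "NOT authorized: $pub"
done
rm -rf "$demo"
```

On a real server, point check_ssh_perms at ~/.ssh and key_authorized at the id_rsa.pub copied from the client.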
3. Done.
Back on the client, let's see what happens when we ssh again:
Client# ssh -v 10.254.10.30
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to [10.254.10.30] port 22.
debug1: Connection established.
...
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa
...
debug1: Authentication succeeded (publickey).
No more typing the password; it works like a charm.
Known issues:
+ If it still doesn't work, make sure you have disabled SELinux.
Server# cat /etc/selinux/config