Wednesday, October 24, 2007

ssh keys -- how to setup trust relations

Setting up a trust relationship between UNIX hosts is one of the routine requests we get. Here is a brief procedure:

Case I: OpenSSH -> OpenSSH (Simplest)

Steps:
1. Generate SSH Keys

LinuxHostLocal# /usr/bin/ssh-keygen -t dsa

2. Copy Public Key to the Remote Machine

LinuxHostLocal# scp .ssh/id_dsa.pub LinuxHostRemote:/tmp

3. Add Public Key to the list of keys

LinuxHostRemote# cat /tmp/id_dsa.pub >> ~/.ssh/authorized_keys
LinuxHostRemote# rm /tmp/id_dsa.pub


4. Set up permissions

LinuxHostRemote# chmod 640 ~/.ssh/authorized_keys

We can now ssh from LinuxHostLocal to LinuxHostRemote without a password. Never let anyone get your private key file (keep its permissions at 600). Public keys can (and should) be publicly available.
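A slightly more careful form of steps 3 and 4, as an added example (not from the original post): it checks that the file really is a single OpenSSH public key before appending, skips the append if that key is already in authorized_keys (running the procedure twice should not produce duplicate lines), and sets the modes that sshd's StrictModes check expects. The function names and the sample key line are assumptions; the key blob is constructed, decodes to a zero-filled ssh-dss structure and is not a usable key. The post's chmod 640 also satisfies StrictModes, since only group- or world-writable files are rejected; 600 is used here as the tighter choice.

```shell
#!/bin/sh
# Added example, not from the original post. A safer form of steps 3 and 4:
# validate the public key file, append it only if that key is not already in
# authorized_keys, and set the modes sshd's StrictModes expects (nothing
# group- or world-writable). Function names are hypothetical.

# Constructed sample public key line, NOT a real key (zero-filled ssh-dss blob).
SAMPLE_PUB='ssh-dss AAAAB3NzaC1kc3MAAACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA user@LinuxHostLocal'

# install_pubkey <pubkey-file> <authorized_keys-file>
# Returns 0 when the key is present afterwards (added or already there), 1 if
# the input does not look like a single OpenSSH public key.
install_pubkey() {
    pub=$1
    ak=$2
    [ -f "$pub" ] || return 1
    # An OpenSSH public key is exactly one line "<type> <base64> [comment]".
    # Refuse anything else so a private key or junk is never appended.
    lines=$(wc -l < "$pub" | tr -d ' ')
    [ "$lines" -le 1 ] || return 1
    grep -Eq '^(ssh-(rsa|dss|ed25519)|ecdsa-sha2-nistp[0-9]+) [A-Za-z0-9+/=]+' "$pub" || return 1
    keydir=$(dirname "$ak")
    mkdir -p "$keydir"
    chmod 700 "$keydir"
    [ -f "$ak" ] || : > "$ak"
    # Compare on type and blob only, so a different comment is not a duplicate.
    blob=$(awk '{print $1 " " $2}' "$pub")
    if ! awk '{print $1 " " $2}' "$ak" | grep -qxF "$blob"; then
        # awk's print always terminates the line, unlike cat on a file that
        # lacks a trailing newline (which would glue two keys together).
        awk 'NR == 1 { print }' "$pub" >> "$ak"
    fi
    chmod 600 "$ak"
}

# count_keys <authorized_keys-file>: number of key lines present.
count_keys() {
    grep -cE '^(ssh-|ecdsa-)' "$1" || true
}

# check_mode <path> <octal-mode>: succeed only if the path has exactly that
# mode. -prune keeps find from descending when the path is a directory.
check_mode() {
    find "$1" -prune -perm "$2" -print | grep -q .
}

# Demo run in a scratch directory standing in for ~ on LinuxHostRemote.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PUB" > "$d/id_dsa.pub"
    install_pubkey "$d/id_dsa.pub" "$d/.ssh/authorized_keys"
    install_pubkey "$d/id_dsa.pub" "$d/.ssh/authorized_keys"
    echo "keys installed: $(count_keys "$d/.ssh/authorized_keys")"
    check_mode "$d/.ssh/authorized_keys" 600 && echo "authorized_keys mode ok"
    rm -rf "$d"
}
demo
```

The same check_mode call is the one to run against the private key on LinuxHostLocal (mode 600), which is the permission the post tells you to keep.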


Case II: OpenSSH -> SSH2 (Key conversion will be needed)

From OpenSSH (LinuxLocalHost), to SSH2 (SolarisRemoteHost)

Do the 4 steps from Case I first. Since SSH2 cannot directly read an OpenSSH key, we have to do a key conversion here.

1. Convert the OpenSSH Public Key to an SSH2 Key

LinuxLocalHost# cd ~/.ssh
LinuxLocalHost# /usr/bin/ssh-keygen -e -f id_dsa.pub > id_dsa_ssh2.pub


2. Create the public key file on the Remote Machine that runs SSH2

LinuxLocalHost# scp id_dsa_ssh2.pub SolarisRemoteHost:~/.ssh2/remotehostname.pub

* You will have to supply a password at this time; otherwise use the root id to do the scp.

3. Add Public Key to the list of keys

SolarisRemoteHost# cd ~/.ssh2
SolarisRemoteHost# echo "key remotehostname.pub" >> ~/.ssh2/authorization



Case III: SSH2 -> OpenSSH (Again, key conversion is needed)

Now we'll need to generate a new set of keys on the SSH2 machine and send its public key to the OpenSSH machine. Again, we will need to convert the public key, this time from SSH2 to OpenSSH form.
* Note that the key conversion can only be done on the OpenSSH side. SSH2, as far as I know, has not implemented a routine to convert OpenSSH keys.


1. Create SSH2 Keys

SolarisLocalHost# /opt/ssh2/bin/ssh-keygen

example screen:

$ /opt/ssh2/bin/ssh-keygen
Generating 1024-bit dsa key pair
2 Oo.oOo.oOoo.
Key generated.
1024-bit dsa, fsbsc@evitaprod, Wed Oct 24 2007 20:40:27
Passphrase : <<>
$

2. Tell SSH2 who it is

SolarisLocalHost# cd ~/.ssh2
SolarisLocalHost# echo "idkey id_dsa_1024_a" >> ~/.ssh2/identification



3. Set permissions

SolarisLocalHost# chmod 600 id_dsa_1024_a id_dsa_1024_a.pub identification

4. Copy the public key to the OpenSSH machine

SolarisLocalHost# scp ~/.ssh2/id_dsa_1024_a.pub LinuxRemoteHost:/tmp

5. Convert the public key and add it to authorized_keys2
* Note the file name is "authorized_keys2"

LinuxRemoteHost# /usr/bin/ssh-keygen -i -f /tmp/id_dsa_1024_a.pub >> ~/.ssh/authorized_keys2
LinuxRemoteHost# rm /tmp/id_dsa_1024_a.pub
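Cases II and III both hinge on the conversion that ssh-keygen -e and ssh-keygen -i perform. The following is an added example, not from the original post, that shows what that conversion actually is: the base64 key blob is identical in both formats, and only the framing differs (one line for OpenSSH; a BEGIN/END banner, optional header lines and wrapped base64 for SSH2, the RFC 4716 format). It also shows why the OpenSSH side can recover the key type on its own: the type name is the first length-prefixed field inside the blob. The helper names are assumptions, and the sample blob is constructed (a zero-filled ssh-dss structure, not a usable key). On a real host use ssh-keygen as the post does.

```shell
#!/bin/sh
# Added example, not from the original post. Portable illustration of the
# OpenSSH <-> SSH2 (RFC 4716) public-key conversion that ssh-keygen -e / -i
# perform. The key blob (base64) is identical in both formats; only the
# framing differs. Helper names are hypothetical; on a real host use ssh-keygen.

# Constructed sample, NOT a real key: a well-formed ssh-dss blob whose
# parameters are all zero, enough to exercise the framing code.
SAMPLE_BLOB='AAAAB3NzaC1kc3MAAACBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
SAMPLE_OPENSSH="ssh-dss $SAMPLE_BLOB user@LinuxLocalHost"

# blob_type <base64-blob>: print the key type encoded at the start of the
# blob. The wire format is a 4-byte big-endian length followed by the type
# name, e.g. 00 00 00 07 "ssh-dss". The type is therefore recoverable from the
# blob alone, which is why ssh-keygen -i needs no hint from the SSH2 file.
blob_type() {
    blob=$1
    bytes=$(printf '%s' "$blob" | base64 -d 2>/dev/null | od -An -tu1 -N4)
    set -- $bytes
    [ $# -eq 4 ] || return 1
    n=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    # A sane type name is short; reject anything else rather than trust the length.
    [ "$n" -gt 0 ] && [ "$n" -le 64 ] || return 1
    printf '%s' "$blob" | base64 -d 2>/dev/null | tail -c +5 | head -c "$n"
}

# openssh_to_ssh2: read one OpenSSH key line on stdin, write RFC 4716 on stdout
# (what ssh-keygen -e does).
openssh_to_ssh2() {
    IFS= read -r line
    set -- $line
    [ $# -ge 2 ] || return 1
    blob=$2
    shift 2
    comment=$*
    printf '%s\n' '---- BEGIN SSH2 PUBLIC KEY ----'
    [ -n "$comment" ] && printf 'Comment: "%s"\n' "$comment"
    printf '%s\n' "$blob" | fold -w 70
    printf '%s\n' '---- END SSH2 PUBLIC KEY ----'
}

# ssh2_to_openssh: read an RFC 4716 key on stdin, write the OpenSSH one-line
# form on stdout (what ssh-keygen -i does). Header lines ("Comment:",
# "Subject:", ...) may continue across lines with a trailing backslash.
ssh2_to_openssh() {
    body=''
    comment=''
    cont=0
    while IFS= read -r line; do
        case $line in
            '---- BEGIN SSH2 PUBLIC KEY ----'|'---- END SSH2 PUBLIC KEY ----')
                continue ;;
        esac
        if [ "$cont" -eq 1 ]; then
            # Continuation of a header line we do not use.
            case $line in *\\) cont=1 ;; *) cont=0 ;; esac
            continue
        fi
        case $line in
            *:*)
                # Header line. Base64 never contains ':', so this test is safe.
                case $line in 'Comment: '*) comment=${line#"Comment: "} ;; esac
                case $line in *\\) cont=1 ;; esac
                continue ;;
        esac
        body="$body$line"
    done
    comment=${comment#\"}
    comment=${comment%\"}
    ktype=$(blob_type "$body") || return 1
    if [ -n "$comment" ]; then
        printf '%s %s %s\n' "$ktype" "$body" "$comment"
    else
        printf '%s %s\n' "$ktype" "$body"
    fi
}

# Demo: wrap the sample into SSH2 form, then unwrap it again.
printf '%s\n' "$SAMPLE_OPENSSH" | openssh_to_ssh2
printf '%s\n' "$SAMPLE_OPENSSH" | openssh_to_ssh2 | ssh2_to_openssh
```

Because the blob carries its own type, a key that fails blob_type (garbage, or a private key pasted by mistake) is rejected before anything is appended to authorized_keys2, which is the check worth keeping in mind when step 5 is done by hand.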

Cheers.