Wednesday, October 24, 2007

ssh keys -- how to setup trust relations

Seting up trust relationship between UNIX hosts is one of the routine requests we get. Here is a brief procedure:

Case I: OpenSSH -> OpenSSH (Simplist)

Steps:
1. Generate SSH Keys

LinuxHostLocal# /usr/bin/ssh-keygen -t dsa

2. Copy Public Key to the Remote Machine

LinuxHostLocal# scp .ssh/id_dsa.pub LinuxHostRemote:/tmp

3. Add Public Key to the list of keys

LinuxHostRemote# cat /tmp/id_dsa.pub >> ~/.ssh/authorized_keys
LinuxHostRemote# rm /tmp/id_dsa.pub


4. Set up permissions

LinuxHostRemote# chmod 640 ~/.ssh/authorized_keys

We can now ssh from LinuxHostLocal to LinuxHostRemote without a password. Make sure never to let anyone get your private key file (keep permissions at 600). Public keys can (and should) be publicly available.


Case II: OpenSSH -> SSH2 (Key conversion will be needed)

From OpenSSH (LinuxLocalHost), to SSH2 (SolarisRemoteHost)

Do the 4 steps in Case I. Since SSH2 cannot directly read an OpenSSH key, we have to do a key conversion here.

1. Convert SSH Public Key to SSH2 Key

LinuxLocalHost# cd ~/.ssh
LinuxLocalHost# /usr/bin/ssh-keygen -e -f id_dsa_pub > id_dsa_ssh2.pub


2. Create the public key file on the Remote Machine that runs SSH2

LinuxLocalHost# scp id_dsa_ssh2.pub SolarisRemoteHost:~/.ssh2/remotehostname.pub

* you will have to supply a passwd at this time; otherwisie use root id to do the scp

2. Add Public Key to the list of keys

SolarisRemoteHost#cd ~/.ssh2
SolarisRemoteHost# echo "key remotehostname.pub" >> ~/.ssh2/authorization



Case III: SSH2 -> OpenSSH ((Again, key converstion is needed)

Now, we'll need to generate a new set of keys on the SSH2 machine, and send its public key to the openssh machine. Again, we will need to convert the public key. This time from SSH2 to OpenSSH form.
* note that the key conversion can only be done on the open ssh side. SSH2, as far as I know now, has not implemented a routine to convert OpenSSH keys.


1. Create SSH2 Keys

SolarisLocalHost# /opt/ssh2/bin/ssh-keygen

example screen:

$ /opt/ssh2/bin/ssh-keygen
Generating 1024-bit dsa key pair
2 Oo.oOo.oOoo.
Key generated.
1024-bit dsa, fsbsc@evitaprod, Wed Oct 24 2007 20:40:27
Passphrase : <<>
$
2. Tell SSH2 who it is

SolarisLocalHost# cd ~/.ssh2
SolarisLocalHost# echo "idkey id_dsa_1024_a" >> .ssh2/identification



3. Set permissions

SolarisLocalHost# chmod 600 idkey id_dsa_1024_a.pub identification

4. Copy the public key to the OpenSSH machine

SolarisLocalHost# scp .ssh/id_dsa_1024_a.pub LinuxRemoteHost:/tmp

5. Convert the public key, and add it authorized_keys2
*note the file name is "authorized_keys2"

LinuxRemoteHost:/usr/bin/ssh-keygen -i -f /tmp/id_dsa_1024_a.pub >> ~/.ssh/authorized_keys2
LinuxRemoteHost:rm /tmp/id_dsa_1024_a.pub

Cheers.

No comments: