Friday, July 24, 2009

SSH Key based authentication setup from openSSH to SSH2

From: http://www.thegeekstuff.com/2008/07/ssh-key-based-authentication-setup-from-openssh-to-ssh2/

The previous articles (openSSH to openSSH setup, SSH2 to SSH2 setup) explains about how to setup key based authentication on the same version of ssh to perform ssh and scp without entering password. This article explains how to setup SSH key based authentication between different version of SSH (from openSSH to SSH2) to perform ssh and scp without entering password.

1. Verify the local-host and remote-host SSH version.

In this example, local-host is running on openSSH and remote-host is running on SSH2.

[local-host]$ ssh -V
OpenSSH_5.0p1, OpenSSL 0.9.8g 19 Oct 2007

[remote-host]$ ssh -V
ssh: SSH Secure Shell 3.2.9.1 (non-commercial version) on i686-pc-linux-gnu
[remote-host]$ ls -l /usr/local/bin/ssh
lrwxrwxrwx 1 root root 4 Mar 10 22:04 /usr/local/bin/ssh -> ssh2

2. Generate key-pair on the local-host using ssh-keygen

[local-host]$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jsmith/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/jsmith/.ssh/id_rsa.
Your public key has been saved in /home/jsmith/.ssh/id_rsa.pub.
The key fingerprint is:
3b:2a:d2:ac:8c:71:81:7e:b7:31:21:11:b8:e8:31:ad jsmith@local-host

The public key and private key are typically stored in .ssh folder under your home directory. In this example, it is under /home/jsmith/.sshd. You should not share the private key with anybody.

By default the ssh-keygen on openSSH generates RSA key pair. You can also generate DSA key pair using: ssh-keygen -t dsa command.

3. Convert openSSH public key to SSH2 public key.

On local-host that is running openSSH, convert the openSSH public key to SSH2 public key using ssh-keygen as shown below.

[local-host]$ ssh-keygen -e -f ~/.ssh/id_rsa.pub > ~/.ssh/id_rsa_ssh2.pub

4. Install the public-key on the remote-host that is running SSH2.

Create a new public key file on remote-host and copy paste the converted SSH2 key from the local-host.

[remote-host]$ vi ~/.ssh2/local-host_ssh2_key.pub 
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted from OpenSSH by jsmith@local-host"
DDDDB3NzaC1yc2EAAAABDmbrdomPh9rWfjZ1+7Q369zsBEa7wS1RxzWRQ0Bmr9FSplI
3ADBEBC/6cbdf/v0r6Cp5y5kusP07AOzo2F7MBDSZBtS/MbYJiIxvocoaxG2bQyz3yYjU
YcpzGMD182bnA8kRxmGg+R5pVXM34lx3iSSgd8r3RzZKnDpEvEInnI7pQvUBoEbYCXPUeZ
LQvQAkz6+Pb6SsNp-dop/qgv9qyfbyMz1iKUZGadG146GtanL5QtRwyAeD187gMzzrGzMFP
LWjdzWpGILdZ5gq7wwRpbcXFUskVrS2ZjDe676XlTN1k5QSZmSYUuttDdrjB5SFiMpsre8
a7cQuMS178i9eDBEC==
---- END SSH2 PUBLIC KEY ----

Add the above public key file name to the authorization file on the remote-host as shown below.

[remote-host]$ vi ~/.ssh2/authorization 
Key local-host_ssh2_key.pub

5. Verify the Login from the local-host to remote-host using the SSH2 key authentication.

[local-host]$ ssh -l jsmith remote-host 
The authenticity of host 'local-host' can't be established.
DSA key fingerprint is a5:f6:2e:e6:a9:b2:7b:0e:e7:ae:cb:6c:7b:f5:6d:06.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'local-host' (DSA) to the list of known hosts.
Enter passphrase for key '/home/jsmith/.ssh/id_rsa':
Last login: Sat Jun 21 2008 23:13:00 -0700 from 192.168.1.102
No mail.
[remote-host]$

There are two ways to perform ssh and scp without entering the password:

  1. No passphrase. While creating key pair, leave the passphrase empty. Use this option for the automated batch processing. for e.g. if you are running a cron job to copy files between machines this is suitable option. You can skip the next step steps for this method.
  2. Use passphrase and SSH Agent. If you are using ssh and scp interactively from the command-line and you don’t want to use the password everytime you perform ssh or scp, I don’t recommend the previous option (no passphrase), as you’ve eliminated one level of security in the ssh key based authentication. Instead, use the passphrase while creating the key pair and use SSH Agent to perform ssh and scp without having to enter the password everytime as explained in the steps below.

6. Start the SSH Agent on local-host

The SSH Agent will be running in the background to hold the private keys and perform ssh and scp without having to enter the passphrase several times.

[local-host]$ ssh-agent $SHELL

7. Load the private key to the SSH agent on the local-host.

[local-host]$ ssh-add
Enter passphrase for /home/jsmith/.ssh/id_rsa:
Identity added: /home/jsmith/.ssh/id_rsa (/home/jsmith/.ssh/id_rsa)

8. Perform SSH or SCP to remote-home from local-host without entering the password.

[local-host]$

[local-host]$ ssh -l jsmith remote-host
Last login: Sat Jun 07 2008 23:03:04 -0700 from 192.168.1.102
No mail.

[remote-host]$

No comments:

Post a Comment

Popular Posts